Can dependencies of the npm installer be smaller?

[evancz]

I ran npm install elm@0.18.0 today, and it has a lot of transitive dependencies:

└─┬ elm@0.18.0 
  ├─┬ mkdirp@0.5.1 
  │ └── minimist@0.0.8 
  ├─┬ promise@7.1.1 
  │ └── asap@2.0.6 
  ├─┬ request@2.74.0 
  │ ├── aws-sign2@0.6.0 
  │ ├── aws4@1.7.0 
  │ ├─┬ bl@1.1.2 
  │ │ └─┬ readable-stream@2.0.6 
  │ │   ├── core-util-is@1.0.2 
  │ │   ├── isarray@1.0.0 
  │ │   ├── process-nextick-args@1.0.7 
  │ │   ├── string_decoder@0.10.31 
  │ │   └── util-deprecate@1.0.2 
  │ ├── caseless@0.11.0 
  │ ├─┬ combined-stream@1.0.6 
  │ │ └── delayed-stream@1.0.0 
  │ ├── extend@3.0.1 
  │ ├── forever-agent@0.6.1 
  │ ├─┬ form-data@1.0.1 
  │ │ └─┬ async@2.6.0 
  │ │   └── lodash@4.17.5 
  │ ├─┬ har-validator@2.0.6 
  │ │ ├─┬ chalk@1.1.3 
  │ │ │ ├── ansi-styles@2.2.1 
  │ │ │ ├── escape-string-regexp@1.0.5 
  │ │ │ ├─┬ has-ansi@2.0.0 
  │ │ │ │ └── ansi-regex@2.1.1 
  │ │ │ ├── strip-ansi@3.0.1 
  │ │ │ └── supports-color@2.0.0 
  │ │ ├── commander@2.15.1 
  │ │ ├─┬ is-my-json-valid@2.17.2 
  │ │ │ ├── generate-function@2.0.0 
  │ │ │ ├─┬ generate-object-property@1.2.0 
  │ │ │ │ └── is-property@1.0.2 
  │ │ │ ├── is-my-ip-valid@1.0.0 
  │ │ │ ├── jsonpointer@4.0.1 
  │ │ │ └── xtend@4.0.1 
  │ │ └─┬ pinkie-promise@2.0.1 
  │ │   └── pinkie@2.0.4 
  │ ├─┬ hawk@3.1.3 
  │ │ ├── boom@2.10.1 
  │ │ ├── cryptiles@2.0.5 
  │ │ ├── hoek@2.16.3 
  │ │ └── sntp@1.0.9 
  │ ├─┬ http-signature@1.1.1 
  │ │ ├── assert-plus@0.2.0 
  │ │ ├─┬ jsprim@1.4.1 
  │ │ │ ├── assert-plus@1.0.0 
  │ │ │ ├── extsprintf@1.3.0 
  │ │ │ ├── json-schema@0.2.3 
  │ │ │ └─┬ verror@1.10.0 
  │ │ │   └── assert-plus@1.0.0 
  │ │ └─┬ sshpk@1.14.1 
  │ │   ├── asn1@0.2.3 
  │ │   ├── assert-plus@1.0.0 
  │ │   ├── bcrypt-pbkdf@1.0.1 
  │ │   ├─┬ dashdash@1.14.1 
  │ │   │ └── assert-plus@1.0.0 
  │ │   ├── ecc-jsbn@0.1.1 
  │ │   ├─┬ getpass@0.1.7 
  │ │   │ └── assert-plus@1.0.0 
  │ │   ├── jsbn@0.1.1 
  │ │   └── tweetnacl@0.14.5 
  │ ├── is-typedarray@1.0.0 
  │ ├── isstream@0.1.2 
  │ ├── json-stringify-safe@5.0.1 
  │ ├─┬ mime-types@2.1.18 
  │ │ └── mime-db@1.33.0 
  │ ├── node-uuid@1.4.8 
  │ ├── oauth-sign@0.8.2 
  │ ├── qs@6.2.3 
  │ ├── stringstream@0.0.5 
  │ ├─┬ tough-cookie@2.3.4 
  │ │ └── punycode@1.4.1 
  │ └── tunnel-agent@0.4.3 
  └─┬ tar@2.2.1 
    ├── block-stream@0.0.9 
    ├─┬ fstream@1.0.11 
    │ ├── graceful-fs@4.1.11 
    │ └─┬ rimraf@2.6.2 
    │   └─┬ glob@7.1.2 
    │     ├── fs.realpath@1.0.0 
    │     ├─┬ inflight@1.0.6 
    │     │ └── wrappy@1.0.2 
    │     ├─┬ minimatch@3.0.4 
    │     │ └─┬ brace-expansion@1.1.11 
    │     │   ├── balanced-match@1.0.0 
    │     │   └── concat-map@0.0.1 
    │     ├── once@1.4.0 
    │     └── path-is-absolute@1.0.1 
    └── inherits@2.0.3 

Is it possible to get rid of the direct dependency on request? That would help a lot, and my instinct is that whatever we need to do can be done with XMLHttpRequest directly. Maybe the redirect stuff wouldn't be easy though. Not sure!

[rofrol]

Looks like binstall is using it:

installers/npm/package-lock.json

    "binstall": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/binstall/-/binstall-1.2.0.tgz",
      "integrity": "sha1-aywPWAuePGB/UO96IqVM6f3I2TM=",
      "requires": {
        "request": "2.79.0",
        "tar": "2.2.1"
      }
    },

and we use it here:

installers/npm/install.js

binstall(url, {path: binariesDir, strip: 1},
  {verbose: true, verify: executablePaths, errorMessage: errorMessage}
).then(function(successMessage) {
    console.log(successMessage);
  }, function(errorMessage) {
    console.error(errorMessage);
    process.exit(1);
  });