Gathering detailed insights and metrics for million
Gathering detailed insights and metrics for million
Installations
npm install millionDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Node Version
22.0.0
NPM Version
10.5.1
Score
81.7
Supply Chain
97.4
Quality
78.5
Maintenance
100
Vulnerability
100
License
Releases
216
Languages
5
TypeScript
MDX
JavaScript
CSS
HTML
TypeScript (71.93%)
MDX (17.93%)
JavaScript (8.88%)
CSS (1.23%)
HTML (0.02%)
Developer
Download Statistics
Total Downloads
2,480,892
Last Day
970
Last Week
22,028
Last Month
112,272
Last Year
1,410,292
GitHub Statistics
MIT License
17,253 Stars
2,363 Commits
589 Forks
64 Watchers
71 Branches
126 Contributors
Updated on Jul 05, 2025
Bundle Size
12.20 kB
Minified
4.73 kB
Minified + Gzipped
Sponsor this package
Maintainers
2
Package Meta Information
Latest Version
3.1.11
Package Id
million@3.1.11
Unpacked Size
840.03 kB
Size
205.66 kB
File Count
60
NPM Version
10.5.1
Node Version
22.0.0
Published on
Jun 04, 2024
Total Downloads
Cumulative downloads
Total Downloads
2,480,892
Last Day
-12%
970
Compared to previous day
Last Week
-21.7%
22,028
Compared to previous week
Last Month
-4.7%
112,272
Compared to previous month
Last Year
57.1%
1,410,292
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
25
@rollup/plugin-replace@types/babel__core@types/node@typescript-eslint/eslint-plugin@typescript-eslint/parser@vercel/style-guide@vitejs/plugin-react@vitest/coverage-v8babel-plugin-testerbumppc8esbuildeslinteslint-config-prettierjsdomprettierrolluprollup-plugin-banner2source-maptslibtypescriptunbuildvitevite-tsconfig-pathsvitest
Want to automatically find and fix performance issues? Check out Million Lint.
What is Million.js?
Million.js is an extremely fast and lightweight optimizing compiler that make components up to 70% faster.
Oh man... Another
/virtual dom|javascript/giframework? I'm fine with React already, why do I need this?
Million.js works with React and makes reconciliation faster. By using a fine-tuned, optimized virtual DOM, Million.js reduces the overhead of diffing (try it out here)
TL;DR: Imagine React components running at the speed of raw JavaScript.
👉 Setup Million.js in seconds! →
Installation
The Million.js CLI will automatically install the package and configure your project for you.
1npx million@latest
Once your down, just run your project and information should show up in your command line!
Having issues installing? → View the installation guide
Why Million.js?
To understand why to use Million.js, we need to understand how React updates interfaces. When an application's state or props change, React undergoes an update in two parts: rendering and reconciliation.
To show this, let's say this is our App:
1function App() { 2 const [count, setCount] = useState(0); 3 const increment = () => setCount(count + 1); 4 return ( 5 <div> 6 <p>Count: {count}</p> 7 <button onClick={increment}>Increment</button> 8 </div> 9 ); 10}
In this App, when I click on the button, the count state will update and the <p> tag will update to reflect the new value. Let's break this down.
Rendering
The first step is rendering. Rendering is the process of generating a snapshot of the current component. You can imagine it as simply "calling" the App function and storing the output in a variable. This is what the App snapshot would look like:
1const snapshot = App(); 2 3// snapshot = 4<div> 5 <p>Count: 1</p> 6 <button onClick={increment}>Increment</button> 7</div>;
Reconciliation
In order to update the interface to reflect the new state, React needs to compare the previous snapshot to the new snapshot (called "diffing"). React's reconciler will go to each element in the previous snapshot and compare it to the new snapshot. If the element is the same, it will skip it. If the element is different, it will update it.
- The
<div>tag is the same, so it doesn't need to be updated. ✅- The
<p>tag is the same, so it doesn't needs to be updated. ✅- The text inside the
<p>tag is different, so it needs to be updated. ⚠ ️
- The text inside the
- The
<button>tag is the same, so it doesn't need to be updated. ✅- The
onClickprop is the same, so it doesn't need to be updated. ✅ - The text inside the
<button>tag is the same, so it doesn't need to be updated. ✅
- The
- The
(total: 6 diff checks)
1<div> 2- <p>Count: 0</p> 3+ <p>Count: 1</p> 4 <button onClick={increment}>Increment</button> 5</div>
From here, we can see that the <p> tag needs to be updated. React will then update the <p> DOM node to reflect the new value.
1<p>.innerHTML = `Count: ${count}`;
How Million.js makes this faster
React is slow.
The issue with React's reconciliation it becomes exponentially slower the more JSX elements you have. With this simple App, it only needs to diff a few elements. In a real world React app, you can easily have hundreds of elements, slowing down interface updates.
Million.js solves this by skipping the diffing step entirely and directly updating the DOM node.
Here is a conceptual example of how Million.js reconciler works:
1function App() { 2 const [count, setCount] = useState(0); 3 const increment = () => setCount(count + 1); 4 5 // generated by compiler 6 if (count !== prevCount) { 7 <p>.innerHTML = `Count: ${count}`; 8 } 9 10 <button>.onclick = increment; 11 12 // ... 13}
Notice how when the count is updated, Million.js will directly update the DOM node. Million.js turns React reconciliation from O(n) (linear time) to O(1) (constant time).
How fast is it? → View the benchmarks
Resources & Contributing Back
Looking for the docs? Check the documentation or the Contributing Guide out. We also recommend reading Virtual DOM: Back in Block to learn more about Million.js's internals.
Want to talk to the community? Hop in our Discord and share your ideas and what you've build with Million.js.
Find a bug? Head over to our issue tracker and we'll do our best to help. We love pull requests, too!
We expect all Million.js contributors to abide by the terms of our Code of Conduct.
→ Start contributing on GitHub
Codebase
This repo is a "mono-repo" with modules. Million.js ships as one NPM package, but has first class modules for more complex, but important extensions. Each module has its own folder in the /packages directory.
You can also track our progress through our Roadmap.
| Module | Description |
|---|---|
million | The main Virtual DOM with all of Million.js's core. |
react / react-server | React compatibility for Million.js. |
compiler | The compiler for Million.js in React. |
jsx-runtime | A simple JSX runtime for Million.js core. |
types | Shared types between packages |
Sponsors
Acknowledgments
Million.js takes heavy inspiration from the following projects:
blockdom(Géry Debongnie) Thank you to Géry pioneering the concept of "blocks" in the virtual DOM. Many parts of the Million.js codebase either directly or indirectly derive from his work.voby(Fabio Spampinato) The Million.js "template" concept is derived from Voby'stemplate()API.- Hack the Wave (Melinda Chang) for their homepage.
reactandturbofor their documentation. Many parts of the current Million.js documentation are grokked and modified from theirs.ivi, Preact, and more
License
Million.js is MIT-licensed open-source software by Aiden Bai and contributors:
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:7
Reason
Found 4/30 approved changesets -- score normalized to 1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish.yml:10
- Warn: no topLevel permission defined: .github/workflows/auto-response.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-needs-repro.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Info: no jobLevel write permissions found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-response.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/auto-response.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-response.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/auto-response.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-needs-repro.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/issue-needs-repro.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/publish.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aidenybai/million/publish.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/publish.yml:27
- Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 5 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 6 are checked with a SAST tool
Reason
52 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf
- Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674
- Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-f7f6-9jq7-3rqj
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-3wc5-fcw2-2329
- Warn: Project is vulnerable to: GHSA-64fm-8hw2-v72w
- Warn: Project is vulnerable to: GHSA-cvr6-37gx-v8wc
- Warn: Project is vulnerable to: GHSA-f98w-7cxr-ff2h
- Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546
- Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-fr5h-rqp8-mj6g
- Warn: Project is vulnerable to: GHSA-g77x-44xx-532m
- Warn: Project is vulnerable to: GHSA-gp8f-8m3g-qvj9
- Warn: Project is vulnerable to: GHSA-7gfc-8cq8-jh5f
- Warn: Project is vulnerable to: GHSA-7m27-7ghc-44w9
- Warn: Project is vulnerable to: GHSA-qpjv-v59x-3qc4
- Warn: Project is vulnerable to: GHSA-f82v-jwr5-mffw
- Warn: Project is vulnerable to: GHSA-3h52-269p-cp9r
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9f24-jqhm-jfcw
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: GHSA-92r3-m2mg-pj97
- Warn: Project is vulnerable to: GHSA-c24v-8rfc-w8vw
- Warn: Project is vulnerable to: GHSA-8jhw-289h-jh2g
- Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
3
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More