Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Towards Sustainable and Secure Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain

Brittany Anne Reid, Raula Gaikovina Kula

TL;DR

The paper investigates the prevalence and role of end-of-chain, zero-dependency packages within the NPM ecosystem as a lens for sustainable and secure software reuse. Using libraries.io and NPM registry data, it shows that end-of-chain packages constitute over half of the dependency chain for the top dependencies, with four end-of-chain roots identified among the ten most depended-upon packages. Through five motivating cases, the authors illustrate the varied nature of these zero-dependency libraries—from core infrastructure to seemingly trivial packages with potential risks. They argue that understanding end-of-chain packages is essential to rethinking reuse, and they propose a four-part research agenda to characterize, motivate, evaluate, and govern minimal-dependency strategies for ecosystem resilience and security.

Abstract

Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant philosophy has been to 'reuse as much as possible, without thought for what is being depended upon', creating fragile dependency chains. Heavy reliance has raised resiliency and maintenance concerns. In this vision paper, we investigate packages that challenge the typical concepts of reuse - that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. By avoiding dependencies, these packages at the end of the chain may also avoid the associated risks. Our initial analysis of the most depended upon NPM packages shows that such end-of-chain packages make up a significant portion of these critical dependency chain (over 50%). We find that these end-of-chain packages vary in characteristics and are not just packages that can be easily replaced, and present five cases. We then ask ourselves: Should maintainers minimize external dependencies? We argue that these packages reveal important lessons for strategic reuse-balancing the undeniable benefits of dependency ecosystems with sustainable, secure practices.

Towards Sustainable and Secure Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain

TL;DR

The paper investigates the prevalence and role of end-of-chain, zero-dependency packages within the NPM ecosystem as a lens for sustainable and secure software reuse. Using libraries.io and NPM registry data, it shows that end-of-chain packages constitute over half of the dependency chain for the top dependencies, with four end-of-chain roots identified among the ten most depended-upon packages. Through five motivating cases, the authors illustrate the varied nature of these zero-dependency libraries—from core infrastructure to seemingly trivial packages with potential risks. They argue that understanding end-of-chain packages is essential to rethinking reuse, and they propose a four-part research agenda to characterize, motivate, evaluate, and govern minimal-dependency strategies for ecosystem resilience and security.

Abstract

Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant philosophy has been to 'reuse as much as possible, without thought for what is being depended upon', creating fragile dependency chains. Heavy reliance has raised resiliency and maintenance concerns. In this vision paper, we investigate packages that challenge the typical concepts of reuse - that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. By avoiding dependencies, these packages at the end of the chain may also avoid the associated risks. Our initial analysis of the most depended upon NPM packages shows that such end-of-chain packages make up a significant portion of these critical dependency chain (over 50%). We find that these end-of-chain packages vary in characteristics and are not just packages that can be easily replaced, and present five cases. We then ask ourselves: Should maintainers minimize external dependencies? We argue that these packages reveal important lessons for strategic reuse-balancing the undeniable benefits of dependency ecosystems with sustainable, secure practices.

Paper Structure

This paper contains 15 sections, 1 figure, 2 tables.

Table of Contents

  1. Introduction
  2. How prevalent are end-of-chain libraries for the Top 10 NPM Packages?
  3. Motivating Examples: Exploring Five Cases of End-of-Chain Libraries
  4. Case 1: The Core Ecosystem Package
  5. Case 2: The 'Classical' Package
  6. Case 3: The Unmaintained Trivial Package
  7. Case 4: The 'Not Trivial' Trivial Package
  8. Case 5: The Bundled Package
  9. Discussion
  10. Research Agenda
  11. Characterising End-of-Chain Packages
  12. Understanding Developer Motivations
  13. Evaluating the Risks, Impact and Benefits of No Dependencies
  14. Rethinking Reuse for the Ecosystem
  15. Conclusion

Figures (1)

  • Figure 1: Example of a dependency chain for the NPM package axios. Darker nodes indicate direct dependencies, lighter nodes indicate indirect dependencies, and crosses indicate end-of-chain packages.