Dependency Dilemmas: A Comparative Study of Independent and Dependent Artifacts in Maven Central Ecosystem

Mehedi Hasan Shanto, Muhammad Asaduzzaman, Manishankar Mondal, Shaiful Chowdhury

TL;DR

This study investigates independent artifacts in Maven Central, a previously underexplored class defined by an in-degree of zero in the dependency graph. Using the Goblin dataset and a Neo4j-based extraction pipeline, the authors analyze PageRank and out-degree centrality alongside 18 usability and maintenance metrics, CVE/CWE data, and GitHub repository signals to contrast independent versus dependent artifacts. They find that while independent artifacts are a non-trivial, safety-oriented subset that can reduce transitive vulnerability risk, they lag in release frequency, community maintenance, and licensing/documentation quality compared to dependent artifacts, though their zero-dependency property can shield users from downstream issues. The results offer practical guidance for developers to judiciously select independent artifacts and for maintainers to bolster documentation, licensing compliance, and update cadence, with future work including developer surveys and automated tooling to improve sustainability and security in software supply chains.

Abstract

The Maven Central ecosystem forms the backbone of Java dependency management, hosting artifacts that vary significantly in their adoption, security, and ecosystem roles. Artifact reuse is fundamental in software development, and ecosystems like Maven Central facilitate it. However, prior studies have predominantly analyzed popular artifacts with numerous dependencies, leaving artifacts without incoming dependencies (independent artifacts) unexplored. In this study, we analyzed 658,078 artifacts, of which 635,003 had at least one release. Among these, 93,101 artifacts (15.4%) were identified as independent (in-degree = 0), while the rest were classified as dependent. We measured the influence of independent artifacts using PageRank and out-degree centrality and found that they play an important role in the ecosystem. Further analysis across 18 metrics revealed that independent artifacts are comparable to, and in several respects better than, dependent artifacts: comparable popularity (25.58 vs. 7.30), fewer vulnerabilities (60 CVEs vs. 179 CVEs), and zero propagated vulnerabilities. These results suggest that independent artifacts play a significant role in the ecosystem and offer developers a safe, self-contained alternative to traditional dependencies. At the same time, independent artifacts have some maintainability issues. Therefore, developers should incorporate independent artifacts into their projects with care, and artifact maintainers should prioritize this group of artifacts to mitigate the risk of transitive vulnerability propagation and improve software sustainability.
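To make the abstract's graph definitions concrete, the following is an added example (not the authors' Goblin/Neo4j pipeline and not code from the paper) that builds a small constructed Maven-style dependency graph, classifies artifacts as independent (in-degree = 0) or dependent, computes out-degree and PageRank, and counts how many downstream artifacts each CVE-bearing artifact exposes transitively. The artifact coordinates, CVE counts, edge orientation (an edge A -> B means A declares B as a dependency) and the definition of "propagated vulnerabilities" used here are assumptions made for the example; the paper's exact metric definitions may differ.

```python
"""Toy dependency-graph analysis (constructed example, not the paper's pipeline).

Edge orientation assumption: artifact -> the artifacts it directly depends on,
so in-degree counts dependents and out-degree counts dependencies.
"""
from collections import defaultdict

# Constructed sample graph with hypothetical artifact coordinates.
SAMPLE_DEPS = {
    "org.example:app-core": ["org.example:util", "org.example:json"],
    "org.example:cli-tool": ["org.example:util"],
    "org.example:util": [],
    "org.example:json": ["org.example:util"],
    "org.example:standalone-lib": [],
}

# Constructed CVE counts per artifact (placeholder values, not real advisories).
SAMPLE_CVES = {"org.example:util": 2, "org.example:standalone-lib": 1}


def in_degree(deps):
    """Number of artifacts that directly depend on each artifact."""
    degree = {a: 0 for a in deps}
    for targets in deps.values():
        for t in targets:
            degree[t] = degree.get(t, 0) + 1
    return degree


def out_degree(deps):
    """Number of direct dependencies each artifact declares."""
    return {a: len(targets) for a, targets in deps.items()}


def classify(deps):
    """Split artifacts into independent (in-degree 0) and dependent (in-degree > 0)."""
    indeg = in_degree(deps)
    independent = sorted(a for a, d in indeg.items() if d == 0)
    dependent = sorted(a for a, d in indeg.items() if d > 0)
    return independent, dependent


def pagerank(deps, damping=0.85, iterations=100, tol=1e-10):
    """Standard power-iteration PageRank; rank flows from dependents to dependencies.
    Artifacts with no outgoing edges (dangling nodes) spread their rank uniformly."""
    nodes = list(deps)
    n = len(nodes)
    rank = {a: 1.0 / n for a in nodes}
    for _ in range(iterations):
        dangling = sum(rank[a] for a in nodes if not deps[a])
        new = {}
        for a in nodes:
            incoming = sum(rank[src] / len(deps[src]) for src in nodes if a in deps[src])
            new[a] = (1 - damping) / n + damping * (incoming + dangling / n)
        diff = sum(abs(new[a] - rank[a]) for a in nodes)
        rank = new
        if diff < tol:
            break
    return rank


def reverse_edges(deps):
    """Map each artifact to the set of artifacts that directly depend on it."""
    rev = defaultdict(set)
    for src, targets in deps.items():
        for t in targets:
            rev[t].add(src)
    return rev


def propagated_vulnerabilities(deps, cves):
    """Assumed definition: for each CVE-bearing artifact, the number of distinct
    artifacts that transitively depend on it and are therefore exposed.
    An independent artifact has no dependents, so it propagates nothing."""
    rev = reverse_edges(deps)
    exposed = {}
    for artifact in cves:
        reached, stack = set(), [artifact]
        while stack:
            current = stack.pop()
            for dependent in rev.get(current, ()):
                if dependent not in reached:
                    reached.add(dependent)
                    stack.append(dependent)
        exposed[artifact] = len(reached)
    return exposed


def group_summary(deps, cves):
    """Per-group totals mirroring the paper's independent-vs-dependent comparison."""
    independent, dependent = classify(deps)
    propagated = propagated_vulnerabilities(deps, cves)
    summary = {}
    for name, group in (("independent", independent), ("dependent", dependent)):
        summary[name] = {
            "count": len(group),
            "cves": sum(cves.get(a, 0) for a in group),
            "propagated": sum(propagated.get(a, 0) for a in group),
        }
    return summary


if __name__ == "__main__":
    ind, dep = classify(SAMPLE_DEPS)
    print("independent:", ind)
    print("dependent:", dep)
    for artifact, score in sorted(pagerank(SAMPLE_DEPS).items(), key=lambda kv: -kv[1]):
        print(f"{artifact:30s} pagerank={score:.4f} out_degree={out_degree(SAMPLE_DEPS)[artifact]}")
    print("propagated:", propagated_vulnerabilities(SAMPLE_DEPS, SAMPLE_CVES))
    print("summary:", group_summary(SAMPLE_DEPS, SAMPLE_CVES))
```

Running the script shows the property the abstract relies on: the independent group's propagated-vulnerability total is zero by construction, because nothing depends on those artifacts, while a CVE in a heavily depended-on artifact such as the constructed `org.example:util` reaches every transitive dependent. Note that with this edge orientation, in-degree-zero artifacts also include leaf applications, which is exactly why the paper pairs the in-degree criterion with usability and maintenance metrics before recommending any of them.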

Paper Structure

This paper contains 8 sections, 1 figure, 2 tables.

Figures (1)

  • Figure 1: Distribution of active independent artifacts in Maven Central over the years