What About Our Bug? A Study on the Responsiveness of NPM Package Maintainers
Mohammadreza Saeidi, Ethan Thoma, Raula Gaikovina Kula, Gema Rodríguez-Pérez
TL;DR
This study analyzes maintainer responsiveness to bug reports in the npm ecosystem by combining manual classification with an automated, LLM-driven pipeline across 30,340 issues in the 500 most depended-upon packages. It defines ownership-based and responsiveness-based labels, builds a 1,729-issue manual ground truth, and demonstrates that upstream maintainers are generally responsive, with a median project-level responsiveness of 70%. The authors identify four main non-responsiveness drivers—Contribution Practices, Dependency issues, Library Standards, and Lack of Engagement—and provide a taxonomy to inform improvements in contribution practices and dependency management. They further show that instruction-tuned LLMs can accurately identify bug reports (≈0.93–0.94 F1) and classify responsiveness with reasonable accuracy (up to 0.84), enabling scalable ecosystem-wide analyses and practical guidance for both upstream and downstream developers.
Abstract
Background: Widespread use of third-party libraries makes ecosystems such as the Node Package Manager (npm) critical to modern software development. This interconnected chain of dependencies also creates challenges: a bug in one library can propagate downstream and affect the many libraries that rely on it. We hypothesize that maintainers do not always decide to fix a reported bug, especially when they judge it to fall outside their responsibility within the dependency chain. Aims: To test this hypothesis, we investigate maintainer responsiveness to 30,340 bug reports across 500 of the most depended-upon npm packages. Method: We adopt a mixed-method approach: we mine repository issue data and perform qualitative open coding to analyze the reasons behind unaddressed bug reports. Results: Maintainers are generally responsive, with a median project-level responsiveness of 70% (IQR: 55%-89%), reflecting their commitment to supporting downstream developers. Conclusions: We present a taxonomy of the reasons some bugs remain unresolved, including contribution practices, dependency constraints, and library-specific standards. Understanding maintainer behavior can inform practices that promote a more robust and responsive open-source ecosystem that benefits the entire community.
