Properties of Common Dependencies in the NPM Ecosystem

This is a bachelor's thesis from KTH / School of Electrical Engineering and Computer Science (EECS)

Authors: Bo Viktor Folke Bruno; Simon Frisk; [2023]


Abstract: The use of dependencies has become a central part of software development. Dependencies themselves often have dependencies, creating so-called dependency trees that make up the supply chain of software. This study performs data analysis on the dependency trees of 100 popular packages in the NPM ecosystem. It starts by examining how these dependency trees change over time and then identifies some of the most commonly used dependencies. The results suggest that the evolution of dependency trees is very unpredictable, with no clear pattern in how trees change over time. They also show that dependencies are concerningly widespread, with each of the top 10 appearing in 25% of all packages. Furthermore, these dependencies all tend to be small, functionally simple, and transitive, and they have inconsistent prevalences. The authors argue that these dependencies pose a serious risk and highlight the need for better dependency management and software diversity.
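The prevalence measurement the abstract describes (how many root packages' dependency trees contain a given dependency, and whether it arrives directly or only transitively) is simple to reproduce on a dependency graph. The following is an added example, not code or data from the thesis: the `registry` object is a constructed, hypothetical snapshot of "package name -> direct dependencies", the root package names are invented, and the functions `dependencyTree` and `prevalence` are this example's own. The graph deliberately contains a `file-glob` <-> `path-utils` cycle, since npm dependency graphs can be cyclic and a naive recursive walk would not terminate.

```javascript
// Added example (not from the thesis): measuring how widespread each
// dependency is across the dependency trees of a set of root packages.

// Constructed, hypothetical registry snapshot: package name -> direct deps.
// Contains a file-glob <-> path-utils cycle on purpose.
const registry = {
  "web-app": ["http-client", "template-engine"],
  "cli-tool": ["arg-parser", "color-lib"],
  "build-tool": ["file-glob", "color-lib"],
  "api-server": ["http-client", "logger"],
  "http-client": ["url-utils", "is-thing"],
  "template-engine": ["is-thing"],
  "arg-parser": ["is-thing"],
  "color-lib": ["has-flag"],
  "file-glob": ["path-utils"],
  "logger": ["color-lib"],
  "url-utils": ["is-thing"],
  "path-utils": ["is-thing", "file-glob"],
  "is-thing": [],
  "has-flag": [],
};

// Breadth-first walk of one root's dependency tree.
// Returns Map<dependency, shallowest depth>, where depth 1 = direct dependency.
// The Map doubles as the visited set, so cycles terminate.
function dependencyTree(registry, root) {
  const depth = new Map([[root, 0]]);
  const queue = [[root, 0]];
  while (queue.length > 0) {
    const [name, d] = queue.shift();
    // A package missing from the snapshot is treated as a leaf.
    for (const dep of registry[name] ?? []) {
      if (!depth.has(dep)) {
        depth.set(dep, d + 1);
        queue.push([dep, d + 1]);
      }
    }
  }
  depth.delete(root); // the root is not its own dependency
  return depth;
}

// For every dependency seen in any root's tree: in how many trees it occurs,
// in how many it is a direct dependency, and in how many it is only reachable
// transitively. Sorted by prevalence (descending), then name.
function prevalence(registry, roots) {
  const stats = new Map();
  for (const root of roots) {
    for (const [dep, d] of dependencyTree(registry, root)) {
      const s = stats.get(dep) ?? { name: dep, trees: 0, direct: 0, transitiveOnly: 0 };
      s.trees += 1;
      if (d === 1) s.direct += 1;
      else s.transitiveOnly += 1;
      stats.set(dep, s);
    }
  }
  return [...stats.values()]
    .map((s) => ({ ...s, fraction: s.trees / roots.length }))
    .sort((a, b) => b.trees - a.trees || a.name.localeCompare(b.name));
}

// Hypothetical set of "popular" root packages to analyse.
const roots = ["web-app", "cli-tool", "build-tool", "api-server"];

function report(topN = 5) {
  const ranked = prevalence(registry, roots);
  for (const r of ranked.slice(0, topN)) {
    console.log(
      `${r.name.padEnd(16)} in ${r.trees}/${roots.length} trees ` +
        `(direct ${r.direct}, transitive-only ${r.transitiveOnly})`
    );
  }
  return ranked;
}

report();
```

On this constructed graph, `is-thing` (a small leaf package nobody depends on directly) ends up in every root's tree, which is the pattern the thesis flags: the most prevalent packages are small and reached transitively, so a compromise of one of them affects far more projects than its direct-dependent count suggests. To run this on real data, replace `registry` with the `packages` section of a `package-lock.json` or a registry crawl, and keep the cycle handling.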
