Helping or not helping? Why and how trivial packages impact the npm ecosystem

Developers often share their code snippets by packaging them and making them available to others through software packages. How much a package does and how big it is can be seen as positive or negative. Recent studies showed that many packages that exist in the npm ecosystem are trivial and may introduce high dependency overhead. Hence, one question that arises is why developers choose to publish these trivial packages. Therefore, in this paper, we perform a developer-centered study to empirically examine why developers choose to publish such trivial packages. Specifically, we ask 1) why developers publish trivial packages, 2) what they believe to be the possible negative impacts of these packages, and 3) how such negative issues can be mitigated. The survey responses of 59 JavaScript developers who publish trivial npm packages showed that the main advantages of publishing these trivial packages are to provide reusable components, testing & documentation, and separation of concerns. Even the developers who publish these trivial packages admitted to having issues when they publish such packages, which include the maintenance of multiple packages, dependency hell, finding the right package, and the increase of duplicated packages in the ecosystem. Furthermore, we found that the majority of the developers suggested grouping these trivial packages to cope with the problems associated with publishing them. Then, to quantitatively investigate the impact of these trivial packages on the npm ecosystem and its users, we examine grouping these trivial packages. We found that if trivial packages that are always used together are grouped, the ecosystem can reduce the number of dependencies by approximately 13%. Our findings shed light on the impact of publishing trivial packages and show that ecosystems and developer communities need to rethink their publishing policies, since such packages can negatively impact the developers and the entire ecosystem.
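As an added illustration of the grouping analysis the abstract describes (this is not code from the paper, and the paper's 13% figure comes from real npm data, not from this script): the Node.js script below takes a small constructed set of package manifests and a hard-coded set of packages treated as trivial, finds trivial packages whose dependent sets are identical (i.e. packages that are always used together), and estimates the share of dependency edges that merging each such group into one package would remove. All package names, the manifests and the trivial classification are constructed for the example.

```javascript
// Added example, not code from the paper: estimate how many dependency edges an
// ecosystem would save by merging "trivial" packages that are always used together.

// Constructed sample manifests: dependent package -> its direct dependencies.
// Package names are placeholders chosen for the example, not real npm data.
const DEPENDENTS = {
  'app-a': ['tiny-util-1', 'tiny-util-2', 'tiny-util-3', 'big-framework'],
  'app-b': ['tiny-util-1', 'tiny-util-2', 'other-lib'],
  'app-c': ['tiny-util-1', 'tiny-util-2', 'tiny-util-3'],
  'lib-d': ['tiny-util-3', 'big-framework'],
};

// Constructed set of packages treated as trivial. The paper classifies trivial
// packages by size and complexity; here the classification is simply hard-coded.
const TRIVIAL = new Set(['tiny-util-1', 'tiny-util-2', 'tiny-util-3']);

// Invert the dependency map: package -> sorted list of packages that depend on it.
function dependentsOf(deps) {
  const rev = new Map();
  for (const [dependent, list] of Object.entries(deps)) {
    for (const dep of list) {
      if (!rev.has(dep)) rev.set(dep, new Set());
      rev.get(dep).add(dependent);
    }
  }
  const out = new Map();
  for (const [dep, set] of rev) out.set(dep, [...set].sort());
  return out;
}

// Group trivial packages whose dependent sets are identical: such packages are
// always used together, so one merged package could replace the whole group.
function groupAlwaysTogether(deps, trivial) {
  const rev = dependentsOf(deps);
  const byKey = new Map();
  for (const pkg of trivial) {
    const users = rev.get(pkg);
    if (!users || users.length === 0) continue; // unused trivial package: nothing to merge
    const key = users.join('\u0000'); // package names never contain NUL
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(pkg);
  }
  return [...byKey.values()]
    .filter((g) => g.length >= 2)
    .map((g) => g.sort());
}

// Total number of direct dependency edges in the manifests.
function countEdges(deps) {
  return Object.values(deps).reduce((n, list) => n + list.length, 0);
}

// Merging a group of k packages shared by n dependents turns k*n edges into n,
// saving (k-1)*n edges.
function estimateReduction(deps, trivial) {
  const rev = dependentsOf(deps);
  const groups = groupAlwaysTogether(deps, trivial);
  const edgesBefore = countEdges(deps);
  let saved = 0;
  for (const g of groups) saved += (g.length - 1) * rev.get(g[0]).length;
  return {
    groups,
    edgesBefore,
    edgesAfter: edgesBefore - saved,
    saved,
    percent: edgesBefore === 0 ? 0 : (100 * saved) / edgesBefore,
  };
}

const sampleResult = estimateReduction(DEPENDENTS, TRIVIAL);
console.log(JSON.stringify(sampleResult, null, 2));
```

On the constructed data, `tiny-util-1` and `tiny-util-2` share exactly the same three dependents and form one group, while `tiny-util-3` has a different dependent set and stays separate; merging the group removes 3 of 12 edges. Real manifests would be read from `package.json` files instead of the inline object, and the trivial classification would come from a size or complexity threshold.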
