Rethinking Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain
- URL: http://arxiv.org/abs/2503.02804v2
- Date: Fri, 25 Apr 2025 05:23:35 GMT
- Title: Rethinking Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain
- Authors: Brittany Anne Reid, Raula Gaikovina Kula
- Abstract summary: This paper advocates for a shift in software development practices toward minimizing reliance on third-party packages. We find that these end-of-chain packages offer unique insights, as they play a key role in the ecosystem.
- Score: 2.4969046521751768
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The success of modern software development can be largely attributed to the concept of code reuse, such as the ability to reuse existing functionality via third-party package dependencies, evident within massive package networks like NPM, PyPI and Maven. For a long time, the dominant philosophy has been to "reuse as much as possible, without thought for what is being depended upon", resulting in the formation of large dependency supply chains that spread throughout entire software ecosystems. Such heavy reliance on third-party packages has eventually brought forward resilience and maintenance concerns, such as security attacks and outdated dependencies. In this vision paper, we investigate packages that challenge the typical concepts of reuse, that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. We find that these end-of-chain packages vary in characteristics and are not just packages that can be easily replaced: an active, well-maintained package at the end of the chain; a "classical" package that has remained unchanged for 11 years; a trivial package nested deep in the dependency chain; a package that may appear trivial; and a package that bundled up and absorbed its dependencies. The vision of this paper is to advocate for a shift in software development practices toward minimizing reliance on third-party packages, particularly those at the end of dependency supply chains. We argue that these end-of-chain packages offer unique insights, as they play a key role in the ecosystem.
Related papers
- Insights into Dependency Maintenance Trends in the Maven Ecosystem [0.14999444543328289] (2025-03-28T22:20:24Z)
  We present a quantitative analysis of the Neo4j dataset using the Goblin framework. Our analysis reveals that releases with fewer dependencies have a higher number of missed releases. Our study shows that the dependencies in the latest releases have positive freshness scores, indicating better software management efficacy.
- Analyzing the Usage of Donation Platforms for PyPI Libraries [91.97201077607862] (2025-03-11T10:27:31Z)
  This study analyzes the adoption of donation platforms in the PyPI ecosystem. GitHub Sponsors is the dominant platform, though many PyPI-listed links are outdated.
- Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985] (2025-02-10T16:50:48Z)
  Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependencies to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
- Semantic Dependency in Microservice Architecture: A Framework for Definition and Detection [0.0] (2025-01-20T23:34:24Z)
  This paper introduces the Semantic Dependency Matrix as an instrument to address these challenges. It shows that these hidden dependencies can exist independently of endpoint data dependencies, revealing critical connections that might otherwise be overlooked.
- An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889] (2024-09-27T16:20:20Z)
  This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
- A Systematic Approach to Evaluating Development Activity in Heterogeneous Package Management Systems for Overall System Health Assessment [0.0] (2024-09-06T19:58:20Z)
  We develop a method to identify packages within a Linux distribution that show low development activity between versions of the OSS projects included in a release. We use regular expressions to extract the epoch and upstream project major, minor, and patch versions for more than 6000 packages in the Ubuntu distribution.
- Enhancing Supply Chain Visibility with Knowledge Graphs and Large Language Models [49.898152180805454] (2024-08-05T17:11:29Z)
  This paper presents a novel framework leveraging Knowledge Graphs (KGs) and Large Language Models (LLMs) to enhance supply chain visibility. Our zero-shot, LLM-driven approach automates the extraction of supply chain information from diverse public sources. With high accuracy in NER and RE tasks, it provides an effective tool for understanding complex, multi-tiered supply networks.
- Characterizing Dependency Update Practice of NPM, PyPI and Cargo Packages [7.739923421146855] (2024-03-26T05:01:53Z)
  Keeping dependencies up-to-date prevents software supply chain attacks through outdated and vulnerable dependencies. We propose two update metrics to measure the updatedness of dependencies and the updatedness of vulnerable dependencies. We conduct a large-scale empirical study of update metrics with 2.9M packages, 66.8M package versions, and 26.8M unique package-dependency relations.
- Dependency Practices for Vulnerability Mitigation [4.710141711181836] (2023-10-11T19:48:46Z)
  We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies. We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
- Visual Dependency Transformers: Dependency Tree Emerges from Reversed Attention [106.67741967871969] (2023-04-06T17:59:26Z)
  We propose Visual Dependency Transformers (DependencyViT) that can induce visual dependencies without any labels. We formulate it as a dependency graph where a child token in reversed attention is trained to attend to its parent tokens and send information. DependencyViT works well on both self- and weakly-supervised pretraining paradigms on ImageNet.
- Pack Together: Entity and Relation Extraction with Levitated Marker [61.232174424421025] (2021-09-13T15:38:13Z)
  We propose a novel span representation approach, named Packed Levitated Markers, to consider the dependencies between the spans (pairs) by strategically packing the markers in the encoder. Our experiments show that our model with packed levitated markers outperforms the sequence labeling model by 0.4%-1.9% F1 on three flat NER tasks, and beats the token concat model on six NER benchmarks.
- Reconstructive Sequence-Graph Network for Video Summarization [107.0328985865372] (2021-05-10T01:47:55Z)
  Exploiting the inner-shot and inter-shot dependencies is essential for key-shot based video summarization. We propose a Reconstructive Sequence-Graph Network (RSGN) to encode the frames and shots as sequence and graph hierarchically. A reconstructor is developed to reward the summary generator, so that the generator can be optimized in an unsupervised manner.
This list is automatically generated from the titles and abstracts of the papers in this site.