Towards Sustainable and Secure Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain
- URL: http://arxiv.org/abs/2503.02804v3
- Date: Mon, 06 Oct 2025 05:28:38 GMT
- Title: Towards Sustainable and Secure Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain
- Authors: Brittany Anne Reid, Raula Gaikovina Kula,
- Abstract summary: We investigate packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. Our initial analysis of the most depended upon NPM packages shows that such end-of-chain packages make up a significant portion of these critical dependency chains. We argue that these packages reveal important lessons for strategic reuse: balancing the undeniable benefits of dependency ecosystems with sustainable, secure practices.
- Score: 1.7577744940574058
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant philosophy has been to 'reuse as much as possible, without thought for what is being depended upon', creating fragile dependency chains. Heavy reliance has raised resiliency and maintenance concerns. In this vision paper, we investigate packages that challenge the typical concepts of reuse - that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. By avoiding dependencies, these packages at the end of the chain may also avoid the associated risks. Our initial analysis of the most depended upon NPM packages shows that such end-of-chain packages make up a significant portion of these critical dependency chains (over 50%). We find that these end-of-chain packages vary in characteristics and are not just packages that can be easily replaced, and present five cases. We then ask ourselves: Should maintainers minimize external dependencies? We argue that these packages reveal important lessons for strategic reuse: balancing the undeniable benefits of dependency ecosystems with sustainable, secure practices.
Related papers
- Why Authors and Maintainers Link (or Don't Link) Their PyPI Libraries to Code Repositories and Donation Platforms [83.16077040470975]
Metadata of libraries on the Python Package Index (PyPI) plays a critical role in supporting the transparency, trust, and sustainability of open-source libraries. This paper presents a large-scale empirical study combining two targeted surveys sent to 50,000 PyPI authors and maintainers. We analyze more than 1,400 responses using large language model (LLM)-based topic modeling to uncover key motivations and barriers related to linking repositories and donation platforms.
arXiv Detail & Related papers (2026-01-21T16:13:57Z)
- Analyzing the Availability of E-Mail Addresses for PyPI Libraries [89.21869606965578]
81.6% of libraries include at least one valid e-mail address, with PyPI serving as the primary source. We identify over 698,000 invalid entries, primarily due to missing fields.
arXiv Detail & Related papers (2026-01-20T14:54:58Z)
- PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python [1.2644387713029346]
This paper introduces PyPitfall, a quantitative analysis of vulnerable dependencies across the PyPI ecosystem. We analyzed the dependency structures of 378,573 PyPI packages and identified 4,655 packages that explicitly require at least one known-vulnerable version. We aim to raise awareness of Python software supply chain security by characterizing the ecosystem-wide dependency landscape.
arXiv Detail & Related papers (2025-07-24T03:58:18Z)
- GoLeash: Mitigating Golang Software Supply Chain Attacks with Runtime Policy Enforcement [10.835705780366466]
We present GoLeash, a novel system that applies the principle of least privilege at the package-level granularity. This finer granularity enables GoLeash to detect malicious packages more precisely than traditional sandboxing. GoLeash remains effective under obfuscation, can overcome the limitations of static analysis, and incurs acceptable runtime overhead.
arXiv Detail & Related papers (2025-05-16T09:10:07Z)
- Faster Releases, Fewer Risks: A Study on Maven Artifact Vulnerabilities and Lifecycle Management [0.14999444543328289]
We analyze the release histories of 10,000 Maven artifacts, covering over 203,000 releases and 1.7 million dependencies. Our results show an inverse relationship between release speed and dependency outdatedness. These findings emphasize the importance of accelerated release strategies in reducing security risks.
arXiv Detail & Related papers (2025-03-31T17:32:45Z)
- Insights into Dependency Maintenance Trends in the Maven Ecosystem [0.14999444543328289]
We present a quantitative analysis of the Neo4j dataset using the Goblin framework. Our analysis reveals that releases with fewer dependencies have a higher number of missed releases. Our study shows that the dependencies in the latest releases have positive freshness scores, indicating better software management efficacy.
arXiv Detail & Related papers (2025-03-28T22:20:24Z)
- Analyzing the Usage of Donation Platforms for PyPI Libraries [91.97201077607862]
This study analyzes the adoption of donation platforms in the PyPI ecosystem. GitHub Sponsors is the dominant platform, though many PyPI-listed links are outdated.
arXiv Detail & Related papers (2025-03-11T10:27:31Z)
- Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependencies to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
arXiv Detail & Related papers (2025-02-10T16:50:48Z)
- Semantic Dependency in Microservice Architecture: A Framework for Definition and Detection [0.0]
This paper introduces the Semantic Dependency Matrix as an instrument to address these challenges. It shows that these hidden dependencies can exist independently of endpoint data dependencies, revealing critical connections that might otherwise be overlooked.
arXiv Detail & Related papers (2025-01-20T23:34:24Z)
- An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z)
- A Systematic Approach to Evaluating Development Activity in Heterogeneous Package Management Systems for Overall System Health Assessment [0.0]
We develop a method to identify packages within a Linux distribution that show low development activity between versions of the OSS projects included in a release. We use regular expressions to extract the epoch and upstream project major, minor, and patch versions for more than 6000 packages in the Ubuntu distribution.
arXiv Detail & Related papers (2024-09-06T19:58:20Z)
- Enhancing Supply Chain Visibility with Knowledge Graphs and Large Language Models [49.898152180805454]
This paper presents a novel framework leveraging Knowledge Graphs (KGs) and Large Language Models (LLMs) to enhance supply chain visibility. Our zero-shot, LLM-driven approach automates the extraction of supply chain information from diverse public sources. With high accuracy in NER and RE tasks, it provides an effective tool for understanding complex, multi-tiered supply networks.
arXiv Detail & Related papers (2024-08-05T17:11:29Z)
- Characterizing Dependency Update Practice of NPM, PyPI and Cargo Packages [7.739923421146855]
Keeping dependencies up-to-date prevents software supply chain attacks through outdated and vulnerable dependencies. We propose two update metrics to measure the updatedness of dependencies and updatedness of vulnerable dependencies. We conduct a large-scale empirical study of update metrics with 2.9M packages, 66.8M package versions, and 26.8M unique package-dependency relations.
arXiv Detail & Related papers (2024-03-26T05:01:53Z)
- Dependency Practices for Vulnerability Mitigation [4.710141711181836]
We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies. We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
arXiv Detail & Related papers (2023-10-11T19:48:46Z)
- Analyzing Maintenance Activities of Software Libraries [55.2480439325792]
Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z)
- Visual Dependency Transformers: Dependency Tree Emerges from Reversed Attention [106.67741967871969]
We propose Visual Dependency Transformers (DependencyViT) that can induce visual dependencies without any labels. We formulate it as a dependency graph where a child token in reversed attention is trained to attend to its parent tokens and send information. DependencyViT works well on both self- and weakly-supervised pretraining paradigms on ImageNet.
arXiv Detail & Related papers (2023-04-06T17:59:26Z)
- Pack Together: Entity and Relation Extraction with Levitated Marker [61.232174424421025]
We propose a novel span representation approach, named Packed Levitated Markers, to consider the dependencies between the spans (pairs) by strategically packing the markers in the encoder. Our experiments show that our model with packed levitated markers outperforms the sequence labeling model by 0.4%-1.9% F1 on three flat NER tasks, and beats the token concat model on six NER benchmarks.
arXiv Detail & Related papers (2021-09-13T15:38:13Z)
- Reconstructive Sequence-Graph Network for Video Summarization [107.0328985865372]
Exploiting the inner-shot and inter-shot dependencies is essential for key-shot based video summarization. We propose a Reconstructive Sequence-Graph Network (RSGN) to encode the frames and shots as sequence and graph hierarchically. A reconstructor is developed to reward the summary generator, so that the generator can be optimized in an unsupervised manner.
arXiv Detail & Related papers (2021-05-10T01:47:55Z)
This list is automatically generated from the titles and abstracts of the papers in this site.