Abstract
Developers often share their code snippets by packaging them and making them available to others through software packages. How much a package does and how big it is can be seen as positive or negative. Recent studies showed that many packages in the npm ecosystem are trivial and may introduce high dependency overhead. Hence, one question that arises is why developers choose to publish these trivial packages. Therefore, in this paper, we perform a developer-centered study to empirically examine why developers choose to publish such trivial packages. Specifically, we ask 1) why developers publish trivial packages, 2) what they believe to be the possible negative impacts of these packages, and 3) how such negative issues can be mitigated. The survey responses of 59 JavaScript developers who publish trivial npm packages showed that the main advantages of publishing these trivial packages are to provide reusable components, testing & documentation, and separation of concerns. Even the developers who publish these trivial packages admitted to having issues when they publish such packages, which include the maintenance of multiple packages, dependency hell, finding the right package, and the increase of duplicated packages in the ecosystem. Furthermore, we found that the majority of the developers suggested grouping these trivial packages to cope with the problems associated with publishing them. Then, to quantitatively investigate the impact of these trivial packages on the npm ecosystem and its users, we examine grouping these trivial packages. We found that if trivial packages that are always used together are grouped, the ecosystem can reduce the number of dependencies by approximately 13%. Our findings shed light on the impact of publishing trivial packages and show that ecosystems and developer communities need to rethink their publishing policies, since publishing trivial packages can negatively impact the developers and the entire ecosystem.
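To make the grouping analysis in the abstract concrete, the following is an added example (not code from the paper or its replication package). It assumes a constructed set of dependent manifests and a constructed list of which packages count as trivial; it also assumes that "always used together" means two trivial packages have exactly the same set of dependents, which is this example's own reading of the abstract rather than the paper's stated methodology. The example merges such packages with a union-find and then counts how many dependency edges disappear when each group is replaced by a single package, which is the quantity behind the abstract's reduction figure (the 13% in the paper; a different number on this constructed data). From a supply-chain perspective, each removed edge is one fewer package whose publisher, maintainers and install scripts a downstream project has to trust.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: each key is a dependent package, the value is the set
# of packages it lists under "dependencies" in package.json. Not real npm data.
SAMPLE_DEPENDENTS = {
    "app-a": {"is-odd", "is-even", "is-number", "express"},
    "app-b": {"is-odd", "is-even", "lodash"},
    "app-c": {"is-odd", "is-even", "is-number", "left-pad"},
    "app-d": {"left-pad", "express"},
    "app-e": {"is-number", "lodash"},
}

# Constructed list of the packages this example treats as "trivial".
SAMPLE_TRIVIAL = {"is-odd", "is-even", "is-number", "left-pad"}


def dependents_of(dependents):
    """Invert the manifest map: package -> set of dependents that list it."""
    users = defaultdict(set)
    for dependent, deps in dependents.items():
        for dep in deps:
            users[dep].add(dependent)
    return users


def always_together_groups(dependents, trivial):
    """Group trivial packages whose dependent sets are identical, i.e. that
    are never used without each other (assumed reading of 'always used together')."""
    users = dependents_of(dependents)
    parent = {p: p for p in trivial}  # union-find forest over trivial packages

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]  # path compression
            p = parent[p]
        return p

    for a, b in combinations(sorted(trivial), 2):
        # Identical, non-empty dependent sets => merge into one group.
        if users[a] and users[a] == users[b]:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for p in trivial:
        groups[find(p)].add(p)
    # Only groups of two or more packages actually save a dependency edge.
    return [frozenset(g) for g in groups.values() if len(g) > 1]


def dependency_counts(dependents, groups):
    """Count dependency edges before and after each group collapses to one package."""
    membership = {p: g for g in groups for p in g}
    before = sum(len(deps) for deps in dependents.values())
    after = 0
    for deps in dependents.values():
        seen_groups = set()
        for dep in deps:
            g = membership.get(dep)
            if g is None:
                after += 1          # ungrouped package: one edge as before
            elif g not in seen_groups:
                seen_groups.add(g)  # whole group counted once per dependent
                after += 1
    return before, after


def reduction_ratio(dependents, trivial):
    """Return (groups, edges_before, edges_after, fraction_removed)."""
    groups = always_together_groups(dependents, trivial)
    before, after = dependency_counts(dependents, groups)
    return groups, before, after, (before - after) / before


if __name__ == "__main__":
    groups, before, after, ratio = reduction_ratio(SAMPLE_DEPENDENTS, SAMPLE_TRIVIAL)
    print("groups:", [sorted(g) for g in groups])
    print(f"edges: {before} -> {after} ({ratio:.0%} fewer)")
```

On the constructed manifests, `is-odd` and `is-even` are listed by exactly the same three dependents, so they form one group, and the dependency edges drop from 15 to 12. Running the same functions over real `package.json` files only requires building the `dependents` map from the registry data and choosing a trivial-package criterion.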


Acknowledgments
We thank the JavaScript developer community and npm developers, and special thanks go to the developers who kindly responded to our survey.
Communicated by: Massimiliano Di Penta
Cite this article
Chen, X., Abdalkareem, R., Mujahid, S. et al. Helping or not helping? Why and how trivial packages impact the npm ecosystem. Empir Software Eng 26, 27 (2021). https://doi.org/10.1007/s10664-020-09904-w
DOI: https://doi.org/10.1007/s10664-020-09904-w