Helping or not helping? Why and how trivial packages impact the npm ecosystem

Journal: Empirical Software Engineering

Abstract

Developers often share their code snippets by packaging them and making them available to others through software packages. How much a package does and how big it is can be seen as either positive or negative. Recent studies showed that many packages in the npm ecosystem are trivial and may introduce high dependency overhead. Hence, one question that arises is why developers choose to publish such trivial packages at all. In this paper, we perform a developer-centered study to empirically examine why developers choose to publish them. Specifically, we ask 1) why developers publish trivial packages, 2) what they believe to be the possible negative impacts of these packages, and 3) how such negative issues can be mitigated. The survey responses of 59 JavaScript developers who publish trivial npm packages showed that the main advantages of publishing these trivial packages are to provide reusable components, testing & documentation, and separation of concerns. Even the developers who publish these trivial packages admitted to having issues when publishing them, including the maintenance of multiple packages, dependency hell, finding the right package, and the increase of duplicated packages in the ecosystem. Furthermore, we found that the majority of the developers suggested grouping these trivial packages to cope with the problems associated with publishing them. Then, to quantitatively investigate the impact of these trivial packages on the npm ecosystem and its users, we examine the effect of grouping them. We found that if trivial packages that are always used together are grouped, the ecosystem can reduce the number of dependencies by approximately 13%. Our findings shed light on the impact of publishing trivial packages and show that ecosystems and developer communities need to rethink their publishing policies, since publishing trivial packages can negatively impact developers and the entire ecosystem.
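To make the grouping analysis concrete, the following added example (not code from the paper or its replication package) computes how many direct dependencies an ecosystem would shed if trivial packages that are always used together were merged into one bundle. It assumes "always used together" means the packages have an identical set of dependents, and it runs on constructed manifests rather than real npm registry data, so the resulting percentage is illustrative and unrelated to the paper's 13% figure.

```python
from collections import defaultdict

# Constructed sample data (not from the npm registry): each dependent package
# maps to its direct dependencies; TRIVIAL marks which of those are trivial.
TRIVIAL = {"is-odd", "is-even", "is-number", "left-pad", "pad-right"}
DEPENDENTS = {
    "app-a": {"is-odd", "is-even", "is-number", "express"},
    "app-b": {"is-odd", "is-even", "is-number"},
    "app-c": {"left-pad", "pad-right", "lodash"},
    "app-d": {"left-pad", "pad-right"},
    "app-e": {"is-number", "lodash"},  # is-number is also used alone, so it stays separate
}


def dependents_of(dependents, trivial):
    """Invert the manifests: trivial package -> set of packages that depend on it."""
    users = defaultdict(set)
    for pkg, deps in dependents.items():
        for dep in deps:
            if dep in trivial:
                users[dep].add(pkg)
    return users


def always_together_groups(dependents, trivial):
    """Trivial packages sharing an identical dependent set are always used together."""
    by_users = defaultdict(set)
    for pkg, users in dependents_of(dependents, trivial).items():
        by_users[frozenset(users)].add(pkg)
    return [frozenset(group) for group in by_users.values() if len(group) > 1]


def apply_grouping(dependents, groups):
    """Replace every member of a group by a single bundle dependency named after it."""
    bundle_of = {}
    for group in groups:
        name = "bundle(" + "+".join(sorted(group)) + ")"
        for member in group:
            bundle_of[member] = name
    return {pkg: {bundle_of.get(d, d) for d in deps} for pkg, deps in dependents.items()}


def count_dependencies(dependents):
    return sum(len(deps) for deps in dependents.values())


def dependency_reduction(dependents, trivial):
    """Return (dependencies before, dependencies after grouping, fraction removed)."""
    before = count_dependencies(dependents)
    grouped = apply_grouping(dependents, always_together_groups(dependents, trivial))
    after = count_dependencies(grouped)
    return before, after, (before - after) / before


if __name__ == "__main__":
    before, after, ratio = dependency_reduction(DEPENDENTS, TRIVIAL)
    print(f"dependencies: {before} -> {after} ({ratio:.1%} fewer)")
```

On the sample manifests, is-odd/is-even and left-pad/pad-right form bundles while is-number does not, so the 14 direct dependencies drop to 10.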


Acknowledgments

We thank the JavaScript developer community and npm developers, with special thanks to the developers who kindly responded to our survey.

Author information

Corresponding author

Correspondence to Xiaowei Chen.

Additional information

Communicated by: Massimiliano Di Penta

Cite this article

Chen, X., Abdalkareem, R., Mujahid, S. et al. Helping or not helping? Why and how trivial packages impact the npm ecosystem. Empir Software Eng 26, 27 (2021). https://doi.org/10.1007/s10664-020-09904-w
