On the Impact of Micro-Packages: An Empirical Study of the npm JavaScript Ecosystem

TL;DR

This empirical study analyzes the prevalence, dependency structures, and usage costs of micro-packages in the npm JavaScript ecosystem, highlighting their significant impact and potential risks for developers.

Contribution

It provides the first large-scale empirical analysis of micro-packages in npm, revealing their dependency complexity and usage costs, and emphasizing ecosystem sensitivity.

Findings

Micro-packages constitute a significant portion of npm.

Some micro-packages have long dependency chains.

Micro-packages can incur comparable usage costs to larger packages.

Abstract

The rise of user-contributed Open Source Software (OSS) ecosystems demonstrate their prevalence in the software engineering discipline. Libraries work together by depending on each other across the ecosystem. From these ecosystems emerges a minimized library called a micro-package. Micro- packages become problematic when breaks in a critical ecosystem dependency ripples its effects to unsuspecting users. In this paper, we investigate the impact of micro-packages in the npm JavaScript ecosystem. Specifically, we conducted an empirical in- vestigation with 169,964 JavaScript npm packages to understand (i) the widespread phenomena of micro-packages, (ii) the size dependencies inherited by a micro-package and (iii) the developer usage cost (ie., fetch, install, load times) of using a micro-package. Results of the study find that micro-packages form a significant portion of the npm ecosystem. Apart from the ease of readability and comprehension, we show that some micro-packages have long dependency chains and incur just as much usage costs as other npm packages. We envision that this work motivates the need for developers to be aware of how sensitive their third-party dependencies are to critical changes in the software ecosystem.