Node package manager's dependency network robustness
Andrej Hafner, Anže Mur, Jaka Bernard

TL;DR
This paper analyzes the robustness of the npm dependency network, revealing its vulnerabilities to targeted attacks, its evolving resilience, and providing guidelines to improve its security and stability.
Contribution
It offers a comprehensive analysis of npm network robustness over time, highlighting vulnerabilities, community structures, and proposing development guidelines for enhanced resilience.
Findings
The network is vulnerable to targeted attacks on a few crucial nodes.
The trend in the number of dependencies and the influence of key nodes are both decreasing.
Communities form around important packages but do not align with standard community definitions.
Abstract
The robustness of the npm dependency network is a crucial property, since many projects and web applications rely heavily on the functionality of packages, especially popular ones that have many dependent packages. In the past, there have been instances where the removal or update of certain npm packages caused widespread chaos and web page downtime across the internet. Our goal is to track the network's resilience to such occurrences over time and determine whether the state of the network is trending towards a more robust structure. We show that the network is not robust to targeted attacks, since a security risk in a few crucial nodes affects a large part of the network. Because such packages are usually backed by serious communities with high standards, the issue is not alarming and is a consequence of the power-law distribution of the network. The current trend in average number of…
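To make the abstract's robustness claim concrete, here is an added example that is not part of the paper or its code. It builds a small constructed dependency graph shaped like a power-law network (a couple of hub packages that almost everything transitively depends on), then measures the fraction of packages that become uninstallable when packages are removed. The targeted strategy modelled here (greedily removing the package with the most remaining transitive dependents) is an assumption for illustration, not necessarily the attack model the paper uses; the baseline is the average damage from a single, arbitrarily chosen package failing. The package names and graph are constructed.

```python
"""Dependency-network robustness: targeted vs. single-package failure (constructed example)."""
from collections import deque

# Constructed sample: package -> direct dependencies.  "core" and "util" are hubs
# that most packages depend on transitively; "template" and "leftpad" are smaller hubs.
SAMPLE_DEPS = {
    "core": [],
    "util": ["core"],
    "http": ["util"],
    "router": ["http"],
    "db": ["util"],
    "orm": ["db"],
    "auth": ["http", "orm"],
    "template": [],
    "view": ["template"],
    "app-a": ["router", "auth", "view"],
    "app-b": ["router", "orm"],
    "app-c": ["view"],
    "app-d": ["template"],
    "cli": ["util"],
    "leftpad": [],
    "app-e": ["leftpad"],
}


def reverse_graph(deps):
    """Return package -> set of packages that directly depend on it."""
    dependents = {p: set() for p in deps}
    for pkg, ds in deps.items():
        for d in ds:
            dependents.setdefault(d, set()).add(pkg)
    return dependents


def transitive_dependents(dependents, root):
    """All packages that directly or transitively depend on `root` (BFS over reverse edges)."""
    seen, queue = set(), deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in dependents.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def direct_dependent_counts(deps):
    """In-degree of each package; in a power-law network a few entries dominate."""
    return {p: len(s) for p, s in reverse_graph(deps).items() if p in deps}


def affected_fraction(deps, removed):
    """Fraction of packages that are removed or can no longer be installed because
    something in their dependency closure was removed."""
    dependents = reverse_graph(deps)
    broken = set(removed)
    for r in removed:
        broken |= transitive_dependents(dependents, r)
    return len(broken & set(deps)) / len(deps)


def targeted_removal(deps, k):
    """Greedy targeted removal (assumed attack model): repeatedly pick the package
    whose failure would break the most of the packages still standing."""
    alive = dict(deps)
    removed = []
    for _ in range(k):
        if not alive:
            break
        dependents = reverse_graph(alive)
        crucial = max(alive, key=lambda p: len(transitive_dependents(dependents, p)))
        broken = {crucial} | transitive_dependents(dependents, crucial)
        removed.append(crucial)
        # Everything in `broken` is gone; the survivors did not depend on it.
        alive = {p: ds for p, ds in alive.items() if p not in broken}
    return removed


def mean_single_failure(deps):
    """Baseline: average affected fraction when one arbitrary package fails."""
    return sum(affected_fraction(deps, [p]) for p in deps) / len(deps)


if __name__ == "__main__":
    print("baseline (one arbitrary package fails):", mean_single_failure(SAMPLE_DEPS))
    for k in (1, 2, 3):
        removed = targeted_removal(SAMPLE_DEPS, k)
        print(f"targeted k={k}: remove {removed} -> affected {affected_fraction(SAMPLE_DEPS, removed):.3f}")
```

On this constructed graph an arbitrary single failure breaks about 21% of packages on average, while removing the single most crucial package breaks 62.5%, and three targeted removals break everything: the same asymmetry between random and targeted removal that the abstract describes for npm. A defender reading such numbers would look at the same ranking the attacker would, the packages with the largest transitive dependent set, as the ones whose maintainership, release signing and update process deserve the most scrutiny.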
Taxonomy
Topics: Peer-to-Peer Network Technologies · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
