Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM

TL;DR

This empirical study of 100 npm projects reveals that less than 1% of dependencies are used in production, highlighting the need for better tools to identify and prioritize production dependencies for security.

Contribution

It provides the first comprehensive analysis of production dependencies in npm projects, challenging assumptions and emphasizing the importance of prioritizing security for production-relevant dependencies.

Findings

Less than 1% of dependencies are released to production.

Many dependencies configured for runtime are not used in production.

Most security alerts target dependencies not used in production.

Abstract

Modern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become dependent on a large number of software packages. Consequently, developers are faced with the difficult challenge of maintaining their project dependencies by keeping them up-to-date and free of security vulnerabilities. However, how often are project dependencies used in production where they could pose a threat to their project's security? We conduct an empirical study on 100 JavaScript projects using the Node Package Manager (npm) to quantify how often project dependencies are released to production and analyze their characteristics and their impact on security. Our results indicate that less than 1% of the installed dependencies are released to production. Our analysis reveals that the functionality of a package is not enough to determine if it will be released to production or not. In fact, 59% of the installed dependencies configured as runtime dependencies are not used in production, and 28.2% of the dependencies configured as development dependencies are used in production, debunking two common assumptions of dependency management. Findings also indicate that most security alerts target dependencies not used in production, making them highly unlikely to be a risk for the security of the software. Our study unveils a more complex side of dependency management: not all dependencies are equal. Dependencies used in production are more sensitive to security exposure and should be prioritized. However, current tools lack the appropriate support in identifying production dependencies.