A Longitudinal Study of Dependency Reclassifications in JavaScript Projects
Yuxin Liu, Cristian Bogdan, Benoit Baudry

TL;DR
This study examines how JavaScript projects reclassify dependencies over time, revealing prevalent, long-term, and complex reclassification activities that impact dependency management practices.
Contribution
It provides the first large-scale analysis of dependency reclassification patterns, highlighting their frequency, duration, and implications for tooling and best practices.
Findings
79.1% of projects reclassify dependencies
Of those projects, 97.2% remove dependencies at some point
Of those projects, 38.0% reassign dependency roles over time
Abstract
Modern software projects depend on third-party dependencies, whose declarations must be maintained as projects evolve. Prior work has focused on dependency version updates, while much less is known about how developers assign dependencies to different roles over time. In this paper, we investigate how developers of JavaScript projects reclassify their dependencies, including removal and role reassignment. Our analysis of 33,087 JavaScript projects with active dependency maintenance reveals that dependency reclassification is a prevalent maintenance activity, occurring in 79.1% of the studied projects. Of these projects, nearly all (97.2%) remove dependencies at some point, while 38.0% undergo role reassignments across Core (runtime), Dev (development-only), and Peer (consumer-provided) roles. These changes are not always final, as 33.1% of projects later reintroduce removed dependencies…
