Not All Dependencies are Equal: An empirical study on production dependencies in NPM
Jasmine Latendresse Suhaib Mujahid Diego Elias Costa Emad Shihab
90% of software relies on open source packages
Faster development time
Lower development costs
2M+ packages
Used by 11M+ developers
170 nodes, 352 dependency links
https://npm.anvaka.com/
Software projects depend on a large number of packages.
Nearly 40% of npm packages rely on vulnerable code.
Dependencies need to be maintained.
Browserify
Which dependencies are actually critical to software projects?
What happens when critical dependencies fail?
2017: Security breach in the Apache Struts package.
2022: Faulty update in a critical component.
Which dependencies are more critical within a project?
Development dependencies
Runtime dependencies
Dependencies in production
Implementation
Validation
Deployment
Dependencies in production are the most critical in software systems
Identifying dependencies used in production
Research questions
RQ1. How many installed dependencies are in production?
RQ2. What are the types of dependencies in production?
RQ3. How often are npm security alerts emitted for dependencies in production?
Approach overview
100 JavaScript projects
Clone projects and install dependencies
Build projects
Identify dependencies in production
RQ1. How many installed dependencies are in production?
Quantifying packages in production
Manually build projects (with tree shaking)
Manually inspect build configurations
Parse source maps of each project
Project build command
Project source maps
Dependencies in production
Less than 1% of installed dependencies were used in production
497 of 53,421 installed dependencies are used in production
RQ2. What are the types of dependencies in production?
Identifying the types of dependencies in production
npm ls
Dependency tree
Dependency tree parser
Cross dependencies in production with dataset of dependencies
Identify all versions of installed dependencies
Dataset of installed dependencies
Production dependencies types
28% of the dependencies in production are development dependencies
139 of the 497 dependencies in production are development dependencies
Development dependencies deployed to production may be overlooked in maintenance tasks.
Dependency configuration
52.7% of dependencies in production are transitive
262 of the 497 dependencies in production are transitive
We have no direct control over transitive dependencies, so it is important to be aware of them.
RQ3. How often are npm security alerts emitted for dependencies in production?
Collecting security alerts
npm audit
Alerts parser
Cross vulnerable dependencies with production dependencies
Project security alerts
Alert severity and vulnerable dependencies
Alerts emitted for production dependencies
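The three pipelines above (parsing production source maps, parsing the npm ls dependency tree, and crossing npm audit alerts with production dependencies) as an added JavaScript example; this is not the study's own tooling. The package.json, source map, `npm ls --json` and `npm audit --json` shapes are the real formats, but the sample inputs and the package names in them are constructed.

```javascript
// Added example, not the study's own tooling: which installed npm packages ship in a
// production bundle (from its source map), how they are configured (package.json and an
// `npm ls --json` tree), and which carry `npm audit --json` alerts. Inputs are constructed.

// Last node_modules/<pkg> (or node_modules/@scope/<pkg>) segment of a source path.
function packageOf(sourcePath) {
  const hits = [...sourcePath.matchAll(/node_modules\/((?:@[^/]+\/)?[^/]+)/g)];
  return hits.length ? hits[hits.length - 1][1] : null;
}

// Packages whose files appear in the bundle's source map "sources" array.
function productionPackages(sourceMap) {
  return new Set(sourceMap.sources.map(packageOf).filter(Boolean));
}

// Walk an `npm ls --json` tree: depth 1 = direct, deeper = transitive. A package
// counts as "dev" only if every path to it starts at a devDependency.
function installedIndex(tree, devNames, depth = 1, viaDev = false, out = new Map()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const dev = depth === 1 ? devNames.has(name) : viaDev;
    const prev = out.get(name);
    out.set(name, { depth: prev ? Math.min(prev.depth, depth) : depth,
                    dev: prev ? prev.dev && dev : dev }); // runtime path wins
    installedIndex(node, devNames, depth + 1, dev, out);
  }
  return out;
}

function classifyProduction({ sourceMap, packageJson, lsTree, audit }) {
  const devNames = new Set(Object.keys(packageJson.devDependencies || {}));
  const index = installedIndex(lsTree, devNames);
  const vulns = audit.vulnerabilities || {};
  const rows = [];
  for (const name of productionPackages(sourceMap)) {
    const info = index.get(name);
    if (!info) continue; // bundled but not installed through npm (e.g. inlined helper)
    rows.push({ name, transitive: info.depth > 1, devDependency: info.dev,
                alertSeverity: name in vulns ? vulns[name].severity : null });
  }
  return rows;
}

const SAMPLE = { // constructed inputs mimicking the real file formats
  packageJson: { dependencies: { react: "^18.2.0" }, devDependencies: { webpack: "^5.88.0", lodash: "^4.17.21" } },
  lsTree: { dependencies: { react: { version: "18.2.0", dependencies: { "loose-envify": { version: "1.4.0" } } },
                            webpack: { version: "5.88.0" }, lodash: { version: "4.17.21" } } },
  sourceMap: { version: 3, sources: ["webpack://app/./src/index.js", "webpack://app/./node_modules/react/index.js",
    "webpack://app/./node_modules/loose-envify/index.js", "webpack://app/./node_modules/lodash/lodash.js"] },
  audit: { vulnerabilities: { webpack: { severity: "high" }, lodash: { severity: "critical" } } },
};
```

On the sample, webpack's high-severity alert never reaches production while lodash, a devDependency, ships in the bundle with a critical alert, which is exactly the mismatch the study's RQ2 and RQ3 are about.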
None of the security alerts were emitted for dependencies in production
608 security alerts (268 high severity, 45 critical severity), none for dependencies in production
Too many security alerts, too little detail
Takeaways
Difficult to prioritize maintenance efforts on dependencies that are critical to our software in production.
Not all security alerts are relevant to our applications.
We may miss an actual critical vulnerability; we need to be mindful of our dependency configuration.