Slide 1

Structure and Evolution of Package Dependency Networks
Riivo Kikas, Georgios Gousios, Marlon Dumas, Dietmar Pfahl

Slide 2

Software reuse
• System reuse
• Application reuse
• Component reuse
  • Libraries
  • COTS components
  • OSS packages through dependency management
• Object/Function reuse

Slide 3

Dependency management
library dependencies

Slide 4

Package dependency networks
csv-parser lists its dependencies, among others ndjson; ndjson in turn has its own list of dependencies.

Slide 5

A network of dependency relationships
Subset of Rust packages, mid-2016

Slide 6

What do dependency networks look like?
How do dependency networks evolve?
How resilient are dependency networks to attacks?

Slide 9

Ecosystems studied
[Chart: counts per ecosystem for JavaScript, Ruby and Rust; the bar values as extracted, in extraction order and not attributable to a specific ecosystem from the text alone: 254,466; 84,987; 122,786; 62,133; 11,037; 388,289; 147,120]

Slide 10

Dependency network construction
[Figure: the same example network built three ways. "No versions": package-level nodes A, B, C, D, E. "Latest versions": nodes A 0.1, B 0.3, C 0.5, E 0.1. "All versions": nodes A 0.1, B 0.3, C 0.4, C 0.5, D 0.2, E 0.1. The edges are not recoverable from the extracted text.]

Slide 11

[Figure: example version-level dependency network with nodes A 0.1, B 0.3, C 0.4, D 0.2, E 0.1, F 0.1, F 0.2, G 0.1, H 0.6, J 0.2.6, K 0.4, L 0.1; the edges are not recoverable from the extracted text]

Slide 12

[Figure: the same network, highlighting the dependents of one package]

Slide 13

[Figure: the same network, highlighting the dependents and transitive dependents of one package]

Slide 14

[Figure: the same network, highlighting the dependents, transitive dependents and dependencies of one package]

Slide 15

[Figure: the same network, highlighting the dependents, transitive dependents, dependencies and transitive dependencies of one package]

Slide 16

Static properties
Mean number of dependents

              Direct   Transitive   Ratio
  JavaScript  1.3      15.5         11.9x
  Ruby        1.2      6.4          5.3x
  Rust        1.6      7.4          4.0x

Slide 17

Ecosystem growth - Dependents
The number of JavaScript/NPM dependents is growing at a tremendous speed; Ruby is slowing down.

Slide 18

Static properties
Mean number of dependencies

              Direct   Transitive   Ratio
  JavaScript  5.5      54.6         9.9x
  Ruby        8.7      34.1         3.9x
  Rust        3        9.3          3.1x

Slide 19

Ecosystem growth - Dependencies
The number of JavaScript/NPM dependencies is growing at a tremendous speed; Ruby is slowing down.

Slide 20

Vulnerability
Fraction of nodes affected by the removal of a single package / version
[Plot: vulnerability rate over 2005-2015 (y-axis 0.000 to 0.014); series: Application mean JS, Package mean JS, Application mean Ruby, Package mean Ruby]
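The measures used on slides 11 to 21 (direct and transitive dependents and dependencies, their means and ratio, and the fraction of nodes hit when a single node is removed) carried through on a small graph, as an added example that is not code from the talk or from the authors' repository. The node names follow the slides' example network, but the edges are constructed, since the slides' arrows did not survive extraction.

```python
from collections import defaultdict

# Constructed version-level network: node names follow the slides' example,
# the edges are an assumption (the slides' arrows are not in the extracted text).
# An edge (x, y) means "x depends on y".
EDGES = [
    ("A 0.1", "C 0.4"), ("B 0.3", "C 0.4"), ("B 0.3", "D 0.2"),
    ("C 0.4", "E 0.1"), ("D 0.2", "E 0.1"), ("F 0.1", "E 0.1"),
    ("F 0.2", "E 0.1"), ("G 0.1", "F 0.1"), ("H 0.6", "F 0.2"),
    ("K 0.4", "F 0.2"), ("J 0.2.6", "K 0.4"), ("L 0.1", "J 0.2.6"),
]

def build(edges):
    """Adjacency both ways: deps[x] = what x needs, dependents[y] = who needs y."""
    deps, dependents, nodes = defaultdict(set), defaultdict(set), set()
    for src, dst in edges:
        deps[src].add(dst)
        dependents[dst].add(src)
        nodes.update((src, dst))
    return nodes, deps, dependents

def transitive(start, adj):
    """Every node reachable from start by following adj (start itself excluded)."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen - {start}

def stats(edges):
    nodes, deps, dependents = build(edges)
    direct_dependents = {n: len(dependents[n]) for n in nodes}
    trans_dependents = {n: len(transitive(n, dependents)) for n in nodes}
    direct_deps = {n: len(deps[n]) for n in nodes}
    trans_deps = {n: len(transitive(n, deps)) for n in nodes}
    mean = lambda d: sum(d.values()) / len(d)
    # Slide 20's measure: fraction of nodes affected when this one node is
    # removed, i.e. everything that transitively depends on it breaks.
    vulnerability = {n: trans_dependents[n] / len(nodes) for n in nodes}
    return {
        "mean_direct_dependents": mean(direct_dependents),
        "mean_transitive_dependents": mean(trans_dependents),
        "dependents_ratio": mean(trans_dependents) / mean(direct_dependents),
        "mean_direct_dependencies": mean(direct_deps),
        "mean_transitive_dependencies": mean(trans_deps),
        "vulnerability": vulnerability,
        # the "targeted attack" view of slide 21: the single most damaging removal
        "most_vulnerable": max(vulnerability, key=vulnerability.get),
    }
```

On this graph the leaf package E 0.1 is reached by 11 of the 12 nodes, which is the shape behind slides 21 to 23: the packages that matter most for resilience are the tiny, widely reused ones at the bottom of the network.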

Slide 21

Targeted attacks
Number of transitive dependents for the 5 most “vulnerable” packages (> 450k, > 300k)
inherits.js, erubis, rack
string_decoder, sigmund, is_array

Slide 22

Targeted attacks
Number of transitive dependents for the 5 most “vulnerable” packages (> 450k, > 300k)
string_decoder, sigmund, is_array
30 LOCs!
inherits.js, erubis, rack

Slide 23

Targeted attacks
Number of transitive dependents for the 5 most “vulnerable” packages (> 450k, > 300k)
string_decoder, sigmund, is_array
Last Commit: 2012
inherits.js, erubis, rack

Slide 24

Ecosystem response to a CVE
CVE-2015-3225: DoS via a request with large parameter depth

Slide 25

What can developers do?

Slide 26

What can developers do?
• Understand the effect of including a dependency
• For small, inherits.js-like packages just re-implement it
• Actively monitor vulnerabilities in the transitive closure
• More intelligent, integrated tools
• Better governance of dependency management practices

Slide 27

What can researchers do?

Slide 28

What can researchers do?
• Better tools:
  • increase visibility of transitive includes
  • connect ecosystems to security advisories
  • dependency health and ecosystem stability ratings
• Better analysis: understand which parts of the dependency code are actually used
• A semantic versioning system that everybody agrees upon
• Qualitative work: how do developers approach dependency management?
• Replicate in other ecosystems

Slide 29

riivo/package-dependency-networks @riivo @gousiosg