ABSTRACT
Code reuse is traditionally seen as good practice. Recent trends have pushed the concept of code reuse to an extreme, by using packages that implement simple and trivial tasks, which we call 'trivial packages'. A recent incident in which a trivial package led to the breakdown of some of the most popular web applications, such as Facebook and Netflix, made it imperative to question the growing use of trivial packages.
Therefore, in this paper, we mine more than 230,000 npm packages and 38,000 JavaScript applications in order to study the prevalence of trivial packages. We found that trivial packages are common and are increasing in popularity, making up 16.8% of the studied npm packages. We performed a survey with 88 Node.js developers who use trivial packages to understand the reasons for and drawbacks of their use. Our survey revealed that trivial packages are used because they are perceived to be well-implemented and tested pieces of code. However, developers are concerned about maintaining them and about the risk of breakage caused by the extra dependencies trivial packages introduce. To objectively verify the survey results, we empirically validate the most cited reason and drawback and find that, contrary to developers' beliefs, only 45.2% of trivial packages even have tests. However, trivial packages appear to be 'deployment tested' and to have similar testing, usage, and community interest to non-trivial packages. On the other hand, we found that 11.5% of the studied trivial packages have more than 20 dependencies. Hence, developers should be careful about which trivial packages they decide to use.
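The two findings above (declared tests, and the number of dependencies a trivial package pulls in) can be checked locally before adopting a package. The following is an added illustration, not code from the paper: it inspects a constructed, lockfile-style dependency graph and package.json manifests, treats npm's placeholder test script as "no tests", and flags packages that exceed the 20-dependency line reported in the abstract. The package names, graph shape and manifests are all constructed sample data.

```javascript
// Added example, not code from the paper: audit dependencies for the two concerns
// the abstract measures. All sample data below is constructed.

// npm init writes this placeholder; its presence means "untested", not "tested".
const NPM_DEFAULT_TEST = 'echo "Error: no test specified" && exit 1';

// True only if package.json declares a non-empty, non-placeholder test script.
function hasTestScript(manifest) {
  const test = manifest.scripts && manifest.scripts.test;
  return typeof test === "string" && test.trim() !== "" && test !== NPM_DEFAULT_TEST;
}

// Distinct packages reachable from `root`; each node is visited once, so cycles end.
function transitiveDependencyCount(graph, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    for (const dep of graph[name] || []) {
      if (!seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  seen.delete(root); // a cycle back to the root is not an extra dependency
  return seen.size;
}

// One row per audited package; `heavy` applies the 20-dependency line the
// abstract reports (11.5% of trivial packages exceed it).
function audit(graph, manifests, threshold = 20) {
  return Object.keys(manifests).map((name) => {
    const dependencies = transitiveDependencyCount(graph, name);
    return { name, tested: hasTestScript(manifests[name]), dependencies, heavy: dependencies > threshold };
  });
}

// Constructed sample: one helper with a single dependency, one whose sole
// direct dependency fans out to 21 more packages (with cycles back to it).
const GRAPH = { "tiny-pad": ["is-number"], "is-number": [], "heavy-pad": ["util-kit"], "util-kit": [] };
for (let i = 0; i < 21; i++) {
  GRAPH["util-kit"].push(`util-${i}`);
  GRAPH[`util-${i}`] = ["util-kit"];
}
const MANIFESTS = {
  "tiny-pad": { scripts: { test: "mocha test/" } },
  "heavy-pad": { scripts: { test: NPM_DEFAULT_TEST } },
};
console.table(audit(GRAPH, MANIFESTS));
```

On a real project the graph would be built from `package-lock.json` and the manifests read from `node_modules/<name>/package.json`; the checks themselves stay the same.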
Index Terms
- Why do developers use trivial packages? an empirical case study on npm