Analyzing the Criticality of NPM Packages Through a Time-Dependent Dependency Graph

Analyzing the Criticality of NPM Packages Through a Time-Dependent Dependency Graph

Brands, Anna (TU Delft Electrical Engineering, Mathematics and Computer Science)

Gousios, Giorgos (mentor)
Spinellis, D. (mentor)
Anand, A. (graduation committee)

Delft University of Technology

Computer Science and Engineering

CSE3000 Research Project

2022-06-23

In (open-source) development, developers routinely rely on other libraries to improve their coding efficiency by reusing code. This reliance on other packages could cause issues when critical dependencies have suddenly have a vulnerability introduced to them. This work analyzes the criticality for NPM. To get an accurate picture of what the most-critical and thus possibly most-vulnerable packages are, the entirety of NPM must be analyzed. However, this proved too big to be able to fit in 500GB of memory. This work therefore examines a small subset of 100 thousand packages. To do the analysis, this paper proposes a novel approach of embedding a time dimension into the package network to provide better accuracy. This papers analysis show that both with and without this time dimension, \texttt{babel} packages are by far the most important in the package graph (as measured by PageRank). We should, however, keep in mind that this came from only analyzing 100 thousand packages. Thus, further research is required to confirm this conclusion. In particular, other importance measures should be used to find out the packages' criticality.

Dependency Analysis
NPM
time dependent

http://resolver.tudelft.nl/uuid:ca172ae3-3e8b-4b1b-9236-81e8983d3943

Student theses

bachelor thesis

© 2022 Anna Brands