Like many other web-based frameworks, Drupal is increasingly relying on JavaScript libraries and tooling (such as React, Node.js, Angular and many more) to improve its user experience. However, relying on such JavaScript libraries also carries a significant risk of breaking or compromising your applications.
To illustrate this, we present a series of empirical results on the health of the npm dependency network for JavaScript packages. Our findings, based on an analysis of the ecosystem's historical data, show that the npm package ecosystem suffers from a range of important technical health issues related to how its dependency network is structured and how it evolves over time.
Examples of such issues include the exponential growth of npm, the huge number of transitive dependencies, the abundance of outdated dependencies, and the long time it takes to fix security vulnerabilities and for dependent packages to benefit from these fixes. We provide empirical evidence of these problems and suggest ways to reduce their potential impact through concrete guidelines.
All presented results were obtained by researchers of the Software Engineering Lab at the University of Mons in the context of two ongoing projects, SECOHealth and SECO-ASSIST, which aim to analyse and improve the health of software ecosystems.
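Two of the issues listed above, the size of the transitive dependency set and the share of outdated dependencies, can be measured directly from a lockfile and a registry snapshot. The following script is an added example, not code from the presentation or from the SECOHealth / SECO-ASSIST projects; the `sampleLockfile` and `sampleRegistry` objects are constructed stand-ins for a real `package-lock.json` and the npm registry, and the lag classification by first differing semver component is a simplification chosen for illustration.

```javascript
// Added example (not from the presentation or the projects it describes).
// Walks a lockfile-like dependency graph, counts direct vs. transitive
// packages, and classifies how far each installed version lags behind the
// latest release known in a registry snapshot.

// Constructed lockfile-like graph: package -> installed version + requirements.
// A real run would read the "packages"/"dependencies" section of package-lock.json.
const sampleLockfile = {
  app: { version: "1.0.0", requires: { "left-pad": "1.1.0", express: "4.16.0" } },
  "left-pad": { version: "1.1.0", requires: {} },
  express: { version: "4.16.0", requires: { debug: "2.6.0", "body-parser": "1.18.0" } },
  debug: { version: "2.6.0", requires: { ms: "2.0.0" } },
  "body-parser": { version: "1.18.0", requires: { debug: "2.6.0", qs: "6.5.0" } },
  ms: { version: "2.0.0", requires: {} },
  qs: { version: "6.5.0", requires: {} },
};

// Constructed registry snapshot: latest version known for each package.
const sampleRegistry = {
  "left-pad": "1.3.0",
  express: "4.17.1",
  debug: "4.1.1",
  "body-parser": "1.19.0",
  ms: "2.1.2",
  qs: "6.9.1",
};

// Breadth-first walk from `root`. Returns a Map of package -> depth, where
// depth 1 is a direct dependency and depth >= 2 is reached only transitively.
function transitiveDependencies(graph, root) {
  const depth = new Map();
  const queue = [[root, 0]];
  while (queue.length > 0) {
    const [name, d] = queue.shift();
    const entry = graph[name];
    if (!entry) continue; // unresolved package: skip instead of crashing
    for (const dep of Object.keys(entry.requires)) {
      if (!depth.has(dep)) {
        depth.set(dep, d + 1);
        queue.push([dep, d + 1]);
      }
    }
  }
  return depth;
}

// Classify the lag of `installed` behind `latest` by the first differing
// semver component ("major" / "minor" / "patch"); "current" if equal or newer.
function versionLag(installed, latest) {
  const a = installed.split(".").map(Number);
  const b = latest.split(".").map(Number);
  const labels = ["major", "minor", "patch"];
  for (let i = 0; i < 3; i++) {
    if (a[i] < b[i]) return labels[i];
    if (a[i] > b[i]) return "current";
  }
  return "current";
}

// Summarise the dependency health of `root`: how many packages it pulls in
// directly and transitively, and which of them are behind the registry.
function dependencyReport(graph, registry, root) {
  const deps = transitiveDependencies(graph, root);
  const outdated = [];
  for (const [name, d] of deps) {
    const installed = graph[name] && graph[name].version;
    const latest = registry[name];
    if (!installed || !latest) continue; // unknown to lockfile or registry
    const lag = versionLag(installed, latest);
    if (lag !== "current") outdated.push({ name, depth: d, installed, latest, lag });
  }
  const depths = [...deps.values()];
  return {
    direct: depths.filter((d) => d === 1).length,
    transitive: depths.filter((d) => d > 1).length,
    outdated,
  };
}

// Example run on the constructed data.
const report = dependencyReport(sampleLockfile, sampleRegistry, "app");
console.log(`direct: ${report.direct}, transitive-only: ${report.transitive}`);
for (const o of report.outdated) {
  console.log(`${o.name}@${o.installed} -> ${o.latest} (${o.lag} lag, depth ${o.depth})`);
}
```

On the constructed graph the application declares only two dependencies but pulls in four more transitively, and every one of the six is behind the registry, with `debug` a full major version behind. Packages at depth 2 or more are the ones an application author never chose and rarely watches, which is why a vulnerability fix in such a package takes long to reach dependents: it has to be adopted by each intermediate package first.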
The presentation was given by Tom Mens, Full Professor and Director of the Software Engineering Lab of the University of Mons, Belgium.
Download material
- Presentation slides are available at SlideShare. (Click here for other related presentations.)
- Download our open access publication An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems, in which we analyse npm, Packagist and five other package dependency networks.
- Download our open access publication On the impact of security vulnerabilities in the npm package dependency network
- More publications can be found on Google Scholar