The web of dependencies a complex network analysis of the NPM
Thesis / Dissertation
2024
Publisher
University of Cape Town
Abstract
Open-source software development is a collaborative effort resulting in complex dependencies between software packages. Unlike proprietary software, the open-source model offers a unique opportunity to analyse and trace these dependencies due to its public availability. This thesis maps out the complex dependency network within the npm ecosystem, the package manager for JavaScript. JavaScript is the world's most widely used programming language, and its package manager is a tool responsible for storing and distributing thousands of third-party software packages to the developer community. Yet, with greater interconnectivity comes greater vulnerability, a reality sharply highlighted in 2016 when the small utility package left-pad was removed from the npm registry. This event precipitated widespread software breakage, as many web applications transitively and unknowingly depended on it for functionality. This thesis uses complex network science to demonstrate how network measures can be used to determine the structure and level of complexity of the npm network and, more interestingly, how these parameters evolve over time. I analyse the npm network over five years, from 2012 to 2016. To the author's knowledge, no study at the time of writing has analysed the npm package ecosystem at a version level from the perspective of complex network science. This thesis finds that the npm network exhibits small-world behaviour and a scale-free architecture, concurring with existing studies on open-source software systems. It underscores the pivotal role of hierarchical software design in moulding npm's network topology and identifies versioned packages that disproportionately influence the network's functionality. Notably, it reveals that central nodes can have up to 200,000 reverse transitive dependencies, highlighting the ecosystem's vulnerability to cascading failures.
By providing a detailed exploration of npm's complex dependency network, this research deepens our understanding of npm's infrastructure and highlights the critical network dynamics at play in open-source software development. These insights pave the way for further research on mitigating potential vulnerabilities and improving the resilience of software dependency networks.
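The reverse transitive dependency count the abstract reports for central nodes is the number of package versions that would break if a node were unpublished, as left-pad was; it can be computed with a breadth-first walk over the reversed edges of the version-level graph. The following is an added example, not code or data from the thesis, run on a constructed package@version graph with fictional package names:

```javascript
// Constructed toy graph (not the thesis's data). Keys are package@version
// nodes; values are the versioned packages each node directly depends on.
const sampleGraph = {
  "left-pad@1.0.0": [],
  "fmt-lib@0.2.0": ["left-pad@1.0.0"],
  "build-tool@6.0.0": ["fmt-lib@0.2.0"],
  "cli@1.0.0": ["build-tool@6.0.0", "fmt-lib@0.2.0"],
  "webapp@2.0.0": ["cli@1.0.0", "util@4.0.0"],
  "util@4.0.0": [],
  "legacy-app@1.0.0": ["util@3.1.0"], // util@3.1.0 has no entry of its own
};

// Invert the edges: for every node, the set of nodes that depend on it directly.
// Nodes that only appear as dependencies (util@3.1.0 above) are still recorded.
function reverseEdges(graph) {
  const dependents = new Map();
  for (const [pkg, requires] of Object.entries(graph)) {
    if (!dependents.has(pkg)) dependents.set(pkg, new Set());
    for (const dep of requires) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(pkg);
    }
  }
  return dependents;
}

// Breadth-first walk over the reversed edges. The visited set also makes the
// walk terminate on cyclic dependencies, which version graphs can contain.
function reverseTransitiveDependents(graph, node) {
  const dependents = reverseEdges(graph);
  const seen = new Set();
  const queue = [node];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const parent of dependents.get(current) ?? []) {
      if (!seen.has(parent)) { seen.add(parent); queue.push(parent); }
    }
  }
  seen.delete(node); // a node is not its own dependent, even inside a cycle
  return seen;
}

// Rank every node by how many package versions would break if it disappeared.
function rankByBlastRadius(graph) {
  return [...reverseEdges(graph).keys()]
    .map((node) => [node, reverseTransitiveDependents(graph, node).size])
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

console.log(rankByBlastRadius(sampleGraph).slice(0, 3));
```

In this toy graph left-pad@1.0.0 tops the ranking with four reverse transitive dependents even though only one package depends on it directly, which is the hierarchical effect the abstract describes.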
Reference:
Oldnall, E. 2024. The web of dependencies a complex network analysis of the NPM. University of Cape Town, Faculty of Commerce, School of Economics. http://hdl.handle.net/11427/41222