English

Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem

Software Engineering 2025-10-07 v1

Abstract

Trivial packages, small modules with low functionality, are common in the npm ecosystem and can pose security risks despite their simplicity. This paper refines existing definitions and introduce data-only packages that contain no executable logic. A rule-based static analysis method is developed to detect trivial and data-only packages and evaluate their prevalence and associated risks in the 2025 npm ecosystem. The analysis shows that 17.92% of packages are trivial, with vulnerability levels comparable to non-trivial ones, and data-only packages, though rare, also contain risks. The proposed detection tool achieves 94% accuracy (macro-F1 0.87), enabling effective large-scale analysis to reduce security exposure. This findings suggest that trivial and data-only packages warrant greater attention in dependency management to reduce potential technical debt and security exposure.

Keywords

Cite

@article{arxiv.2510.04495,
  title  = {Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem},
  author = {Napasorn Tevarut and Brittany Reid and Yutaro Kashiwa and Pattara Leelaprute and Arnon Rungsawang and Bundit Manaskasemsak and Hajimu Iida},
  journal= {arXiv preprint arXiv:2510.04495},
  year   = {2025}
}

Comments

Accepted in PROFES 2025

R2 v1 2026-07-01T06:18:31.671Z