Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem
Trivial packages, small modules with low functionality, are common in the npm ecosystem and can pose security risks despite their simplicity. In this study, we refine existing definitions and introduce data- only packages that contain no executable logic. We propose a rule-based static analysis method to detect both trivial and data-only packages and evaluate their prevalence and associated risks in the 2025 npm ecosys- tem. We find 17.92% of packages are trivial, with vulnerability levels comparable to non-trivial ones, and data-only packages, though rare, also contain risks. Our detection tool achieves 94% accuracy (macro- F1 0.87), enabling effective large-scale analysis to reduce technical debt and security exposure. Our findings suggest that trivial and data-only packages warrant greater attention in dependency management to reduce potential technical debt and security exposure.
| Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem (Slides) (_Detecting and characterizing trivial and data-only package in non ecosystem slide_compressed.pdf) | 1.85MiB |
Wed 3 DecDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
11:30 - 13:00 | Software Composition, Compliance, and SecurityResearch Papers / Short Papers and Posters / Industry Papers at Sala degli Affreschi (Fresco Room) Chair(s): Eriks Klotins Blekinge Institute of Technology | ||
11:30 15mTalk | AI Alignment for Ethical Compliance and Risk Mitigation in Industrial Applications Research Papers Rushali Gupta Lund University, Qunying Song University College London, Matthias Wagner Lund University, Emelie Engstrom Lund University, Emma Söderberg Lund University, Markus Borg CodeScene, Per Runeson Lund University | ||
11:45 15mTalk | FOSS-chain: using blockchain for Open Source Software license compliance Research Papers Kypros Iacovou University of Cyprus, Georgia Kapitsaki University of Cyprus, Evangelia Vanezi University of Cyprus File Attached | ||
12:00 15mTalk | Pipelines Under Pressure: An Empirical Study of Security Misconfigurations of GitHub Workflows Research Papers Edoardo Riggio Software Institute - USI, Lugano, Cesare Pautasso Software Institute, Faculty of Informatics, USI Lugano DOI | ||
12:15 15mTalk | Policy-driven Software Bill of Materials on GitHub: An Empirical Study Research Papers Oleksii Novikov Blekinge Institute of Technology, Davide Fucci Blekinge Institute of Technology, Oleksandr Adamov Blekinge Institute of Technology, Daniel Mendez Blekinge Institute of Technology and fortiss | ||
12:30 10mTalk | Cross-Domain Evaluation of Transformer-Based Vulnerability Detection on Open & Industry Data Industry Papers Moritz Mock Free University of Bozen-Bolzano, Thomas Forrer Wurth Phoenix S.r.l., Barbara Russo Free University of Bolzano DOI Pre-print File Attached | ||
12:40 7mTalk | Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem Short Papers and Posters Napasorn Tevarut Kasetsart University, Brittany Reid Nara Institute of Science and Technology, Yutaro Kashiwa Nara Institute of Science and Technology, Pattara Leelaprute Kasetsart University, Arnon Rungsawang Kasetsart University, Bundit Manaskasemsak Kasetsart University, Hajimu Iida Nara Institute of Science and Technology File Attached | ||
12:47 7mTalk | An Empirical Study of Security-Policy Related Issues in Open Source Projects Short Papers and Posters Rintaro Kanaji Nara Institute of Science and Technology, Brittany Reid Nara Institute of Science and Technology, Yutaro Kashiwa Nara Institute of Science and Technology, Raula Gaikovina Kula The University of Osaka, Hajimu Iida Nara Institute of Science and Technology File Attached | ||