📝 SummarXiv

Abstract

Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant philosophy has been to 'reuse as much as possible, without thought for what is being depended upon', creating fragile dependency chains. Heavy reliance has raised resiliency and maintenance concerns. In this vision paper, we investigate packages that challenge the typical concepts of reuse - that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. By avoiding dependencies, these packages at the end of the chain may also avoid the associated risks. Our initial analysis of the most depended upon NPM packages shows that such end-of-chain packages make up a significant portion of these critical dependency chain (over 50%). We find that these end-of-chain packages vary in characteristics and are not just packages that can be easily replaced, and present five cases. We then ask ourselves: Should maintainers minimize external dependencies? We argue that these packages reveal important lessons for strategic reuse-balancing the undeniable benefits of dependency ecosystems with sustainable, secure practices.