On the health of the npm package ecosystem (and its potential impact on Drupal)

Session track
Code & Development
Experience level
50 min

Like many other web-based frameworks, Drupal is increasingly relying on JavaScript libraries (such as React, Node.js, Angular and many more) to improve its user experience. However, depending on such JavaScript libraries also carries a significant risk of breaking or compromising your applications.

To illustrate this, we present a series of empirical results on the health of the npm dependency network for JavaScript packages. Our findings, based on a historical data analysis, show that the npm package ecosystem suffers from a range of important technical health issues related to how its dependency network is structured and how it evolves over time.

Examples of such issues include the exponential growth of npm, the huge number of transitive dependencies, the abundance of outdated dependencies, and the long time it takes to fix security vulnerabilities and to benefit from these fixes in dependent packages. We provide empirical evidence of these problems, and suggest ways to reduce their potential impact by providing concrete guidelines.
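As an added example (not code from the talk or from the Software Engineering Lab), here is a Node.js script that measures two of these issues directly from an npm lockfile: the size and depth of each direct dependency's transitive closure, and which installed packages in that closure lag behind the newest published release. The lockfile contents and the "newest version" snapshot are constructed sample data, and the function names `resolve`, `transitiveClosure` and `report` are chosen here.

```javascript
// Added example, not the talk's code: constructed lockfileVersion-3 data ("packages"
// keyed by on-disk node_modules path) and a constructed "newest version" snapshot.
const lock = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'app-ui': '^1.0.0', 'app-util': '^2.0.0' } },
  'node_modules/app-ui': { version: '1.0.0', dependencies: { 'dom-helper': '^3.0.0', 'app-util': '^1.0.0' } },
  'node_modules/app-ui/node_modules/app-util': { version: '1.4.0', dependencies: { 'tiny-log': '^0.1.0' } },
  'node_modules/app-ui/node_modules/tiny-log': { version: '0.1.9' },
  'node_modules/app-util': { version: '2.1.0', dependencies: { 'tiny-log': '^0.2.0' } },
  'node_modules/dom-helper': { version: '3.0.0', dependencies: { 'tiny-log': '^0.2.0' } },
  'node_modules/tiny-log': { version: '0.2.3' },
} };
const latest = { 'app-ui': '1.0.0', 'app-util': '2.1.0', 'dom-helper': '3.2.0', 'tiny-log': '0.2.3' };
// npm resolution rule: the nearest node_modules/<name> walking up from the requiring package.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(0, base.lastIndexOf('node_modules/') - 1))) {
    const candidate = `${base}${base && '/'}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null; // reached the project root without finding it
  }
}
// Breadth-first walk of the resolved graph below rootPath; returns Map(path -> depth).
function transitiveClosure(packages, rootPath) {
  const seen = new Map(), queue = [[rootPath, 0]];
  while (queue.length) {
    const [p, depth] = queue.shift();
    for (const dep of Object.keys(packages[p].dependencies || {})) {
      const r = resolve(packages, p, dep);
      if (r === null) throw new Error(`inconsistent lockfile: ${dep} unresolved from ${p}`);
      if (!seen.has(r)) { seen.set(r, depth + 1); queue.push([r, depth + 1]); }
    }
  }
  return seen;
}
const pkgName = (p) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
// Plain major.minor.patch ordering; prerelease tags are not handled here.
const cmpVersion = (a, b) => {
  const [x, y] = [a, b].map((v) => v.split('.').map(Number));
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
};
// Per direct dependency: transitive package count, chain depth, and which installed
// packages in that closure lag behind the newest release (duplicated copies included).
function report(lockfile, newest) {
  const out = {};
  for (const dep of Object.keys(lockfile.packages[''].dependencies)) {
    const closure = transitiveClosure(lockfile.packages, resolve(lockfile.packages, '', dep));
    const outdated = [...closure.keys()].filter((p) => cmpVersion(lockfile.packages[p].version, newest[pkgName(p)]) < 0);
    out[dep] = { transitive: closure.size, maxDepth: Math.max(0, ...closure.values()), outdated };
  }
  return out;
}
console.log(JSON.stringify(report(lock, latest), null, 2));
```

In the sample data, `app-ui` pulls in four packages, three of which are behind their newest release, and two of those are nested duplicate copies that a top-level `npm outdated` view would not show.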

All presented research was conducted by researchers of the Software Engineering Lab at the University of Mons in the context of two ongoing projects, SECOHealth and SECO-ASSIST, which aim to analyse and improve the health of software ecosystems.

The presentation was given by Tom Mens, Full Professor and Director of the Software Engineering Lab of the University of Mons, Belgium.