Bibliographic Details
Main Authors: Tevarut, Napasorn, Reid, Brittany, Kashiwa, Yutaro, Leelaprute, Pattara, Rungsawang, Arnon, Manaskasemsak, Bundit, Iida, Hajimu
Format: Preprint
Published: 2025
Online Access:https://arxiv.org/abs/2510.04495
Table of Contents:
  • Trivial packages, small modules with low functionality, are common in the npm ecosystem and can pose security risks despite their simplicity. This paper refines existing definitions and introduces data-only packages, which contain no executable logic. A rule-based static analysis method is developed to detect trivial and data-only packages and to evaluate their prevalence and associated risks in the 2025 npm ecosystem. The analysis shows that 17.92% of packages are trivial, with vulnerability levels comparable to non-trivial ones, and that data-only packages, though rare, also carry risks. The proposed detection tool achieves 94% accuracy (macro-F1 0.87), enabling effective large-scale analysis to reduce security exposure. These findings suggest that trivial and data-only packages warrant greater attention in dependency management to reduce potential technical debt and security exposure.