Introduction
Some widely depended-upon packages have recently caused issues, either because of takedowns or because of security vulnerabilities. Starting from Hacker News, I wanted to see which packages were important and what the impact was when changes were made to them. It took a while and the implementation is not the best, but I feel like the results are interesting.
Approach
The approach is brute-force recursion of the dependency tree (runtime dependencies only, not development dependencies). The score is a simple exponential decay: a direct dependency contributes 1, a sub-dependency 0.5, and so on, halving at each additional level of depth. A simple circular dependency check was added so that cycles are skipped instead of recursed into. Additionally, a count of how many packages were impacted was tracked; this is simply a count of how many times a package appeared within some other package's dependency tree. The run took around 3-4 days.
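The walk described above, written out as an added example (this is not the author's script): a recursive pass over a constructed package.json-style registry that only follows `dependencies`, skips a package already on the current recursion path (the circular dependency check), adds 0.5^(depth-1) to a package's score for every occurrence, and records which roots it appears under. The registry, its package names, and the `impact` interpretation (number of distinct root packages whose tree contains the package) are assumptions made for illustration.

```python
"""Brute-force dependency-tree scoring with exponential decay.

Added example, not code from the original post. The registry below is
constructed for illustration and mimics the shape of package.json records:
only `dependencies` is walked; `devDependencies` is ignored.
"""
from collections import defaultdict

# Constructed sample registry: package name -> package.json-like record.
REGISTRY = {
    "app":     {"dependencies": ["web", "util"], "devDependencies": ["testlib"]},
    "cli":     {"dependencies": ["util"],        "devDependencies": []},
    "web":     {"dependencies": ["http", "util"], "devDependencies": ["testlib"]},
    "http":    {"dependencies": ["util"],        "devDependencies": []},
    "util":    {"dependencies": [],              "devDependencies": []},
    "testlib": {"dependencies": ["util"],        "devDependencies": []},
    # Deliberate cycle to exercise the circular dependency check: a -> b -> a
    "a":       {"dependencies": ["b"],           "devDependencies": []},
    "b":       {"dependencies": ["a"],           "devDependencies": []},
}


def walk(registry, name, depth, path, visit):
    """Recurse over the runtime dependencies of `name`.

    `depth` is 1 for a direct dependency, 2 for a sub-dependency, and so on.
    `path` holds the packages on the current recursion path; a dependency that
    is already on the path is a cycle and is skipped rather than recursed into.
    `visit(dep, depth)` is called once per occurrence, so a package reached by
    two different paths in one tree is counted twice (brute force, no memo).
    """
    for dep in registry.get(name, {}).get("dependencies", []):
        if dep in path:
            continue  # circular dependency: do not follow
        visit(dep, depth)
        walk(registry, dep, depth + 1, path | {dep}, visit)


def analyze(registry):
    """Return (score, impact) dicts keyed by package name.

    score[p]  = sum over every occurrence of p of 0.5 ** (depth - 1)
    impact[p] = number of distinct root packages whose tree contains p
                (assumed interpretation of "packages impacted by this package")
    """
    score = defaultdict(float)
    impacted_by = defaultdict(set)
    for root in registry:
        def visit(dep, depth, root=root):
            score[dep] += 0.5 ** (depth - 1)
            impacted_by[dep].add(root)
        walk(registry, root, 1, {root}, visit)
    impact = {pkg: len(roots) for pkg, roots in impacted_by.items()}
    return dict(score), impact


def rank(table, n=5):
    """Top-n (package, value) pairs from a score or impact table."""
    return sorted(table.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    score, impact = analyze(REGISTRY)
    print("score :", rank(score))
    print("impact:", rank(impact))
```

Two design points worth noting. The cycle check is path-based rather than a global visited set, so the walk still counts a package once per occurrence across diamond-shaped trees, which is what makes the counts in the post grow with how deeply embedded a package is; switching to a memoized walk would change the numbers, not just the runtime. And because only `dependencies` is followed, a package that is pulled in exclusively as a devDependency (here `testlib`) never receives a score at all.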
Data (August 2019)
- Score
  - Total number based on depth within a dependency tree.
- Impact
  - Count of packages that are impacted by this package.
Full data set is available here.
Chart (August 2019)
- Score
  - Total number based on depth within a dependency tree.
- Impact
  - Count of packages that are impacted by this package.
Notes
I discovered a few oddities in the 1+ million packages. Like this hilarious package ifyouwanttogetthesumoftwonumberswherethosetwonumbers.... Or there are a number of circular-dependency testing packages which I simply ignored because they just took forever. And then there was a very strange set of packages from "lecomtegs"; they all sound very cryptic and are probably meant to be abusive, so I simply ignored them.