On March 23rd, 2016, the Internet witnessed a heated debate when software developer Azer Koçulu removed more than 250 of his JavaScript packages from the NPM registry, the package manager most JavaScript projects use to install their dependencies. An instant-messaging startup called Kik wanted the name of the npm package kik, which belonged to Azer. Kik's lawyers contacted NPM Inc. to resolve the disagreement, and NPM Inc. transferred ownership of Azer's module to Kik without his permission. In response, Azer announced that he had unpublished his modules from the NPM registry:

This is not a knee-jerk action. I love open source and believe that open source community will eventually create a truly free alternative for NPM.

Removal of these modules immediately broke many thousands of dependent projects. NPM reports:

Shortly after 2:30 PM on Tuesday, March 22, we began observing hundreds of failures per minute, as dependent projects — and their dependents, and their dependents… — all failed when requesting the now-unpublished package.

You can read more accounts of the case: How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript, Reflections on NPM-gate, npm's single point of failure.

Further questions can be raised regarding the dependencies:

What did the affected projects' dependency network look like?

Aside from popular modules like Babel and Node, which other central modules were affected because they, too, depended on the removed modules?

Which of the removed modules had the highest impact on the npm network? Were there other single points of failure aside from the now famous left-pad module?

We may not be able to answer these questions after the fact, but we can map the current package dependencies, which lets us measure network metrics, recognize structural patterns, and evaluate possible future risks.

Mapping the NPM dependency network

The JavaScript world has a sprawling library of modules and packages, more than a quarter million in the NPM registry. Capturing or comprehending it in its entirety is a tough task.

npm-dependency-network is a Python script that starts from a package, crawls links from the npm registry, and generates an interactive NPM dependency graph. The graph below shows the 100 most depended-upon npm packages and their dependencies to a depth of 4 levels.
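To make the crawl and the "single point of failure" metric concrete, here is an added example of my own; it is not the npm-dependency-network script and not code from the original post. The registry data in SAMPLE_REGISTRY is constructed (the edges are hypothetical, loosely shaped after the left-pad incident) so the example runs offline; only registry_fetch talks to the real registry, and it assumes the standard registry document layout (dist-tags.latest and a per-version dependencies map). The depth-limited BFS mirrors what a registry crawler does, and the reversed graph answers the questions above: how many packages transitively depend on each module, and what breaks when a given set of modules is unpublished.

```python
"""Map a package dependency graph and find its single points of failure.

Added example, not the npm-dependency-network script. SAMPLE_REGISTRY is
constructed data; registry_fetch is the only function that reaches the network.
"""
import json
import urllib.request
from collections import deque

# Constructed sample registry (hypothetical edges): package -> direct dependencies.
# Two unrelated paths (babel-code-frame -> line-numbers, loader-utils) funnel into
# the tiny left-pad package, as happened in the real incident.
SAMPLE_REGISTRY = {
    "app": ["babel-core", "webpack"],
    "babel-core": ["babel-code-frame", "lodash"],
    "babel-code-frame": ["line-numbers", "chalk"],
    "line-numbers": ["left-pad"],
    "webpack": ["enhanced-resolve", "loader-utils"],
    "loader-utils": ["left-pad"],
    "enhanced-resolve": ["memory-fs"],
    "chalk": ["ansi-styles"],
    "lodash": [],
    "left-pad": [],
    "memory-fs": [],
    "ansi-styles": [],
}


def registry_fetch(name):
    """Direct dependencies of the latest version, read from the real npm registry.
    Assumes the registry document shape: dist-tags.latest and versions[v].dependencies."""
    with urllib.request.urlopen(f"https://registry.npmjs.org/{name}") as resp:
        doc = json.load(resp)
    latest = doc["dist-tags"]["latest"]
    return sorted(doc["versions"][latest].get("dependencies", {}))


def crawl(start, depth, fetch=None):
    """Breadth-first crawl from `start`. A package is expanded only if it is fewer than
    `depth` edges away; packages exactly `depth` away appear as leaves (values only).
    Returns {package: [direct deps]} for every expanded package."""
    if fetch is None:
        fetch = lambda name: SAMPLE_REGISTRY.get(name, [])
    graph, seen, queue = {}, {start}, deque([(start, 0)])
    while queue:
        pkg, dist = queue.popleft()
        if dist >= depth:
            continue  # reached, but not expanded at this depth
        deps = fetch(pkg)
        graph[pkg] = deps
        for dep in deps:
            if dep not in seen:  # BFS reaches each package at its shortest distance first
                seen.add(dep)
                queue.append((dep, dist + 1))
    return graph


def dependents(graph):
    """Reverse the edges: package -> set of packages listing it as a direct dependency."""
    rev = {}
    for pkg, deps in graph.items():
        rev.setdefault(pkg, set())
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def transitive_dependents(rev, pkg):
    """Every package that depends on `pkg` directly or through others: exactly the set
    whose installs fail the moment `pkg` is unpublished."""
    out, stack = set(), [pkg]
    while stack:
        for parent in rev.get(stack.pop(), ()):
            if parent not in out:
                out.add(parent)
                stack.append(parent)
    return out


def rank_impact(graph):
    """[(package, direct dependents, transitive dependents)], most impactful first.
    A package with few direct but many transitive dependents is a hidden single
    point of failure."""
    rev = dependents(graph)
    rows = [(p, len(rev[p]), len(transitive_dependents(rev, p))) for p in rev]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


def blast_radius(graph, removed):
    """Packages whose install breaks when every package in `removed` is unpublished."""
    rev = dependents(graph)
    broken = set()
    for pkg in removed:
        broken |= transitive_dependents(rev, pkg)
    return broken - set(removed)


if __name__ == "__main__":
    g = crawl("app", 4)
    for pkg, direct, total in rank_impact(g)[:5]:
        print(f"{pkg:18s} direct={direct} transitive={total}")
    print("unpublishing left-pad breaks:", sorted(blast_radius(g, {"left-pad"})))
```

Against the constructed data, left-pad has only two direct dependents but the largest transitive footprint, which is the pattern that made it a single point of failure. To run the same analysis on live data, pass `fetch=registry_fetch` to `crawl`; a real crawl of 4 levels from a popular package fans out to thousands of registry requests, so cache the fetched documents and rate-limit.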