Rethinking Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain

The success of modern software development can be largely attributed to the concept of code reuse, such as the ability to reuse existing functionality via third-party package dependencies, evident within massive package networks like NPM, PyPI and Maven. For a long time, the dominant philosophy has been to `reuse as much as possible, without thought for what is being depended upon', resulting in the formation of large dependency supply chains that spread throughout entire software ecosystems. Such heavy reliance on third-party packages has eventually brought forward resilience and maintenance concerns, such as security attacks and outdated dependencies. In this vision paper, we investigate packages that challenge the typical concepts of reuse--that is, packages with no dependencies themselves that bear the responsibility of being at the end of the dependency supply chain. We find that these end-of-chain packages vary in characteristics and not just packages that can be easily replaced: an active, well-maintained package at the end of the chain; a "classical" package that has remained unchanged for 11 years; a trivial package nested deep in the dependency chain; a package that may appear trivial; and a package that bundled up and absorbed its dependencies. The vision of this paper is to advocate for a shift in software development practices toward minimizing reliance on third-party packages, particularly those at the end of dependency supply chains. We argue that these end-of-chain packages offer unique insights, as they play a key role in the ecosystem.