
Thesis Defence: What About Our Bug? A Study on the Responsiveness of Package Maintainers in the Node Package Manager (npm) Ecosystem
June 27 at 9:00 am - 1:00 pm

Mohammadreza Saeidi, supervised by Dr. Gema Rodriguez-Perez, will defend their thesis titled “What About Our Bug? A Study on the Responsiveness of Package Maintainers in the Node Package Manager (npm) Ecosystem” in partial fulfillment of the requirements for the degree of Master of Science in Computer Science.
An abstract for Mohammadreza Saeidi’s thesis is included below.
Defences are open to all members of the campus community as well as the general public. Registration is not required for in-person defences.
Abstract
The Node Package Manager (npm) ecosystem is foundational to modern JavaScript development, enabling developers to rapidly build software by leveraging a vast array of third-party packages. However, this heavy reliance also introduces critical risks, particularly when bugs in upstream packages cascade down the dependency chain, affecting numerous downstream projects. This thesis investigates how maintainers of the 500 most depended-upon npm packages handle bug reports submitted by downstream developers. We adopt a mixed-methods approach to answer three research questions. First, we manually analyze 1,729 bug report issues to assess maintainer responsiveness and develop a taxonomy of reasons why certain bugs remain unresolved. Our manual classification reveals that while most upstream developers are responsive, some bugs remain unaddressed due to contributor practices, dependency boundaries, library-specific standards, and lack of engagement from upstream developers.
To scale the analysis, we evaluate the use of instruction-tuned Large Language Models (LLMs) in a zero-shot setting. Using a manually labelled ground truth dataset, we assess the effectiveness of LLMs in classifying issues as bug reports, determining maintainer responsiveness, and classifying unresolved bug reports. Our results show that LLMs can accurately replicate human classification, enabling large-scale analysis across 47,883 GitHub issues. The automated approach calculated a median per-package responsiveness ratio of 72%, further confirming that the majority of maintainers are actively addressing reported bugs.
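As an added illustration (not code or data from the thesis) of how a per-package responsiveness ratio and its median can be computed once issues have been classified, the script below walks constructed GitHub-style issue records. It assumes two simplifications the thesis does not necessarily make: an issue counts as a bug report if it carries a `bug` label (the thesis classified issues manually and with LLMs), and a maintainer is "responsive" to an issue if a known maintainer commented on it or closed it. The package names, user names and the `MAINTAINERS` map are all constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: maintainer handles per package (assumption, not from the thesis).
MAINTAINERS = {
    "pkg-a": {"alice"},
    "pkg-b": {"bob"},
    "pkg-c": {"carol"},
}

# Constructed sample issues in a simplified GitHub shape. "closed_by" is None while open.
SAMPLE_ISSUES = [
    {"package": "pkg-a", "number": 1, "labels": ["bug"], "comments": [{"author": "alice"}], "closed_by": None},
    {"package": "pkg-a", "number": 2, "labels": ["bug"], "comments": [{"author": "dave"}], "closed_by": None},  # only a downstream user replied
    {"package": "pkg-a", "number": 3, "labels": ["bug"], "comments": [], "closed_by": "alice"},               # closed by maintainer, no comment
    {"package": "pkg-a", "number": 4, "labels": ["bug"], "comments": [{"author": "dave"}, {"author": "alice"}], "closed_by": None},
    {"package": "pkg-a", "number": 5, "labels": ["question"], "comments": [], "closed_by": None},            # not a bug report, excluded
    {"package": "pkg-b", "number": 1, "labels": ["bug"], "comments": [], "closed_by": None},                  # no reply at all
    {"package": "pkg-b", "number": 2, "labels": ["bug"], "comments": [{"author": "bob"}], "closed_by": None},
    {"package": "pkg-c", "number": 1, "labels": ["bug"], "comments": [{"author": "carol"}], "closed_by": "carol"},
    {"package": "pkg-c", "number": 2, "labels": ["bug"], "comments": [{"author": "erin"}, {"author": "carol"}], "closed_by": None},
    {"package": "pkg-c", "number": 3, "labels": ["bug"], "comments": [], "closed_by": "carol"},
]


def is_bug_report(issue):
    """Assumed classifier: a 'bug' label marks an issue as a bug report."""
    return "bug" in issue.get("labels", [])


def maintainer_responded(issue, maintainers):
    """Assumed responsiveness proxy: a maintainer commented on or closed the issue."""
    handles = maintainers.get(issue["package"], set())
    if issue.get("closed_by") in handles:
        return True
    return any(c["author"] in handles for c in issue.get("comments", []))


def responsiveness_ratios(issues, maintainers):
    """Return {package: responded_bug_reports / total_bug_reports}.

    Packages with no bug reports get no entry, so they cannot drag the median
    toward 0 or 1 on the strength of an empty sample.
    """
    totals = defaultdict(int)
    responded = defaultdict(int)
    for issue in issues:
        if not is_bug_report(issue):
            continue
        pkg = issue["package"]
        totals[pkg] += 1
        if maintainer_responded(issue, maintainers):
            responded[pkg] += 1
    return {pkg: responded[pkg] / totals[pkg] for pkg in totals}


def median_responsiveness(issues, maintainers):
    """Median of the per-package ratios, or None when there is nothing to summarise."""
    ratios = responsiveness_ratios(issues, maintainers)
    if not ratios:
        return None
    return median(ratios.values())


if __name__ == "__main__":
    for pkg, ratio in sorted(responsiveness_ratios(SAMPLE_ISSUES, MAINTAINERS).items()):
        print(f"{pkg}: {ratio:.0%}")
    print(f"median: {median_responsiveness(SAMPLE_ISSUES, MAINTAINERS):.0%}")
```

Note that the median is taken over packages, not over issues, so a single very large package cannot dominate the summary figure; that is the same reason a per-package ratio is the natural unit when relating responsiveness to per-package popularity signals such as downloads or stars.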
Finally, we conduct a regression analysis to explore the relationship between maintainer responsiveness and package popularity, as measured by monthly downloads and GitHub stars. We find a positive correlation between responsiveness and downloads, suggesting that active maintenance supports widespread adoption. However, we observe a negative correlation with GitHub stars, indicating that visibility does not necessarily imply active bug handling.