A Strategic Model of Software Dependency Networks

Modern software development involves collaborative efforts and reuse of existing code, which reduces the cost of developing new software. However, reusing code from existing packages exposes coders to vulnerabilities in these dependencies. We study the formation of dependency networks among software packages and libraries, guided by a structural model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of the network of 696,790 directed dependencies between 35,473 repositories of the Rust programming language using a novel scalable algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. Furthermore, we show that coders are likely to link to more popular packages of the same software type but less popular packages of other types. We adopt models for the spread of infectious diseases to measure a package's systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed with the most systemic repository affecting almost 90% of all repositories only two steps away. Lastly, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.