Trivial packages, small modules with little functionality, are common in the npm ecosystem and can pose security risks despite their simplicity. This paper refines existing definitions and introduces data-only packages, which contain no executable logic. A rule-based static analysis method is developed to detect trivial and data-only packages and to evaluate their prevalence and associated risks in the 2025 npm ecosystem. The analysis shows that 17.92% of packages are trivial, with vulnerability levels comparable to those of non-trivial packages, and that data-only packages, though rare, also carry risk. The proposed detection tool achieves 94% accuracy (macro-F1 0.87), enabling effective large-scale analysis. These findings suggest that trivial and data-only packages warrant greater attention in dependency management to reduce potential technical debt and security exposure.