As the default package manager for Node.js, npm has become one of the largest package management systems in the world. To facilitate dependency management for developers, npm supports a special type of dependency, Peer Dependency, whose installation and usage differ from regular dependencies. However, conflicts between peer dependencies can trap the npm client into infinite loops, leading to resource exhaustion and system crashes. We name this problem PeerSpin. Although PeerSpin poses a severe risk to ecosystems, it was overlooked by previous studies, and its impacts have not been explored. To bridge this gap, this paper conducts the first in-depth study to understand and detect PeerSpin in the npm ecosystem. First, by systematically analyzing the npm dependency resolution, we identify the root cause of PeerSpin and characterize two peer dependency patterns to guide detection. Second, we propose a novel technique called Node-Replacement-Conflict based PeerSpin Detection, which leverages the state of the directory tree during dependency resolution to achieve accurate and efficient PeerSpin detection. Based on this technique, we developed a tool called PeerChecker to detect PeerSpin. Finally, we apply PeerChecker to the entire NPM ecosystem and find that 5,662 packages, totaling 72,968 versions, suffer from PeerSpin. Up until now, we confirmed 28 real PeerSpin problems by reporting them to the package maintainer. We also open source all PeerSpin analysis implementations, tools, and data sets to the public to help the community detect PeerSpin issues and enhance the reliability of the npm ecosystem.

翻译：作为Node.js的默认包管理器，npm已成为全球最大的包管理系统之一。为方便开发者进行依赖管理，npm支持一种特殊类型的依赖——Peer依赖，其安装与使用方式均不同于常规依赖。然而，Peer依赖间的冲突可能导致npm客户端陷入无限循环，进而引发资源耗尽与系统崩溃。我们将此问题命名为PeerSpin。尽管PeerSpin对生态系统构成严重威胁，但先前研究尚未关注此问题，其影响亦未被深入探讨。为填补这一空白，本文首次对npm生态系统中的PeerSpin问题展开深入理解与检测研究。首先，通过系统分析npm依赖解析机制，我们揭示了PeerSpin的根本成因，并归纳出两种指导检测的Peer依赖模式。其次，我们提出一种基于节点替换冲突的新型PeerSpin检测技术，该技术利用依赖解析过程中目录树的状态实现精准高效的PeerSpin检测。基于此技术，我们开发了名为PeerChecker的检测工具。最后，我们将PeerChecker应用于整个NPM生态系统，发现共有5,662个软件包的72,968个版本存在PeerSpin问题。截至目前，我们已通过向软件包维护者报告的方式确认了28个真实存在的PeerSpin问题。同时，我们将所有PeerSpin分析实现、工具及数据集向公众开源，以帮助社区检测PeerSpin问题并提升npm生态系统的可靠性。