As the default package manager for Node.js, npm has become one of the largest package management systems in the world. To facilitate dependency management for developers, npm supports a special type of dependency, the peer dependency, whose installation and usage differ from those of regular dependencies. However, conflicts between peer dependencies can trap the npm client in an infinite loop, leading to resource exhaustion and system crashes. We name this problem PeerSpin. Although PeerSpin poses a severe risk to the ecosystem, it was overlooked by previous studies, and its impact has not been explored. To bridge this gap, this paper conducts the first in-depth study to understand and detect PeerSpin in the npm ecosystem. First, by systematically analyzing npm dependency resolution, we identify the root cause of PeerSpin and characterize two peer dependency patterns to guide detection. Second, we propose a novel technique called Node-Replacement-Conflict based PeerSpin Detection, which leverages the state of the directory tree during dependency resolution to achieve accurate and efficient PeerSpin detection. Based on this technique, we developed a tool called PeerChecker to detect PeerSpin. Finally, we apply PeerChecker to the entire npm ecosystem and find that 5,662 packages, totaling 72,968 versions, suffer from PeerSpin. To date, we have confirmed 28 real PeerSpin problems by reporting them to the package maintainers. We also open-source all PeerSpin analysis implementations, tools, and data sets to help the community detect PeerSpin issues and enhance the reliability of the npm ecosystem.
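The following is an added toy model, not PeerChecker's code or npm's real resolver: a flat `node_modules` resolver over a constructed registry in which two plugins declare incompatible peer ranges on the same package, so each peer fix replaces the node the other plugin needs. Peer ranges are simplified to a required major version, and the detector fingerprints the tree after every replacement, reporting a PeerSpin-style non-converging resolution when a state repeats.

```python
from copy import deepcopy

# Constructed toy registry (not real npm data): name -> version -> metadata.
# Peer ranges are simplified to a required major version ("^2" -> 2).
CONFLICTING = {
    "app":    {"1.0.0": {"deps": {"plug-a": 1, "plug-b": 1}, "peer": {}}},
    "plug-a": {"1.0.0": {"deps": {}, "peer": {"core": 1}}},
    "plug-b": {"1.0.0": {"deps": {}, "peer": {"core": 2}}},
    "core":   {"1.0.0": {"deps": {}, "peer": {}}, "2.0.0": {"deps": {}, "peer": {}}},
}
# Same shape, but plug-b's peer range agrees with plug-a's, so resolution converges.
COMPATIBLE = deepcopy(CONFLICTING)
COMPATIBLE["plug-b"]["1.0.0"]["peer"] = {"core": 1}

def major(version):
    return int(version.split(".")[0])

def pick(registry, name, want_major):
    """Choose the registry version satisfying the (simplified) peer range."""
    for v in registry[name]:
        if major(v) == want_major:
            return v
    raise KeyError(f"no version of {name} satisfies major {want_major}")

def resolve(registry, root, max_steps=100):
    """Toy flat resolver: install regular deps, then satisfy peers by replacing nodes.
    A repeated tree fingerprint means replacements are cycling (PeerSpin)."""
    tree = {}  # flat node_modules: name -> installed version
    for name, want in registry[root][next(iter(registry[root]))]["deps"].items():
        tree[name] = pick(registry, name, want)
    seen, steps = set(), 0
    while steps <= max_steps:
        fingerprint = frozenset(tree.items())
        if fingerprint in seen:
            return {"status": "peerspin", "steps": steps, "tree": dict(tree)}
        seen.add(fingerprint)
        # First unsatisfied peer requirement anywhere in the tree, if any.
        unsatisfied = next(
            ((peer, want) for name, ver in tree.items()
             for peer, want in registry[name][ver]["peer"].items()
             if peer not in tree or major(tree[peer]) != want), None)
        if unsatisfied is None:
            return {"status": "ok", "steps": steps, "tree": dict(tree)}
        peer, want = unsatisfied
        tree[peer] = pick(registry, peer, want)  # node replacement
        steps += 1
    return {"status": "gave-up", "steps": steps, "tree": dict(tree)}

if __name__ == "__main__":
    print(resolve(CONFLICTING, "app"))  # status: peerspin
    print(resolve(COMPATIBLE, "app"))   # status: ok
```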