Understanding and Detecting Peer Dependency Resolving Loop in npm Ecosystem

📅 2025-05-19
📈 Citations: 1
Influential: 0
🤖 AI Summary
This paper presents the first systematic characterization of PeerSpin, a previously undocumented infinite dependency resolution loop in the npm ecosystem that is triggered by peer dependency conflicts and leads to client resource exhaustion and crashes. By analyzing how the npm client resolves dependencies, the authors identify the root cause of PeerSpin and characterize two peer dependency patterns that guide detection. They then propose Node-Replacement-Conflict based PeerSpin Detection, a dynamic technique that tracks the state of the directory tree as resolution proceeds, and implement it in a tool called PeerChecker. Evaluated on the complete npm registry (729,680 package versions), PeerChecker identifies 5,662 affected packages spanning 72,968 versions, and 28 real-world PeerSpin cases have been confirmed with package maintainers. All artifacts, including PeerChecker, the curated dataset, and the full implementation, are publicly released under an open-source license.

📝 Abstract
As the default package manager for Node.js, npm has become one of the largest package management systems in the world. To facilitate dependency management for developers, npm supports a special type of dependency, the peer dependency, whose installation and usage differ from those of regular dependencies. However, conflicts between peer dependencies can trap the npm client in infinite loops, leading to resource exhaustion and system crashes. We name this problem PeerSpin. Although PeerSpin poses a severe risk to the ecosystem, it was overlooked by previous studies, and its impact has not been explored. To bridge this gap, this paper conducts the first in-depth study to understand and detect PeerSpin in the npm ecosystem. First, by systematically analyzing npm dependency resolution, we identify the root cause of PeerSpin and characterize two peer dependency patterns to guide detection. Second, we propose a novel technique called Node-Replacement-Conflict based PeerSpin Detection, which leverages the state of the directory tree during dependency resolution to achieve accurate and efficient PeerSpin detection. Based on this technique, we developed a tool called PeerChecker to detect PeerSpin. Finally, we apply PeerChecker to the entire npm ecosystem and find that 5,662 packages, totaling 72,968 versions, suffer from PeerSpin. So far, we have confirmed 28 real PeerSpin problems by reporting them to the package maintainers. We also open-source all PeerSpin analysis implementations, tools, and datasets to the public to help the community detect PeerSpin issues and enhance the reliability of the npm ecosystem.
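To make the mechanism in the abstract concrete, here is an added example that is not code from the paper or from PeerChecker. It is a deliberately small model of npm-style peer dependency placement: each placed package forces its peers to the version it requires, replacing a mismatched node at the same level (the node-replacement step). When two packages require incompatible versions of the same peer, that replacement step never settles, which is the PeerSpin symptom; the detector below catches it by recording the serialized directory-tree state after every pass and stopping when a state recurs, then reporting the replacements that form the cycle. A real npm client works with semver ranges and nested node_modules directories; the model uses one flat level and exact versions. The packages a, b, c, d, the registry, and all function names are constructed for illustration.

```javascript
// Added illustration, not code from the paper or from PeerChecker: a simplified
// model of npm-style peer dependency placement that reproduces a PeerSpin-like
// resolution loop and detects it by watching the directory-tree state.
// The package names, versions, and function names are all constructed.

// Constructed registry (hypothetical packages). Each entry lists the peer
// dependencies of one package version as exact versions; real npm uses semver
// ranges, which the model omits to stay small.
const REGISTRY = {
  "a@1.0.0": { peers: { c: "1.0.0" } },
  "b@1.0.0": { peers: { c: "2.0.0" } }, // conflicts with a's peer on c
  "d@1.0.0": { peers: { c: "1.0.0" } }, // compatible with a's peer on c
  "c@1.0.0": { peers: {} },
  "c@2.0.0": { peers: {} },
};

// The model keeps a single flat node_modules level: package name -> version.
// Serializing it in sorted order lets the resolver compare tree states exactly.
function snapshot(tree) {
  return Object.keys(tree)
    .sort()
    .map((name) => `${name}@${tree[name]}`)
    .join(",");
}

// One placement pass: for every placed node, make sure each peer is present
// with the required version, replacing a mismatched node (the node-replacement
// step). Every replacement is appended to `log`. Returns true if the tree changed.
function placePeers(registry, tree, log) {
  let changed = false;
  for (const name of Object.keys(tree)) {
    const entry = registry[`${name}@${tree[name]}`];
    if (!entry) throw new Error(`unknown package ${name}@${tree[name]}`);
    for (const [peer, version] of Object.entries(entry.peers)) {
      if (tree[peer] !== version) {
        const from = tree[peer] === undefined ? null : tree[peer];
        log.push({ by: name, peer, from, to: version });
        tree[peer] = version;
        changed = true;
      }
    }
  }
  return changed;
}

// Resolve a root's direct dependencies. The tree state after each pass is
// recorded; if a state recurs, the replacements made since its first occurrence
// will repeat forever, which is the PeerSpin symptom. `maxPasses` is only a
// safety bound so that a bug in the model cannot itself hang.
function resolve(registry, directDeps, maxPasses = 100) {
  const tree = { ...directDeps };
  const log = [];
  const passStarts = [0]; // index into `log` where each pass began
  const firstSeenAt = new Map([[snapshot(tree), 0]]);
  for (let pass = 1; pass <= maxPasses; pass++) {
    passStarts[pass] = log.length;
    if (!placePeers(registry, tree, log)) {
      return { status: "converged", passes: pass - 1, tree, conflict: null };
    }
    const state = snapshot(tree);
    if (firstSeenAt.has(state)) {
      // Everything logged after this state was first reached is the loop body.
      const cycle = log.slice(passStarts[firstSeenAt.get(state) + 1]);
      return {
        status: "peerspin",
        passes: pass,
        tree,
        conflict: cycle.map(
          (r) => `${r.by} replaced ${r.peer}@${r.from} with ${r.peer}@${r.to}`
        ),
      };
    }
    firstSeenAt.set(state, pass);
  }
  return { status: "unbounded", passes: maxPasses, tree, conflict: null };
}

// Demo: a and b fight over c and never settle; a and d agree on c and converge.
console.log(resolve(REGISTRY, { a: "1.0.0", b: "1.0.0" }));
console.log(resolve(REGISTRY, { a: "1.0.0", d: "1.0.0" }));
```

The detector deliberately stops on the first repeated state rather than on a pass budget: a budget only tells you the resolver was slow, whereas a recurring directory-tree state proves the replacement sequence is periodic and will never converge, and the logged replacements between the two occurrences name the packages whose peer requirements are in conflict.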
Problem

Research questions and friction points this paper is trying to address.

Detecting infinite dependency resolution loops (PeerSpin) caused by npm peer dependency conflicts
Understanding the root cause of PeerSpin in the npm client's dependency resolution
Building a tool that can find PeerSpin-affected packages across the whole npm registry
Innovation

Methods, ideas, or system contributions that make the work stand out.

Identifies the root cause of PeerSpin and two peer dependency patterns that guide detection
Proposes Node-Replacement-Conflict based detection, which tracks directory-tree state during resolution
Develops the PeerChecker tool and applies it to the entire npm ecosystem
Authors
Xingyu Wang (Nanjing University of Posts and Telecommunications; research area: NLP)
Mingsen Wang (Zhejiang University, Hangzhou, China)
Wenbo Shen (Zhejiang University; research areas: Kernel Security, Container Security, System Security)
Rui Chang (Zhejiang University, Hangzhou, China)