This work addresses software supply chain security risks posed by the prevalence of low-functionality packages—particularly trivial packages lacking substantive logic and data-only packages—in the NPM ecosystem. We propose a rule-based static analysis method that precisely defines data-only package characteristics and jointly leverages macro-structural and content-pattern analysis to achieve high-accuracy detection (94% precision, macro-F1 score of 0.87). To our knowledge, this is the first systematic, large-scale quantification of both the scale and security implications of such packages: we find that 17.92% of NPM packages exhibit low functionality, and a non-negligible proportion harbor under-recognized security vulnerabilities. Our contributions include an open-source detection tool, a reproducible analytical framework, and actionable risk-assessment guidelines for dependency management. Collectively, these advances provide critical empirical evidence and methodological innovation to strengthen software supply chain security governance.

Trivial packages, small modules with low functionality, are common in the npm ecosystem and can pose security risks despite their simplicity. This paper refines existing definitions and introduce data-only packages that contain no executable logic. A rule-based static analysis method is developed to detect trivial and data-only packages and evaluate their prevalence and associated risks in the 2025 npm ecosystem. The analysis shows that 17.92% of packages are trivial, with vulnerability levels comparable to non-trivial ones, and data-only packages, though rare, also contain risks. The proposed detection tool achieves 94% accuracy (macro-F1 0.87), enabling effective large-scale analysis to reduce security exposure. This findings suggest that trivial and data-only packages warrant greater attention in dependency management to reduce potential technical debt and security exposure.