Artifact for Flexible and Optimal Dependency Management via Max-SMT
Creators
- 1. Northeastern University
- 2. Northeastern University and Roblox Research
- 3. np-complete, S.r.l.
- 4. Lawrence Livermore National Laboratory
Description
We present PacSolve, a semantics of dependency solving that we use to highlight the essential features and differences between NPM, PIP, and Cargo. We use PacSolve to implement MaxNPM, a drop-in replacement for NPM that allows the user to customize dependency solving with a variety of global objectives and consistency criteria. Using MaxNPM, developers can optimize dependency resolution to achieve goals that NPM cannot, such as reducing the presence of vulnerabilities, resolving newer packages, and reducing bloat.
We evaluate MaxNPM on the top 1,000 packages in the NPM ecosystem, finding that our prototype introduces a median overhead of less than two seconds. We find that MaxNPM produces solutions with fewer dependencies and newer dependencies for many packages.
Files
(609.9 MB)
Name | Size |
---|---|
md5:6e3628bd8ffedc8de3b98639eb144869 | 609.9 MB |