🤖 AI Summary
This study investigates how maintainers of widely depended-upon packages in the npm ecosystem respond to bug reports, and in particular whether ambiguous responsibility attribution (e.g., judging a defect to belong to another library in the dependency chain) leads to reports going unaddressed.
Method: A mixed-methods approach: quantitative mining of 30,340 real-world bug reports across 500 of the most depended-upon npm packages, complemented by qualitative open coding to attribute causes to unaddressed reports.
Contribution/Results: The paper introduces a taxonomy of reasons bugs remain unresolved, grounded in contribution practices, dependency constraints, and library-specific standards. Maintainers are generally responsive, with a median project-level responsiveness of 70% (IQR: 55%–89%), indicating overall engagement but substantial heterogeneity across projects. Among the non-remediation causes, dependency constraints capture cases where a maintainer judges a bug to fall outside their responsibility within the chain of dependencies, pointing to unclear accountability across dependency chains as a barrier to collaborative remediation. The work provides empirical evidence and a framework to inform open-source governance and bug-response practices.
📝 Abstract
Background: Widespread use of third-party libraries makes ecosystems like Node Package Manager (npm) critical to modern software development. However, this interconnected chain of dependencies also creates challenges: bugs in one library can propagate downstream, potentially impacting many other libraries that rely on it. We hypothesize that maintainers may not always decide to fix a bug, especially if the maintainer judges that it falls outside their responsibility within the chain of dependencies. Aims: To test this hypothesis, we investigate the responsiveness to 30,340 bug reports across 500 of the most depended-upon npm packages. Method: We adopt a mixed-method approach, mining repository issue data and performing qualitative open coding to analyze the reasons behind unaddressed bug reports. Results: Our findings show that maintainers are generally responsive, with a median project-level responsiveness of 70% (IQR: 55%–89%), reflecting their commitment to supporting downstream developers. Conclusions: We present a taxonomy of the reasons some bugs remain unresolved. The taxonomy includes contribution practices, dependency constraints, and library-specific standards as reasons for non-responsiveness. Understanding maintainer behavior can inform practices that promote a more robust and responsive open-source ecosystem that benefits the entire community.