This study addresses the challenges of structural understanding and risk governance in large-scale software ecosystems. Focusing on Maven Central, it constructs a Java dependency network comprising 1.3 million nodes and 20.9 million edges. Methodologically, it introduces a novel BFS-based sampling strategy centered on highly connected nodes, leverages the Goblin framework for dependency extraction, and applies topological metrics—including degree centrality, betweenness centrality, PageRank, and connected components—for structural analysis. Results confirm the network exhibits scale-free and small-world properties. Crucially, testing frameworks and general-purpose utility libraries emerge as sparse but high-impact hubs: they enable efficient code reuse while simultaneously serving as primary conduits for systemic security risk propagation. The study thus provides empirical evidence and methodological support for enhancing software ecosystem resilience, optimizing dependency governance, and identifying critical infrastructure components.

Understanding the structural characteristics and connectivity patterns of large-scale software ecosystems is critical for enhancing software reuse, improving ecosystem resilience, and mitigating security risks. In this paper, we investigate the Maven Central ecosystem, one of the largest repositories of Java libraries, by applying network science techniques to its dependency graph. Leveraging the Goblin framework, we extracted a sample consisting of the top 5,000 highly connected artifacts based on their degree centrality and then performed breadth-first search (BFS) expansion from each selected artifact as a seed node, traversing the graph outward to capture all libraries and releases reachable those seed nodes. This sampling strategy captured the immediate structural context surrounding these libraries resulted in a curated graph comprising of 1.3 million nodes and 20.9 million edges. We conducted a comprehensive analysis of this graph, computing degree distributions, betweenness centrality, PageRank centrality, and connected components graph-theoretic metrics. Our results reveal that Maven Central exhibits a highly interconnected, scale-free, and small-world topology, characterized by a small number of infrastructural hubs that support the majority of projects. Further analysis using PageRank and betweenness centrality shows that these hubs predominantly consist of core ecosystem infrastructure, including testing frameworks and general-purpose utility libraries. While these hubs facilitate efficient software reuse and integration, they also pose systemic risks; failures or vulnerabilities affecting these critical nodes can have widespread and cascading impacts throughout the ecosystem.