Third-party library becomes the important part of software development within the open source community. These library packages provide software developers with useful features without the need to ``reinvent the wheel'', with each package often depending on several others. Since there are millions of packages available online, the understanding of the package goodness is needed for choosing the suitable good package in the software development project.
This thesis characterizes the package goodness through (1) the package selection and (2) the package security risk. The first part of this thesis finds how to choose the good package from user and contributor perspectives through the developer survey and the analysis of package runnability. The results show that both users and contributors share similar views on which how to assess the package quality. Runnability of the package could be used for choosing the good package. The second part of this thesis investigates the risk of vulnerability in the package through the code-centric vulnerability detection and the vulnerability fix adoption analysis. The results show that most of vulnerable code are not reachable in the application. Additionally, lags of fix adoption are affected by factors (i.e., severity and freshness).