Open-source software (OSS) ecosystems such as CRAN, PyPI, and npm are vital to modern software development, providing developers with vast collections of reusable software packages. However, the interconnectedness of these packages creates complex interdependencies that can expose these ecosystems to systemic risks. In this work, we model such ecosystems as directed package dependency networks and apply complex network analysis techniques to study their robustness and vulnerability to cascading failures. We begin by assessing how random failures and degree-based targeted attacks impact the connectivity of the networks, revealing a high susceptibility to deliberate in-degree-based attacks, with npm being particularly fragile. In contrast, the networks exhibit greater tolerance to random failures and out-degree-based attacks. Then, we implement a threshold-based failure propagation model to capture the cascading dynamics resulting from a single package's failure and assess how such failures can spread through the ecosystem. The results for CRAN show that while most cascades remain localized, a few critical packages can trigger widespread failures. These findings reinforce the need to address the risks that result from the structural properties of the studied repositories.
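The two analyses the abstract describes, degree-targeted node removal and threshold-based failure propagation, are shown below on a small constructed dependency graph. This is an added illustration, not the paper's code or data: the edge convention (u -> v means "u depends on v", so in-degree counts dependents), the use of the largest weakly connected component as the connectivity measure, the adaptive recomputation of degrees after each removal, and the cascade rule (a package fails once at least a fraction `theta` of its direct dependencies has failed) are all assumptions made here, and the paper's exact definitions may differ.

```python
import random
from collections import deque

# Constructed toy dependency network (illustrative, not CRAN/PyPI/npm data).
# Convention assumed here: edge u -> v means "u depends on v", so in-degree
# counts a package's dependents and out-degree counts its dependencies.
EDGES = [
    ("app1", "web"), ("app2", "web"), ("app3", "web"), ("app4", "cli"),
    ("web", "http"), ("web", "json"), ("cli", "json"), ("cli", "argparse"),
    ("http", "core"), ("json", "core"), ("argparse", "core"),
    ("plot", "core"), ("plot", "json"), ("app5", "plot"), ("app6", "plot"),
    ("stats", "core"), ("app7", "stats"),
]


def build(edges):
    """Return (nodes, deps, dependents) adjacency maps for a directed edge list."""
    deps, dependents = {}, {}
    for u, v in edges:
        deps.setdefault(u, set()).add(v)
        dependents.setdefault(v, set()).add(u)
        deps.setdefault(v, set())
        dependents.setdefault(u, set())
    return frozenset(deps), deps, dependents


def largest_wcc_fraction(nodes, deps, dependents, removed):
    """Size of the largest weakly connected component among surviving
    packages, as a fraction of the original package count."""
    alive = nodes - removed
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            x = queue.popleft()
            size += 1
            for y in deps[x] | dependents[x]:  # edge direction ignored
                if y in alive and y not in seen:
                    seen.add(y)
                    queue.append(y)
        best = max(best, size)
    return best / len(nodes)


def attack(nodes, deps, dependents, strategy, k, seed=0):
    """Remove k packages one at a time by strategy 'in' (highest in-degree),
    'out' (highest out-degree) or 'random'. Degrees are recomputed on the
    surviving graph after each removal (adaptive attack, an assumption here).
    Returns the largest-WCC fraction after each removal."""
    rng = random.Random(seed)
    removed, curve = set(), []
    for _ in range(k):
        alive = sorted(nodes - removed)  # sorted for deterministic tie-breaking
        if strategy == "random":
            target = rng.choice(alive)
        elif strategy == "in":
            target = max(alive, key=lambda n: len(dependents[n] - removed))
        elif strategy == "out":
            target = max(alive, key=lambda n: len(deps[n] - removed))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        removed.add(target)
        curve.append(largest_wcc_fraction(nodes, deps, dependents, removed))
    return curve


def cascade(nodes, deps, initial, theta):
    """Threshold propagation: a surviving package fails once at least a
    fraction `theta` of its direct dependencies has failed. Iterates to a
    fixpoint and returns the full set of failed packages. (This rule is an
    assumed instance of a threshold model, not the paper's exact definition.)"""
    failed = set(initial)
    changed = True
    while changed:
        changed = False
        for n in nodes - failed:
            if deps[n] and len(deps[n] & failed) / len(deps[n]) >= theta:
                failed.add(n)
                changed = True
    return failed


def summary(theta=0.5, k=3):
    """Attack curves for all three strategies plus cascade size per seed package."""
    nodes, deps, dependents = build(EDGES)
    curves = {s: attack(nodes, deps, dependents, s, k) for s in ("in", "out", "random")}
    cascades = {n: len(cascade(nodes, deps, {n}, theta)) for n in sorted(nodes)}
    return curves, cascades


if __name__ == "__main__":
    curves, cascades = summary()
    for s, c in curves.items():
        print(f"{s:>6}-attack largest WCC: {[round(x, 2) for x in c]}")
    print("cascade sizes:", cascades)
```

On this toy graph the in-degree attack removes the hub `core` first and collapses the largest component faster than the out-degree attack, which is the qualitative pattern the abstract reports. The cascade function also shows why the threshold matters: seeding the failure at `http` with `theta = 0.5` takes down `web` and its three dependents, while with `theta = 1.0` nothing propagates because `web` still has `json` intact.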