On the impact of security vulnerabilities in the npm package dependency network

Decan, Alexandre; Mens, Tom; Constantinou, Eleni

doi:10.1145/3196398.3196401

Cited by 176 publications

(126 citation statements)

References 22 publications

Supporting

Mentioning

121

Contrasting

Unclassified

Order By: Relevance

“…Derr et al [24] conducted a survey with more than 200 mobile app developers in the Android ecosystem to investigate the use of outdated libraries, and reported that almost 98% of 17K actively used library versions with a known security vulnerability could be easily fixed by updating the library. Decan et al [25] empirically studied nearly 400 security reports for 269 npm packages, and found that more than 40% of the releases depending on a vulnerable package do not automatically benefit from the security fixes because of too restrictive dependency constraints.…”

Section: Related Workmentioning

confidence: 99%

What Do Package Dependencies Tell Us About Semantic Versioning?

Decan

Mens

2021

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

The semantic versioning (semver) policy is commonly accepted by open source package management systems to inform whether new releases of software packages introduce possibly backward incompatible changes. Maintainers depending on such packages can use this information to avoid or reduce the risk of breaking changes in their own packages by specifying version constraints on their dependencies. Depending on the amount of control a package maintainer desires to have over her package dependencies, these constraints can range from very permissive to very restrictive. This article empirically compares semver compliance of four software packaging ecosystems (Cargo, npm, Packagist and Rubygems), and studies how this compliance evolves over time. We explore to what extent ecosystem-specific characteristics or policies influence the degree of compliance. We also propose an evaluation based on the "wisdom of the crowds" principle to help package maintainers decide which type of version constraints they should impose on their dependencies.

show abstract

Section: Related Workmentioning

confidence: 99%

What Do Package Dependencies Tell Us About Semantic Versioning?

Decan

Mens

2021

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

show abstract

“…They found that “the time lag behind the newest release of a library is measured in the order of years,” and that this is a major source of known vulnerabilities in websites using these libraries. They also observed that “libraries included transitively [...] are more likely to be vulnerable.” Decan et al carried out an empirical analysis of security vulnerabilities in the npm repository by analyzing how and when these vulnerabilities are discovered and fixed, and to which extent they affect other package releases in the repository in presence of dependency constraints. They observed that it often takes a long time to discover vulnerabilities since their introduction.…”

Section: Related Workmentioning

confidence: 99%

A formal framework for measuring technical lag in component repositories — and its application to npm

Zerouali

Mens

González-Barahona

et al. 2019

J Software Evolu Process

Self Cite

View full text Add to dashboard Cite

Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues.To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries. KEYWORDS empirical analysis, semantic versioning, software repository mining, software reuse, technical lag INTRODUCTIONOver the past years, depending on external software components has become a common software development practice, especially in the free, Open Source community. 1 This practice can lead to a significant gain in productivity, because of the ability to reuse complex functionality, rather than implementing it from scratch. 2 To further facilitate this form of reuse, many online platforms have been created for distributions of operating systems (eg, Linux distributions such as Debian and Ubuntu) and the most prominent programming languages (eg. npm for JavaScript, MavenCentral for Java, RubyGems for Ruby), totaling millions of reusable components.While the availability and abundance of those reusable components facilitate building software, it can also cause problems in maintenance and evolution. For example, a recent version of an application may be outdated, not because of its own code but due to depending on components that were not updated to their latest versions. If this happens, there is a higher risk of having bugs and security issues that may have been already fixed. 3 On the other hand, updating to more recent releases of reusable components is not for free since it might lead to a risk of facing backward incompatible changes. 4To capture how outdated a deployed software package release is w.r.t. the ''ideal'' situation, Gonzalez-Barahona et al 5 introduced the concept of ''technical lag'' as the increasing lag between upstream development and the deployed system if no corrective actions are taken. Its goal is to enable developers to decide on a more informed basis, whether or not t...

show abstract

“…Since our RQ3 is asking the same questions as our RQ1 and RQ2, but with a different condition, we present the answer of RQ3 together with the answers of RQ1 and RQ2. 12 https://greenkeeper.io/…”

Section: Resultsmentioning

confidence: 99%

“…The NPM ecosystem is one of the most active and dynamic JavaScript ecosystems and [31] presents its dependency structure and package popularity. Studies on NPM have mostly focused on its dependency networks [12], its effect on popularity of NPM packages [13], and problems associated with library migration [33].…”

Section: Related Workmentioning

confidence: 99%

Patterns of Effort Contribution and Demand and User Classification based on Participation Patterns in NPM Ecosystem

Dey

Mockus

2019

Proceedings of the Fifteenth International Conference on Predictive Models and Data Analytics in Software Engineering

View full text Add to dashboard Cite

Background: Open source requires participation of volunteer and commercial developers (users) in order to deliver functional highquality components. Developers both contribute effort in the form of patches and demand effort from the component maintainers to resolve issues reported against it. Aim: Identify and characterize patterns of effort contribution and demand throughout the open source supply chain and investigate if and how these patterns vary with developer activity; identify different groups of developers; and predict developers' company affiliation based on their participation patterns. Method: 1,376,946 issues and pull-requests created for 4433 NPM packages with over 10,000 monthly downloads and full (public) commit activity data of the 272,142 issue creators is obtained and analyzed and dependencies on NPM packages are identified. Fuzzy c-means clustering algorithm is used to find the groups among the users based on their effort contribution and demand patterns, and Random Forest is used as the predictive modeling technique to identify their company affiliations. Result: Users contribute and demand effort primarily from packages that they depend on directly with only a tiny fraction of contributions and demand going to transitive dependencies. A significant portion of demand goes into packages outside the users' respective supply chains (constructed based on publicly visible version control data). Three and two different groups of users are observed based on the effort demand and effort contribution patterns respectively. The Random Forest model used for identifying the company affiliation of the users gives a AUC-ROC value of 0.68. Conclusion: Our results give new insights into effort demand and supply at different parts of the supply chain of the NPM ecosystem and its users and suggests the need to increase visibility further upstream. CCS CONCEPTS• Software and its engineering → Open source model; • Computing methodologies → Supervised learning by classification; Cluster analysis;

show abstract

On the impact of security vulnerabilities in the npm package dependency network

Cited by 176 publications

References 22 publications

What Do Package Dependencies Tell Us About Semantic Versioning?

What Do Package Dependencies Tell Us About Semantic Versioning?

A formal framework for measuring technical lag in component repositories — and its application to npm

Patterns of Effort Contribution and Demand and User Classification based on Participation Patterns in NPM Ecosystem

Contact Info

Product

Resources

About