Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Lauinger, Tobias; Chaabane, Abdelberi; Arshad, Sajjad; Robertson, William; Wilson, Christo; Kirda, Engin

doi:10.14722/ndss.2017.23414

Cited by 101 publications

(86 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is also useful to compare the extent of technical lag across different software component repositories and different package managers, in order to assess which policies, practices, culture, and tools lead to the best compromise. Inspired by Lauinger et al, we would also like to include other types of external applications to our analysis, like deployed websites.…”

Section: Discussion and Future Workmentioning

confidence: 99%

“…They observed that systems using outdated dependencies were four times more likely to have security issues and backward incompatibilities than systems that are up‐to‐date. Lauinger et al studied the client‐side use of JavaScript libraries. They found that “the time lag behind the newest release of a library is measured in the order of years,” and that this is a major source of known vulnerabilities in websites using these libraries.…”

Section: Related Workmentioning

confidence: 99%

“…According to Tiobe's programming language index (September 2018), JavaScript is the 8th most popular programming language. npm and JavaScript have also been used as case studies by many other researchers in empirical software engineering …”

Section: Empirical Analysis Of Technical Lag In Npmmentioning

confidence: 99%

See 2 more Smart Citations

A formal framework for measuring technical lag in component repositories — and its application to npm

Zerouali

Mens

González-Barahona

et al. 2019

J Software Evolu Process

View full text Add to dashboard Cite

Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues.To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries. KEYWORDS empirical analysis, semantic versioning, software repository mining, software reuse, technical lag INTRODUCTIONOver the past years, depending on external software components has become a common software development practice, especially in the free, Open Source community. 1 This practice can lead to a significant gain in productivity, because of the ability to reuse complex functionality, rather than implementing it from scratch. 2 To further facilitate this form of reuse, many online platforms have been created for distributions of operating systems (eg, Linux distributions such as Debian and Ubuntu) and the most prominent programming languages (eg. npm for JavaScript, MavenCentral for Java, RubyGems for Ruby), totaling millions of reusable components.While the availability and abundance of those reusable components facilitate building software, it can also cause problems in maintenance and evolution. For example, a recent version of an application may be outdated, not because of its own code but due to depending on components that were not updated to their latest versions. If this happens, there is a higher risk of having bugs and security issues that may have been already fixed. 3 On the other hand, updating to more recent releases of reusable components is not for free since it might lead to a risk of facing backward incompatible changes. 4To capture how outdated a deployed software package release is w.r.t. the ''ideal'' situation, Gonzalez-Barahona et al 5 introduced the concept of ''technical lag'' as the increasing lag between upstream development and the deployed system if no corrective actions are taken. Its goal is to enable developers to decide on a more informed basis, whether or not t...

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A formal framework for measuring technical lag in component repositories — and its application to npm

Zerouali

Mens

González-Barahona

et al. 2019

J Software Evolu Process

View full text Add to dashboard Cite

show abstract

“…Lauinger et al [16] examined the security implications of relying on client-side JavaScript library usage. They examined 133K websites and found that 37% of these websites use at least one library with a known vulnerability.…”

Section: Security Vulnerabilitiesmentioning

confidence: 99%

On the impact of security vulnerabilities in the npm package dependency network

Decan

Mens

Constantinou

2018

Proceedings of the 15th International Conference on Mining Software Repositories

175

113

View full text Add to dashboard Cite

Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network containing over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to which extent they affect other packages in the packaging ecosystem in presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues. KEYWORDSsoftware repository mining, software ecosystem, dependency network, security vulnerability, semantic versioning ACM Reference Format: Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the impact of security vulnerabilities in the npm package dependency network. In

show abstract

“…The Inclusion graph corrects the technical problem of the Referer graph by using the actual inclusion relationships between domains to represent edges, rather than imprecise Referer relationships. We are able to construct Inclusion graphs, thanks to advances in browser instrumentation that allow researchers to conduct web crawls that record the exact provenance of all HTTP(S) requests [6,10,41].…”

Section: Introductionmentioning

confidence: 99%

Diffusion of User Tracking Data in the Online Advertising Ecosystem

Bashir

Wilson

2018

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Advertising and Analytics (A&A) companies have started collaborating more closely with one another due to the shift in the online advertising industry towards Real Time Bidding (RTB). One natural way to understand how user tracking data moves through this interconnected advertising ecosystem is by modeling it as a graph. In this paper, we introduce a novel graph representation, called an Inclusion graph, to model the impact of RTB on the diffusion of user tracking data in the advertising ecosystem. Through simulations on the Inclusion graph, we provide upper and lower estimates on the tracking information observed by A&A companies. We find that 52 A&A companies observe at least 91% of an average user’s browsing history under reasonable assumptions about information sharing within RTB auctions. We also evaluate the effectiveness of blocking strategies (e.g., AdBlock Plus), and find that major A&A companies still observe 40–90% of user impressions, depending on the blocking strategy.

show abstract

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Cited by 101 publications

References 12 publications

A formal framework for measuring technical lag in component repositories — and its application to npm

A formal framework for measuring technical lag in component repositories — and its application to npm

On the impact of security vulnerabilities in the npm package dependency network

Diffusion of User Tracking Data in the Online Advertising Ecosystem

Contact Info

Product

Resources

About