DOI: 10.1145/3196398.3196401
research-article
Open access

On the impact of security vulnerabilities in the npm package dependency network

Published: 28 May 2018

Abstract

Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network, which contains over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to what extent they affect other packages in the packaging ecosystem in the presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues.



Published In

MSR '18: Proceedings of the 15th International Conference on Mining Software Repositories
May 2018
627 pages
ISBN:9781450357166
DOI:10.1145/3196398
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. dependency network
  2. security vulnerability
  3. semantic versioning
  4. software ecosystem
  5. software repository mining

Qualifiers

  • Research-article

Funding Sources

  • FRS - FNRS Belgium
  • FRQ (Québec) and F.R.S- FNRS (Belgium)
  • FWO - Vlaanderen and F.R.S.-FNRS

Conference

ICSE '18
Article Metrics

  • Downloads (Last 12 months)772
  • Downloads (Last 6 weeks)112
Reflects downloads up to 20 Feb 2025

Cited By

  • (2025) DeepMig. Information and Software Technology 177(C). DOI: 10.1016/j.infsof.2024.107588. Online publication date: 1 Jan 2025.
  • (2024) Vulnerable JavaScript functions detection using stacking of convolutional neural networks. PeerJ Computer Science 10, e1838. DOI: 10.7717/peerj-cs.1838. Online publication date: 29 Feb 2024.
  • (2024) A Review of Protection Mechanisms and Examination of Security and Access Control Measures in Java Packages. International Journal of Scientific Research in Science and Technology 11(5), 280-284. DOI: 10.32628/IJSRST24115104. Online publication date: 10 Oct 2024.
  • (2024) Modeling interconnected social and technical risks in open source software ecosystems. Collective Intelligence 3(1). DOI: 10.1177/26339137241231912. Online publication date: 1 Jan 2024.
  • (2024) Software Supply Chain Risk: Characterization, Measurement & Attenuation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 2506-2509. DOI: 10.1145/3691620.3695608. Online publication date: 27 Oct 2024.
  • (2024) What's in a URL? An Analysis of Hardcoded URLs in npm Packages. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 26-32. DOI: 10.1145/3689944.3696168. Online publication date: 19 Nov 2024.
  • (2024) On the Security Blind Spots of Software Composition Analysis. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 77-87. DOI: 10.1145/3689944.3696165. Online publication date: 19 Nov 2024.
  • (2024) Developers' Approaches to Software Supply Chain Security: An Interview Study. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 56-66. DOI: 10.1145/3689944.3696160. Online publication date: 19 Nov 2024.
  • (2024) Decoding Web3: In-depth Analysis of the Third-Party Package Supply Chain. Proceedings of the 15th Asia-Pacific Symposium on Internetware, 457-466. DOI: 10.1145/3671016.3671402. Online publication date: 24 Jul 2024.
  • (2024) Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 345-350. DOI: 10.1145/3661167.3661231. Online publication date: 18 Jun 2024.