English
Related papers

Related papers: Dependency Practices for Vulnerability Mitigation

200 papers
Original Sin of npm: A Study on Vulnerability Propagation in JavaScript Dependency Networks

Understanding vulnerability propagation is essential for assessing how vulnerabilities spread across components of a software package. This supports more accurate impact analysis and enhances threat detection and mitigation. In this paper,…

Cryptography and Security · Computer Science 2026-04-21 Michael Robinson , Sajal Halder , Muhammad Ejaz Ahmed , Muhammad Ikram , Seyit Camtepe , Hyoungshick Kim
Dependency Update Strategies and Package Characteristics

Managing project dependencies is a key maintenance issue in software development. Developers need to choose an update strategy that allows them to receive important updates and fixes while protecting them from breaking changes. Semantic…

Software Engineering · Computer Science 2023-05-26 Abbas Javan Jafari , Diego Elias Costa , Emad Shihab , Rabe Abdalkareem
On the Threat of npm Vulnerable Dependencies in Node.js Applications

Software vulnerabilities have a large negative impact on the software systems that we depend on daily. Reports on software vulnerabilities always paint a grim picture, with some reports showing that 83% of organizations depend on vulnerable…

Software Engineering · Computer Science 2020-09-22 Mahmoud Alfadel , Diego Elias Costa , Mouafak Mokhallalati , Emad Shihab , Bram Adams
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

The increasing interest in open source software has led to the emergence of large language-specific package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to vulnerabilities…

Software Engineering · Computer Science 2022-03-29 Ahmed Zerouali , Tom Mens , Alexandre Decan , Coen De Roover
Understanding npm Developers' Practices, Challenges, and Recommendations for Secure Package Development

Background: The Node Package Manager (npm) ecosystem plays a vital role in modern software development by providing a vast repository of packages and tools that developers can use to implement their software systems. However, recent…

Software Engineering · Computer Science 2026-01-29 Anthony Peruma , Truman Choy , Gerald Lee , Italo De Oliveira Santos
Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM

Modern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become…

Software Engineering · Computer Science 2022-08-30 Jasmine Latendresse , Suhaib Mujahid , Diego Elias Costa , Emad Shihab
Lags in the Release, Adoption, and Propagation of npm Vulnerability Fixes

Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that…

Software Engineering · Computer Science 2021-06-24 Bodin Chinthanet , Raula Gaikovina Kula , Shane McIntosh , Takashi Ishio , Akinori Ihara , Kenichi Matsumoto
Small World with High Risks: A Study of Security Threats in the npm Ecosystem

The popularity of JavaScript has lead to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages.…

Cryptography and Security · Computer Science 2019-06-10 Markus Zimmermann , Cristian-Alexandru Staicu , Cam Tenny , Michael Pradel
PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python

Python software development heavily relies on third-party packages. Direct and transitive dependencies create a labyrinth of software supply chains. While it is convenient to reuse code, vulnerabilities within these dependency chains can…

Cryptography and Security · Computer Science 2026-03-11 Jacob Mahon , Chenxi Hou , Zhihao Yao
On the evolution of technical lag in the npm package dependency network

Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full…

Software Engineering · Computer Science 2018-06-14 Alexandre Decan , Tom Mens , Eleni Constantinou
Towards Sustainable and Secure Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain

Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant…

Software Engineering · Computer Science 2025-10-07 Brittany Anne Reid , Raula Gaikovina Kula
What About Our Bug? A Study on the Responsiveness of NPM Package Maintainers

Background: Widespread use of third-party libraries makes ecosystems like Node Package Manager (npm) critical to modern software development. However, this interconnected chain of dependencies also creates challenges: bugs in one library…

Software Engineering · Computer Science 2025-11-10 Mohammadreza Saeidi , Ethan Thoma , Raula Gaikovina Kula , Gema Rodríguez-Pérez
The Hitchhiker's Guide to Malicious Third-Party Dependencies

The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., npm, PyPI) serve as public databases that users can query to…

Cryptography and Security · Computer Science 2023-10-09 Piergiorgio Ladisa , Merve Sahin , Serena Elisa Ponta , Marco Rosa , Matias Martinez , Olivier Barais
Node package manager's dependency network robustness

The robustness of npm dependency network is a crucial property, since many projects and web applications heavily rely on the functionalities of packages, especially popular ones that have many dependant packages. In the past, there have…

Social and Information Networks · Computer Science 2021-10-25 Andrej Hafner , Anže Mur , Jaka Bernard
I depended on you and you broke me: An empirical study of manifesting breaking changes in client packages

Complex software systems have a network of dependencies. Developers often configure package managers (e.g., npm) to automatically update dependencies with each publication of new releases containing bug fixes and new features. When a…

Software Engineering · Computer Science 2024-01-24 Daniel Venturini , Filipe Roseiro Cogo , Ivanilton Polato , Marco A Gerosa , Igor Scaliante Wiese
On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an…

Software Engineering · Computer Science 2023-01-20 Amir M. Mir , Mehdi Keshani , Sebastian Proksch
Decoding Dependency Risks: A Quantitative Study of Vulnerabilities in the Maven Ecosystem

This study investigates vulnerabilities within the Maven ecosystem by analyzing a comprehensive dataset of 14,459,139 releases. Our analysis reveals the most critical weaknesses that pose significant threats to developers and their projects…

Software Engineering · Computer Science 2025-03-31 Costain Nachuma , Md Mosharaf Hossan , Asif Kamal Turzo , Minhaz F. Zibran
Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem

Third-party libraries with rich functionalities facilitate the fast development of Node.js software, but also bring new security threats that vulnerabilities could be introduced through dependencies. In particular, the threats could be…

Software Engineering · Computer Science 2022-08-30 Chengwei Liu , Sen Chen , Lingling Fan , Bihuan Chen , Yang Liu , Xin Peng
An Empirical Study of Vulnerable Package Dependencies in LLM Repositories

Large language models (LLMs) have developed rapidly in recent years, revolutionizing various fields. Despite their widespread success, LLMs heavily rely on external code dependencies from package management systems, creating a complex and…

Cryptography and Security · Computer Science 2025-09-01 Shuhan Liu , Xing Hu , Xin Xia , David Lo , Xiaohu Yang
Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects

This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation.…

Cryptography and Security · Computer Science 2024-08-27 Janislley Oliveira de Sousa , Bruno Carvalho de Farias , Eddie Batista de Lima Filho , Lucas Carvalho Cordeiro
‹ Prev 1 2 3 10 Next ›