Internet Archive Scholar
Filters
























592 Hits in 5.5 sec

On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks [article]

Ahmed Zerouali, Tom Mens, Alexandre Decan, Coen De Roover
2022 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (823.1 kB)
https://web.archive.org/web/20210616041023/https://arxiv.org/pdf/2106.06747v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

Note that this fulltext copy is not of the "primary" version of this work. The version it corresponds to is:

2021 pre-print arXiv:2106.06747v1 fatcat:v35ntwxbzjbzjf6r755vryv3ky
We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects depending on npm packages.  ...  We observe that the number of vulnerabilities in npm is increasing and being disclosed faster than vulnerabilities in RubyGems.  ...  We express our gratitude to the security team of Snyk for granting us permission to use their dataset of vulnerability reports for research purposes.  ... 
arXiv:2106.06747v2 fatcat:s62ogooowrgilayondf5x5leqa
Open Access Multiple Versions
Citation

Ahmed Zerouali, Tom Mens, Alexandre Decan, Coen De Roover. "On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks." arXiv (2022)

Small World with High Risks: A Study of Security Threats in the npm Ecosystem [article]

Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, Michael Pradel
2019 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (914.0 kB)
https://web.archive.org/web/20191016134938/https://arxiv.org/pdf/1902.09217v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2019; you can also visit the original URL. The file type is application/pdf.

Note that this fulltext copy is not of the "primary" version of this work. The version it corresponds to is:

2019 pre-print arXiv:1902.09217v1 fatcat:cavgypv4bzfr3k4ro5oan7bifa
Studying the potential for running vulnerable or malicious code due to third-party dependencies, we find that individual packages could impact large parts of the entire ecosystem.  ...  Studying the potential for accidentally using vulnerable code, we find that lack of maintenance causes many packages to depend on vulnerable code, even years after a vulnerability has become public.  ...  Acknowledgments This work was supported by the German Federal Ministry of Education and Research and by the Hessian Ministry of Science and the Arts within CRISP, by the German Research Foundation within  ... 
arXiv:1902.09217v2 fatcat:qd6hy2ntyvgpplads6t7trjbwa
Multiple Versions
Citation

Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, Michael Pradel. "Small World with High Risks: A Study of Security Threats in the npm Ecosystem." arXiv (2019)

Node package manager's dependency network robustness [article]

Andrej Hafner, Anže Mur, Jaka Bernard
2021 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (1.4 MB)
https://web.archive.org/web/20211108144202/https://arxiv.org/pdf/2110.11695v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

The robustness of npm dependency network is a crucial property, since many projects and web applications heavily rely on the functionalities of packages, especially popular ones that have many dependant  ...  In the past, there have been instances where the removal or update of certain npm packages has caused widespread chaos and web-page downtime on the internet.  ...  Authors of (8) analyzed the impact of security vulnerabilities in the npm package dependency network.  ... 
arXiv:2110.11695v1 fatcat:q6eyotd3yvgvtapdoswqndvtz4
Open Access
Citation

Andrej Hafner, Anže Mur, Jaka Bernard. "Node package manager's dependency network robustness." arXiv (2021)

On the Threat of npm Vulnerable Dependencies in Node.js Applications [article]

Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, Bram Adams
2020 arXiv   pre-print

Preserved Fulltext

Web Archive Capture PDF (2.0 MB)
https://web.archive.org/web/20200923001638/https://arxiv.org/pdf/2009.09019v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit the original URL. The file type is application/pdf.

Our findings show that although 67.93% of the examined applications depend on at least one vulnerable package, 94.91% of the vulnerable packages in those affected applications are classified as having  ...  Software vulnerabilities have a large negative impact on the software systems that we depend on daily.  ...  Contrast Security, a software security company, reported that 80% of the code written in today's applications depend on external packages, and approximately one fourth of package downloads have known vulnerabilities  ... 
arXiv:2009.09019v1 fatcat:pgsi6ptzmvhsddrazedk63wcv4
Citation

Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, Bram Adams. "On the Threat of npm Vulnerable Dependencies in Node.js Applications." arXiv (2020)

2020 State of the Octoverse: Securing the World's Software [article]

Nicole Forsgren, Bas Alberts, Kevin Backhouse, Grey Baker, Greg Cecarelli, Derek Jedamski, Scot Kelly, Clair Sullivan
2021 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (1.3 MB)
https://web.archive.org/web/20211024104309/https://arxiv.org/ftp/arxiv/papers/2110/2110.10246.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

The artifacts of open source code serve as critical i infrastructure for much of the global economy, making the security of open source software mission-critical to the world.  ...  Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software.  ...  These vulnerabilities were severe in terms of the number of developers they affected and their potential impact on vulnerable networks and endpoints.  ... 
arXiv:2110.10246v1 fatcat:rikir3wbz5e53n37kaasjpxqki
Open Access
Citation

Nicole Forsgren, Bas Alberts, Kevin Backhouse, Grey Baker, Greg Cecarelli, Derek Jedamski, Scot Kelly, Clair Sullivan. "2020 State of the Octoverse: Securing the World's Software." arXiv (2021)

Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem [article]

Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, Xin Peng
2022 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (1.3 MB)
https://web.archive.org/web/20220211005548/https://arxiv.org/pdf/2201.03981v2.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2022; you can also visit the original URL. The file type is application/pdf.

Other Versions

2022 pre-print
arXiv:2201.03981v1 fatcat:yfhl2ulinfde3lngcaoadqu4ke
Our study unveils lots of useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the vulnerability impact in NPM.  ...  For example, we implement a dependency tree based vulnerability remediation method (DTReme) for NPM packages, and receive much better performance than the official tool (npm audit fix).  ...  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of the Ministry of Education, Singapore.  ... 
arXiv:2201.03981v2 fatcat:d4vhm6mzxbgrph66p3akuvricu
Multiple Versions
Citation

Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, Xin Peng. "Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem." arXiv (2022)

Lags in the release, adoption, and propagation of npm vulnerability fixes

Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, Kenichi Matsumoto
2021 Empirical Software Engineering  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (2.1 MB)
https://web.archive.org/web/20210718110209/https://link.springer.com/content/pdf/10.1007/s10664-021-09951-x.pdf?error=cookies_not_supported&code=6e936c18-26ea-4c02-a431-2120a56e197d

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients  ...  Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation.  ...  Decan et al. (2018b) explored the impact of vulnerability within the npm ecosystem by analyzing the reaction time of developers from both vulnerable packages and their direct dependent packages to fix  ... 
doi:10.1007/s10664-021-09951-x fatcat:55o4c7qinrcirppzeyer5ufbry
Open Access
Citation

Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, Kenichi Matsumoto. "Lags in the release, adoption, and propagation of npm vulnerability fixes." Empirical Software Engineering (2021)

On the evolution of technical lag in the npm package dependency network [article]

Alexandre Decan, Tom Mens, Eleni Constantinou
2018 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (571.6 kB)
https://web.archive.org/web/20200831214332/https://arxiv.org/pdf/1806.01545v2.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit the original URL. The file type is application/pdf.

Other Versions

2018 pre-print
arXiv:1806.01545v1 fatcat:sb5tjwaihzh6hou4wwoxgvgw5i
In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases  ...  In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases.  ...  This practice resulted in different version adoption ratios. Decan et al. [8] compared the topology of npm with the one of the CRAN and RubyGems package dependency networks.  ... 
arXiv:1806.01545v2 fatcat:gy2o5i3s4bhsvi7wfgbcrqzeaq
Multiple Versions
Citation

Alexandre Decan, Tom Mens, Eleni Constantinou. "On the evolution of technical lag in the npm package dependency network." arXiv (2018)

Structure and Evolution of Package Dependency Networks

Riivo Kikas, Georgios Gousios, Marlon Dumas, Dietmar Pfahl
2017 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (419.8 kB)
https://web.archive.org/web/20180722151945/https://repository.tudelft.nl/islandora/object/uuid%3Ad4f3b461-a0c8-4b23-8041-3f2f55dd773e/datastream/OBJ/download

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2018; you can also visit the original URL. The file type is application/pdf.

The study also reveals that vulnerability to a removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability.  ...  This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems.  ...  We define vulnerability of a package as the fraction of the network nodes that is impacted by a removal of a single package or a single package version.  ... 
doi:10.1109/msr.2017.55 dblp:conf/msr/KikasGDP17 fatcat:kfimmxd7jbggfdwzjcl3mrfgrm
Citation

Riivo Kikas, Georgios Gousios, Marlon Dumas, Dietmar Pfahl. "Structure and Evolution of Package Dependency Networks." 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR) (2017) 102-112

Lags in the Release, Adoption, and Propagation of npm Vulnerability Fixes [article]

Bodin Chinthanet and Raula Gaikovina Kula and Shane McIntosh and Takashi Ishio and Akinori Ihara and Kenichi Matsumoto
2021 arXiv   pre-print

Preserved Fulltext

Web Archive Capture PDF (1.2 MB)
https://web.archive.org/web/20200623071644/https://arxiv.org/pdf/1907.03407v3.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit the original URL. The file type is application/pdf.

Note that this fulltext copy is not of the "primary" version of this work. The version it corresponds to is:

2020 pre-print arXiv:1907.03407v3 fatcat:f3llztyz4vc2jcta7ra7dwir74

Other Versions

2019 pre-print
arXiv:1907.03407v1 fatcat:ejcld6er7vclhcufrv5fftismm
2019 pre-print
arXiv:1907.03407v2 fatcat:nobbwke2mfb7hoznidg27cqspy
2021 accepted
arXiv:1907.03407v5 fatcat:sppjzztmhfh67ojjnbazb7kckq
Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability  ...  Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients  ...  Acknowledgment This work was supported by the Japan Society for Promotion of Science (JSPS) KAKENHI Grant Numbers JP18H04094, JP18H03221.  ... 
arXiv:1907.03407v4 fatcat:wyjytsi2enb7dbiqsnbcuy27ea
Multiple Versions
Citation

Bodin Chinthanet and Raula Gaikovina Kula and Shane McIntosh and Takashi Ishio and Akinori Ihara and Kenichi Matsumoto. "Lags in the Release, Adoption, and Propagation of npm Vulnerability Fixes." arXiv (2021)

Software ecosystem call graph for dependency management

Joseph Hejderup, Arie van Deursen, Georgios Gousios
2018 Proceedings of the 40th International Conference on Software Engineering New Ideas and Emerging Results - ICSE-NIER '18  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (831.6 kB)
https://web.archive.org/web/20190426191447/https://repository.tudelft.nl/islandora/object/uuid%3A6f088b70-bccb-476e-b092-395078dec39b/datastream/OBJ/download

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2019; you can also visit the original URL. The file type is application/pdf.

Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks.  ...  A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm.  ...  The first use case evaluates the impact of a security bug in the npm ecosystem.  ... 
doi:10.1145/3183399.3183417 dblp:conf/icse/HejderupDG18 fatcat:hy7zb237nngvnhsn5vduuvc2e4
Citation

Joseph Hejderup, Arie van Deursen, Georgios Gousios. "Software ecosystem call graph for dependency management." Proceedings of the 40th International Conference on Software Engineering New Ideas and Emerging Results - ICSE-NIER '18 (2018) 101-104

CD3T: Cross-Project Dependency Defect Detection Tool

Yao Yongming, Huang Song, Feng Cuiyi, Liu Chen, Xu Chenying
2019 International Journal of Performability Engineering  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (510.6 kB)
https://web.archive.org/web/20220303093824/http://www.ijpe-online.com/EN/article/downloadArticleFile.do?attachType=PDF&id=4220

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2022; you can also visit the original URL. The file type is application/pdf.

Nowadays, every software project usually has a large number of third-party components depending on the repository, some of which have some unsafe code.  ...  In this paper, we design a cross-project dependency defect detection system based on Java, called CD3T.  ...  Acknowledgements This research is supported by the National Key R&D Program of China (Grant No.2018YFB1403400) and the Tongda College of Nanjing University of Posts and Telecommunications (Grant No.  ... 
doi:10.23940/ijpe.19.09.p5.23292337 fatcat:ofyn4me4afddnptqpb37lhxc6q
Citation

Yao Yongming, Huang Song, Feng Cuiyi, Liu Chen, Xu Chenying. "CD3T: Cross-Project Dependency Defect Detection Tool." International Journal of Performability Engineering 15.9 (2019) 2329

Containing Malicious Package Updates in npm with a Lightweight Permission System [article]

Gabriel Ferreira, Limin Jia, Joshua Sunshine, Christian Kästner
2021 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (328.4 kB)
https://web.archive.org/web/20210315150157/https://arxiv.org/pdf/2103.05769v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network  ...  The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies  ...  Hejderup [40] analyzed dependencies among packages published on the npm repository and found that known vulnerabilities in packages often affect many other dependent packages in the ecosystem, with many  ... 
arXiv:2103.05769v1 fatcat:4fn7y6tipbdadizplqjhxs4hoa
Citation

Gabriel Ferreira, Limin Jia, Joshua Sunshine, Christian Kästner. "Containing Malicious Package Updates in npm with a Lightweight Permission System." arXiv (2021)

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages [article]

Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, Wenke Lee
2020 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (851.0 kB)
https://web.archive.org/web/20201205203722/https://arxiv.org/pdf/2002.01139v2.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit the original URL. The file type is application/pdf.

Other Versions

2020 pre-print
arXiv:2002.01139v1 fatcat:434bwgxnmzdfrk5ajchdzrnd5a
For example, eslint-scope, a package with millions of weekly downloads in Npm, was compromised to steal credentials from developers.  ...  We outline the challenges of tailoring program analysis tools to interpreted languages and release our pipeline as a reference point for the community to build on and help in securing the software supply  ...  Any opinions, findings, and conclusions in this paper are those of the authors and do not necessarily reflect the views of our sponsors or collaborators.  ... 
arXiv:2002.01139v2 fatcat:n3k62ggdorag5ep5isqznct3z4
Multiple Versions
Citation

Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, Wenke Lee. "Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages." arXiv (2020)

What are Weak Links in the npm Supply Chain? [article]

Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila
2021 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (670.3 kB)
https://web.archive.org/web/20211228051755/https://arxiv.org/pdf/2112.10165v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

Other Versions

2022 accepted
doi:10.1145/3510457.3513044 arXiv:2112.10165v2 fatcat:oxdwhjfo45akxoh7wunjw4msma
In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages.  ...  The goal of this work is to help software developers and security specialists identify weak links in a software supply chain by empirically studying npm package metadata.  ...  We acknowledge the npm package maintainers contributions to our study. We also thank the NCSU Realsearch group for valuable feedback.  ... 
arXiv:2112.10165v1 fatcat:njtpdwovqjcwncw6z5jt7g7tuy
Open Access Multiple Versions
Citation

Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila. "What are Weak Links in the npm Supply Chain?." arXiv (2021)

« Previous Showing results 1 — 15 out of 592 results