On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks [article]

Ahmed Zerouali, Tom Mens, Alexandre Decan, Coen De Roover
2022 arXiv   pre-print
We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects depending on npm packages.  ...  We observe that the number of vulnerabilities in npm is increasing and being disclosed faster than vulnerabilities in RubyGems.  ...  We express our gratitude to the security team of Snyk for granting us permission to use their dataset of vulnerability reports for research purposes.  ... 
arXiv:2106.06747v2 fatcat:s62ogooowrgilayondf5x5leqa

Small World with High Risks: A Study of Security Threats in the npm Ecosystem [article]

Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, Michael Pradel
2019 arXiv   pre-print
Studying the potential for running vulnerable or malicious code due to third-party dependencies, we find that individual packages could impact large parts of the entire ecosystem.  ...  Studying the potential for accidentally using vulnerable code, we find that lack of maintenance causes many packages to depend on vulnerable code, even years after a vulnerability has become public.  ...  Acknowledgments This work was supported by the German Federal Ministry of Education and Research and by the Hessian Ministry of Science and the Arts within CRISP, by the German Research Foundation within  ... 
arXiv:1902.09217v2 fatcat:qd6hy2ntyvgpplads6t7trjbwa

Node package manager's dependency network robustness [article]

Andrej Hafner, Anže Mur, Jaka Bernard
2021 arXiv   pre-print
The robustness of npm dependency network is a crucial property, since many projects and web applications heavily rely on the functionalities of packages, especially popular ones that have many dependant  ...  In the past, there have been instances where the removal or update of certain npm packages has caused widespread chaos and web-page downtime on the internet.  ...  Authors of (8) analyzed the impact of security vulnerabilities in the npm package dependency network.  ... 
arXiv:2110.11695v1 fatcat:q6eyotd3yvgvtapdoswqndvtz4

On the Threat of npm Vulnerable Dependencies in Node.js Applications [article]

Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, Bram Adams
2020 arXiv   pre-print
Our findings show that although 67.93% of the examined applications depend on at least one vulnerable package, 94.91% of the vulnerable packages in those affected applications are classified as having  ...  Software vulnerabilities have a large negative impact on the software systems that we depend on daily.  ...  Contrast Security, a software security company, reported that 80% of the code written in today's applications depend on external packages, and approximately one fourth of package downloads have known vulnerabilities  ... 
arXiv:2009.09019v1 fatcat:pgsi6ptzmvhsddrazedk63wcv4

2020 State of the Octoverse: Securing the World's Software [article]

Nicole Forsgren, Bas Alberts, Kevin Backhouse, Grey Baker, Greg Cecarelli, Derek Jedamski, Scot Kelly, Clair Sullivan
2021 arXiv   pre-print
The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.  ...  Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software.  ...  These vulnerabilities were severe in terms of the number of developers they affected and their potential impact on vulnerable networks and endpoints.  ... 
arXiv:2110.10246v1 fatcat:rikir3wbz5e53n37kaasjpxqki

Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem [article]

Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, Xin Peng
2022 arXiv   pre-print
Our study unveils lots of useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the vulnerability impact in NPM.  ...  For example, we implement a dependency tree based vulnerability remediation method (DTReme) for NPM packages, and receive much better performance than the official tool (npm audit fix).  ...  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of the Ministry of Education, Singapore.  ... 
arXiv:2201.03981v2 fatcat:d4vhm6mzxbgrph66p3akuvricu

Lags in the release, adoption, and propagation of npm vulnerability fixes

Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, Kenichi Matsumoto
2021 Empirical Software Engineering  
Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients  ...  Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation.  ...  Decan et al. (2018b) explored the impact of vulnerability within the npm ecosystem by analyzing the reaction time of developers from both vulnerable packages and their direct dependent packages to fix  ... 
doi:10.1007/s10664-021-09951-x fatcat:55o4c7qinrcirppzeyer5ufbry

On the evolution of technical lag in the npm package dependency network [article]

Alexandre Decan, Tom Mens, Eleni Constantinou
2018 arXiv   pre-print
In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases  ...  In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases.  ...  This practice resulted in different version adoption ratios. Decan et al. [8] compared the topology of npm with the one of the CRAN and RubyGems package dependency networks.  ... 
arXiv:1806.01545v2 fatcat:gy2o5i3s4bhsvi7wfgbcrqzeaq

Structure and Evolution of Package Dependency Networks

Riivo Kikas, Georgios Gousios, Marlon Dumas, Dietmar Pfahl
2017 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)  
The study also reveals that vulnerability to a removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability.  ...  This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems.  ...  We define vulnerability of a package as the fraction of the network nodes that is impacted by a removal of a single package or a single package version.  ... 
doi:10.1109/msr.2017.55 dblp:conf/msr/KikasGDP17 fatcat:kfimmxd7jbggfdwzjcl3mrfgrm

Lags in the Release, Adoption, and Propagation of npm Vulnerability Fixes [article]

Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, Kenichi Matsumoto
2021 arXiv   pre-print
Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability  ...  Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients  ...  Acknowledgment This work was supported by the Japan Society for Promotion of Science (JSPS) KAKENHI Grant Numbers JP18H04094, JP18H03221.  ... 
arXiv:1907.03407v4 fatcat:wyjytsi2enb7dbiqsnbcuy27ea

Software ecosystem call graph for dependency management

Joseph Hejderup, Arie van Deursen, Georgios Gousios
2018 Proceedings of the 40th International Conference on Software Engineering New Ideas and Emerging Results - ICSE-NIER '18  
Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks.  ...  A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm.  ...  The first use case evaluates the impact of a security bug in the npm ecosystem.  ... 
doi:10.1145/3183399.3183417 dblp:conf/icse/HejderupDG18 fatcat:hy7zb237nngvnhsn5vduuvc2e4

CD3T: Cross-Project Dependency Defect Detection Tool

Yao Yongming, Huang Song, Feng Cuiyi, Liu Chen, Xu Chenying
2019 International Journal of Performability Engineering  
Nowadays, every software project usually has a large number of third-party components depending on the repository, some of which have some unsafe code.  ...  In this paper, we design a cross-project dependency defect detection system based on Java, called CD3T.  ...  Acknowledgements This research is supported by the National Key R&D Program of China (Grant No.2018YFB1403400) and the Tongda College of Nanjing University of Posts and Telecommunications (Grant No.  ... 
doi:10.23940/ijpe.19.09.p5.23292337 fatcat:ofyn4me4afddnptqpb37lhxc6q

Containing Malicious Package Updates in npm with a Lightweight Permission System [article]

Gabriel Ferreira, Limin Jia, Joshua Sunshine, Christian Kästner
2021 arXiv   pre-print
Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network  ...  The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies  ...  Hejderup [40] analyzed dependencies among packages published on the npm repository and found that known vulnerabilities in packages often affect many other dependent packages in the ecosystem, with many  ... 
arXiv:2103.05769v1 fatcat:4fn7y6tipbdadizplqjhxs4hoa

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages [article]

Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, Wenke Lee
2020 arXiv   pre-print
For example, eslint-scope, a package with millions of weekly downloads in Npm, was compromised to steal credentials from developers.  ...  We outline the challenges of tailoring program analysis tools to interpreted languages and release our pipeline as a reference point for the community to build on and help in securing the software supply  ...  Any opinions, findings, and conclusions in this paper are those of the authors and do not necessarily reflect the views of our sponsors or collaborators.  ... 
arXiv:2002.01139v2 fatcat:n3k62ggdorag5ep5isqznct3z4

What are Weak Links in the npm Supply Chain? [article]

Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila
2021 arXiv   pre-print
In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages.  ...  The goal of this work is to help software developers and security specialists identify weak links in a software supply chain by empirically studying npm package metadata.  ...  We acknowledge the npm package maintainers contributions to our study. We also thank the NCSU Realsearch group for valuable feedback.  ... 
arXiv:2112.10165v1 fatcat:njtpdwovqjcwncw6z5jt7g7tuy