
On The Lag of Library Vulnerability Updates: An Investigation into the Repackage and Delivery of Security Fixes Within The npm JavaScript Ecosystem

by Bodin Chinthanet, et al.
Nara Institute of Science and Technology
Wakayama University

Vulnerabilities in third-party libraries are a growing concern for software developers, as they pose risks not only to the client software itself but to the entire software ecosystem. To mitigate these risks, developers are strongly recommended to update their dependencies. Recent studies show that affected developers are not likely to respond to a vulnerability threat. However, another reason for the lag in vulnerability updates is the slow repackaging (i.e., packaging the vulnerability fix into a new version) and delivery (i.e., affected clients adopting the new version) of the fix. To understand these lags, we use both qualitative and quantitative approaches to conduct an empirical study of how 188 fixes were repackaged and delivered across over eight hundred thousand releases of npm software clients hosted on GitHub. We report two lags: (1) lags in repackaging occur because vulnerability fixes are likely to be bundled with other, unrelated updates (about 83.33% of commits are not related to the fix), and (2) lags in delivery are caused by clients being more likely to adopt a fix released as a minor version than one released as a patch version. Furthermore, other factors such as downstream dependencies and severity do have an impact. We also find that the freshness of packages does not affect the amount of lag. The identification of these two lags opens up different avenues for facilitating faster fix delivery throughout a library ecosystem.
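To make the two lags concrete, the following script models one fix travelling through the npm supply chain: the library commits a fix, repackages it into a release some days later (possibly as a minor rather than a patch bump because other changes were bundled with it), and each client either receives that release automatically through the range declared in its package.json or has to edit the manifest. This is an added example written for this page, not code from the paper or from the npm project; it assumes a simplified semver model (exact, tilde `~` and caret `^` ranges only, no prerelease tags or compound ranges) and uses constructed release data, not data from the study.

```javascript
// Added example: how repackaging (fix commit -> release) and delivery
// (release -> client range) lag can be measured for one vulnerability fix.
// The semver subset below mirrors npm's caret/tilde rules but is NOT the npm
// `semver` package; the release data and dates are constructed for illustration.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// True if `version` satisfies `range` for exact ("1.2.3"), tilde ("~1.2.3")
// and caret ("^1.2.3") ranges. Caret on a 0.x.y base pins the minor, and on a
// 0.0.z base pins the patch, as npm does.
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const baseStr = op ? range.slice(1) : range;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (op === '') return compareVersions(version, baseStr) === 0;
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  if (base.major === 0) {
    if (base.minor === 0) return v.major === 0 && v.minor === 0 && v.patch === base.patch;
    return v.major === 0 && v.minor === base.minor;
  }
  return v.major === base.major;
}

// Classify the release that carries the fix relative to the previous release.
function bumpType(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (b.major !== a.major) return 'major';
  if (b.minor !== a.minor) return 'minor';
  return 'patch';
}

// lib:    { fixCommitDate: 'YYYY-MM-DD', releases: [{ version, date, containsFix }] }
// client: { range: '^1.2.0' }  (the range declared in the client's package.json)
function fixDelivery(lib, client) {
  const releases = [...lib.releases].sort((a, b) => compareVersions(a.version, b.version));
  const idx = releases.findIndex(r => r.containsFix);
  if (idx < 0) return { status: 'unreleased' }; // fix committed but not yet repackaged
  const fix = releases[idx];
  const bump = idx > 0 ? bumpType(releases[idx - 1].version, fix.version) : 'initial';
  const repackageLagDays = Math.round(
    (Date.parse(fix.date) - Date.parse(lib.fixCommitDate)) / MS_PER_DAY);
  const deliveredByRange = satisfies(client.range, fix.version);
  return {
    status: 'released',
    fixVersion: fix.version,
    bump,                 // patch / minor / major bump that carried the fix
    repackageLagDays,     // lag 1: commit -> release
    deliveredByRange,     // lag 2: does the client's range pick it up on update?
    clientAction: deliveredByRange ? 'npm update' : 'edit manifest',
  };
}

// Constructed scenario A: the fix is bundled with other changes and ships as 1.3.0.
const MINOR_RELEASE_LIB = {
  fixCommitDate: '2019-03-01',
  releases: [
    { version: '1.2.3', date: '2019-01-10', containsFix: false }, // vulnerable
    { version: '1.3.0', date: '2019-03-25', containsFix: true },  // fix + unrelated commits
  ],
};

// Constructed scenario B: the same fix ships alone as patch release 1.2.4.
const PATCH_RELEASE_LIB = {
  fixCommitDate: '2019-03-01',
  releases: [
    { version: '1.2.3', date: '2019-01-10', containsFix: false },
    { version: '1.2.4', date: '2019-03-05', containsFix: true },
  ],
};

for (const range of ['~1.2.0', '^1.2.0']) {
  console.log(range, 'minor-release fix:', JSON.stringify(fixDelivery(MINOR_RELEASE_LIB, { range })));
  console.log(range, 'patch-release fix:', JSON.stringify(fixDelivery(PATCH_RELEASE_LIB, { range })));
}
```

Running it shows the two lags separately: scenario A has a 24-day repackaging lag and is only auto-delivered to the caret client, while the tilde client must edit its manifest; scenario B has a 4-day repackaging lag and reaches both clients on `npm update`. Real data would also need lockfiles and transitive dependencies, which this model deliberately omits.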
