Lags in the Release, Adoption, and Propagation of npm Vulnerability Fixes
by Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara and Kenichi Matsumoto
2021
Abstract
Security vulnerabilities in third-party dependencies are a growing concern, not only for the developers of the affected software but for the risk they pose to an entire software ecosystem, e.g., the Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of a vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (a fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (the package-side fixing release). Through a preliminary study of 231 package-side fixing releases of npm projects on GitHub, we observe that a fix is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to the fix. We then compare the package-side fixing release with the corresponding changes on the client side (the client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases whose impact reaches throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package patch landing). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of the vulnerability on its propagation. In addition to the lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate lags in an ecosystem.
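As an added illustration of the package-side and client-side lags the abstract describes (constructed example code, not the paper's tooling or data; the package, clients, versions and dates are assumptions): given a package's release dates, each client's declared semver range and an optional later range migration, the script reports how long each client stayed exposed and whether the fix reached it automatically, by migration, or not at all. It then replays the same fix landing only on a major-version branch, where even floating ranges go stale.

```javascript
// Added example (constructed data, not from the paper): toy model of the
// package-side vs client-side fixing-release lags the abstract describes.
// Only exact, ~ and ^ semver ranges are handled.
const parse = v => v.split('.').map(Number);
const cmp = (a, b) => parse(a).reduce((d, x, i) => d || x - parse(b)[i], 0);
const days = (from, to) => Math.round((Date.parse(to) - Date.parse(from)) / 864e5);

// Does an exact, ~ or ^ range admit version v? (^1.x stays in major 1,
// ^0.x and ~x.y stay in the same minor.)
function satisfies(range, v) {
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (cmp(v, base) < 0) return false;
  const [bM, bm] = parse(base), [vM, vm] = parse(v);
  if (op === '^') return vM === bM && (bM > 0 || vm === bm);
  if (op === '~') return vM === bM && vm === bm;
  return cmp(v, base) === 0;
}

// Package-side lag: vulnerable -> fixing release. A client gets the fix for
// free if its declared range admits the fixing version; a pinned or
// out-of-range client only gets it once it migrates its range (if ever).
function fixLags(pkg, vulnerable, fixing, clients) {
  const date = v => pkg.releases.find(r => r.version === v).date;
  const packageLag = days(date(vulnerable), date(fixing));
  const classify = c => {
    if (!satisfies(c.range, vulnerable)) return ['unaffected', null];
    if (satisfies(c.range, fixing)) return ['auto', packageLag];
    if (c.migration && satisfies(c.migration.range, fixing))
      return ['migrated', days(date(vulnerable), c.migration.date)];
    return ['stale', null];
  };
  return { packageLag, clients: clients.map(c => {
    const [status, lag] = classify(c); return { client: c.name, status, lag }; }) };
}

// Constructed slice of an ecosystem: the fix ships as a patch (1.2.1) and on
// the next major (2.0.0); which branch it lands on decides who receives it.
const pkg = { name: 'examplelib', releases: [
  { version: '1.2.0', date: '2019-01-10' },   // vulnerable release
  { version: '1.2.1', date: '2019-01-17' },   // package-side fixing release
  { version: '2.0.0', date: '2019-03-01' } ] };
const clients = [
  { name: 'app-a', range: '^1.2.0' },                                        // floats within 1.x
  { name: 'app-b', range: '1.2.0', migration: { range: '^1.2.1', date: '2019-04-20' } },
  { name: 'app-c', range: '1.2.0' },                                         // pinned, never updated
  { name: 'app-d', range: '~1.1.0' } ];                                      // never resolved to 1.2.0
console.log(JSON.stringify(fixLags(pkg, '1.2.0', '1.2.1', clients)));
console.log(JSON.stringify(fixLags(pkg, '1.2.0', '2.0.0', clients)));
```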
arXiv: 1907.03407v4