MSR 2018
Mon 28 - Tue 29 May 2018 Gothenburg, Sweden
co-located with ICSE 2018
Mon 28 May 2018 11:17 - 11:34 at E3 room - Modularity and Dependency Chair(s): Moritz Beller

Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network containing over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to which extent they affect other packages in the packaging ecosystem in presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues.

Mon 28 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

11:00 - 12:30
Modularity and Dependency (Technical Papers) at E3 room
Chair(s): Moritz Beller Delft University of Technology
11:00
17m
Full-paper
An Empirical Evaluation of OSGi Dependencies Best Practices in the Eclipse IDE
Technical Papers
A: Lina Ochoa, A: Thomas Degueule CWI, Netherlands, A: Jurgen Vinju Centrum Wiskunde & Informatica / Technische Universiteit Eindhoven / SWAT.engineering BV
11:17
17m
Full-paper
On the impact of security vulnerabilities in the npm package dependency network
Technical Papers
A: Alexandre Decan, A: Tom Mens, A: Eleni Constantinou University of Mons
Link to publication DOI
11:34
17m
Full-paper
Feature Location using Crowd-based Screencasts
Technical Papers
A: Parisa Moslehi, A: Bram Adams MCIS, École Polytechnique de Montréal, A: Juergen Rilling
Pre-print
11:51
17m
Full-paper
Profiling call changes via motif mining
Technical Papers
A: Barbara Russo Free University of Bolzano
Pre-print
12:08
7m
Short-paper
Toward Predicting Architectural Significance of Implementation Issues
Technical Papers
A: Arman Shahbazian University of Southern California, A: Daye Nam University of Southern California, USA, A: Nenad Medvidović University of Southern California
Pre-print
12:15
15m
Other
Discussion phase
Technical Papers