Search papers, labs, and topics across Lattice.
This study analyzes vulnerability propagation within JavaScript dependency networks by examining 1,515 reported vulnerabilities across over a million npm packages. The research reveals that a small subset of vulnerable packages disproportionately contributes to the overall vulnerability landscape, with 21.60% of packages containing at least one known vulnerability, predominantly of high severity. Additionally, it highlights the lengthy average time to fix vulnerabilities, emphasizing the need for improved mitigation strategies in software development practices.
A small number of vulnerable packages are responsible for over 21% of all vulnerabilities in JavaScript, highlighting a critical risk in dependency management.
Understanding vulnerability propagation is essential for assessing how vulnerabilities spread across components of a software package. This supports more accurate impact analysis and enhances threat detection and mitigation. In this paper, we investigate how a small number of vulnerable JavaScript packages contribute to the creation of a disproportionately large number of vulnerable packages. This paper presents insights from 1,515 reported vulnerabilities gathered from a custom-built vulnerability database containing 1,077,946 JavaScript packages sourced from `npm-follower' and their associated dependency networks. Dependency networks were constructed using the deps.dev API, with vulnerabilities identified by parsing package names and version numbers through the Google Open Source Vulnerability API. Our findings reveal that 61.30% (660,748) of packages are reliant on one or more dependency packages, and 21.60% (232,836) of total packages have at least one known vulnerability throughout their dependency networks -- of which most (42%) are of High severity. We also found that it takes, on average, approximately 4 years and 11 months to fix a vulnerable package from when the first vulnerable version is published on npm -- although publication times of vulnerabilities occur approximately 19 days after a fix is available. Finally, we observe a high concentration of frequently present vulnerabilities throughout dependency networks, with the top-7 most frequent vulnerabilities accounting for 25% of vulnerability cases and the top-23 most frequent accounting for 50%. Based on these findings, we propose recommendations for developers and package managers to mitigate the threat and occurrence of vulnerabilities within the npm dependency network and the broader software repository community.