Search papers, labs, and topics across Lattice.
This paper introduces a predecessor-aware release-authority record that evaluates package releases by comparing them to their immediate predecessors across various factors, such as publisher and signing evidence. The study analyzes a dataset of over 45,000 releases from multiple package ecosystems, identifying 204 policy-triggering discontinuities in public release paths. The findings reveal that specific semantic-distance and regime-specific rules can effectively flag releases for review, highlighting the importance of monitoring public release paths for security vulnerabilities in software dependencies.
A novel approach to measuring release authority reveals critical vulnerabilities in public release paths, with 204 discontinuities identified across major package ecosystems.
Dependency graphs show where released code can flow, while leaving implicit whether the public path used to publish a release changed. We introduce a predecessor-aware release-authority record that compares each package release with its immediate predecessor across publisher, repository, workflow, provenance, signing, and mediation evidence. We instantiate the record over a purposefully sampled, audited April 2024--June 2026 cohort from npm, PyPI, Maven Central, crates.io, and RubyGems: 45,812 releases, 43,100 eligible predecessor comparisons, and 942 package coordinates. Go is reported separately as a VCS/proxy/checksum-log boundary adapter. Transparent rules identify 204 policy-triggering public release-path discontinuities. The exact trigger policy is the primary candidate queue. A uniform semantic-distance rule selects 320 releases and covers 190/204 triggers; a descriptive regime-specific rule selects 337 releases and covers all 204. In a blinded 60-row shared core, three practitioners rated 20/30 triggers as immediate review, 9/30 as monitoring, 1/30 as no review, and all 30 controls as no review. These signals are review cues over public release-path evidence. Exact malicious versions in our external alignment have zero overlap with the policy triggers. Same-path compromise, unchanged compromised CI, and versions absent from public snapshots require separate evidence beyond this release-path record.