Write a Blog >>

Modern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become dependent on a large number of software packages. Consequently, developers are faced with the difficult challenge of maintaining their project dependencies by keeping them up-to-date and free of security vulnerabilities. However, how often are project dependencies used in production where they could pose a threat to their project’s security?

We conduct an empirical study on 100 JavaScript projects using the Node Package Manager (npm) to quantify how often project dependencies are released to production and analyze their characteristics and their impact on security. Our results indicate that most project dependencies are not released to production. In fact, the majority of dependencies declared as runtime dependencies are not used in production, while some development dependencies are used in production, debunking two common assumptions of dependency management. Our analysis reveals that the functionality of a package is not enough to determine if it will be shipped to production or not. Findings also indicate that most security alerts target dependencies not used in production, making them highly unlikely to be a risk for the security of the software. Our study unveils a more complex side of dependency management: not all dependencies are equal. Dependencies used in production are more sensitive to security exposure and should be prioritized. However, current tools lack the appropriate support in identifying production dependencies.

Thu 13 Oct

Displayed time zone: Eastern Time (US & Canada) change

16:00 - 18:00
Technical Session 30 - Builds and DependenciesJournal-first Papers / Research Papers / Tool Demonstrations at Room 128
Chair(s): Christian Kästner Carnegie Mellon University
Research paper
Towards Understanding Third-party Library Dependency in C/C++ Ecosystem
Research Papers
Wei Tang Tsinghua University, Zhengzi Xu Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Wu Jiahui Nanyang Technological University, shouguo yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, Yi Li Nanyang Technological University, Singapore, Ping Luo Tsinghua University, Yang Liu Nanyang Technological University
Snapshot Metrics Are Not Enough: Analyzing Software Repositories with Longitudinal Metrics
Tool Demonstrations
Nicholas Synovic Loyola University Chicago, Matt Hyatt Loyola University Chicago, Rohan Sethi Loyola University Chicago, Sohini Thota Loyola University Chicago, Shilpika University of California at Davis, Allan J. Miller Loyola University Chicago, Wenxin Jiang Purdue University, Emmanuel S. Amobi Loyola University Chicago, Austin Pinderski Duke University, Loyola University Chicago, Konstantin Läufer Loyola University Chicago, Nicholas J. Hayward Loyola University Chicago, Neil Klingensmith Loyola University Chicago, James C. Davis Purdue University, USA, George K. Thiruvathukal Loyola University Chicago and Argonne National Laboratory
Research paper
Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM
Research Papers
Jasmine Latendresse Concordia University, Suhaib Mujahid Mozilla, Diego Costa Concordia University, Canada, Emad Shihab Concordia University
Research paper
Understanding and Predicting Docker Build Duration: An Empirical Study of Containerized Workflow of OSS ProjectsVirtual
Research Papers
Yiwen Wu National University of Defense Technology, Yang Zhang National University of Defense Technology, China, Kele Xu National University of Defense Technology, Tao Wang National University of Defense Technology, Huaimin Wang National University of Defense Technology
CIT-daily: A Combinatorial Interaction Testing-Based Daily Build ProcessVirtual
Journal-first Papers
Hanefi Mercan Sabanci University, Atakan Aytar Sabanci University, Giray Coskun Sabanci University, Dilara Müstecep Sabanci University, Gülsüm Uzer Sabanci University, Cemal Yilmaz Sabancı University
Link to publication DOI
Research paper
Using Consensual Biterms from Text Structures of Requirements and Code to Improve IR-Based Traceability RecoveryVirtual
Research Papers
Hui Gao Nanjing University, Hongyu Kuang Nanjing University, Kexin Sun Nanjing University, Xiaoxing Ma Nanjing University, Alexander Egyed Johannes Kepler University Linz, Patrick Mäder Technische Universität Ilmenau, Guoping Rong Nanjing University, Dong Shao Nanjing University, He Zhang Nanjing University
Pre-print Media Attached