Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM
Modern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become dependent on a large number of software packages. Consequently, developers are faced with the difficult challenge of maintaining their project dependencies by keeping them up-to-date and free of security vulnerabilities. However, how often are project dependencies used in production where they could pose a threat to their project’s security?
We conduct an empirical study on 100 JavaScript projects using the Node Package Manager (npm) to quantify how often project dependencies are released to production and analyze their characteristics and their impact on security. Our results indicate that most project dependencies are not released to production. In fact, the majority of dependencies declared as runtime dependencies are not used in production, while some development dependencies are used in production, debunking two common assumptions of dependency management. Our analysis reveals that the functionality of a package is not enough to determine if it will be shipped to production or not. Findings also indicate that most security alerts target dependencies not used in production, making them highly unlikely to be a risk for the security of the software. Our study unveils a more complex side of dependency management: not all dependencies are equal. Dependencies used in production are more sensitive to security exposure and should be prioritized. However, current tools lack the appropriate support in identifying production dependencies.
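The abstract's distinction between a dependency that is declared and one that is actually shipped can be made concrete as a reachability question over the module graph: a package counts as a production dependency only if the code the project publishes imports it, directly or transitively. The script below is an added example written for this page, not the paper's tooling or the authors' code. It walks `require`/`import` statements from the `main` entry of a constructed in-memory project and sorts declared packages into the categories the study describes (runtime dependencies that never ship, devDependencies that do ship, plus undeclared packages that are reached). The sample project, the regex-based specifier extraction and the partial list of Node builtins are assumptions for illustration.

```javascript
// Added example, not the paper's tooling: classify declared npm packages by
// whether the production entry point actually reaches them through a static
// import graph. SAMPLE_PROJECT is a constructed in-memory project.
const SAMPLE_PROJECT = {
  'package.json': JSON.stringify({
    main: 'src/index.js',
    dependencies: { express: '^4.18.0', lodash: '^4.17.0', moment: '^2.29.0' },
    devDependencies: { jest: '^29.0.0', debug: '^4.3.0' },
  }),
  'src/index.js': [
    "const express = require('express');",
    "const chalk = require('chalk');", // reached but never declared
    "const { log } = require('./log');",
    "const fs = require('node:fs');", // builtin, not a package
    'module.exports = express();',
  ].join('\n'),
  'src/log.js': [
    "import debug from 'debug';", // devDependency that ships to production
    "export const log = debug('app');",
  ].join('\n'),
  'test/index.test.js': [
    "const _ = require('lodash');", // runtime dependency used only by tests
    "const app = require('../src');",
  ].join('\n'),
};

// Partial list of Node builtins (assumption; a real tool would use
// require('module').builtinModules).
const BUILTINS = new Set(['fs', 'path', 'os', 'crypto', 'http', 'https', 'url',
  'util', 'events', 'stream', 'child_process']);

// Matches require('x'), import ... from 'x' and bare import 'x'.
const SPECIFIER_RE = /(?:\brequire\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"]+)\1/g;

function importSpecifiers(source) {
  return [...source.matchAll(SPECIFIER_RE)].map((m) => m[2]);
}

// '@scope/name/sub' -> '@scope/name', 'name/sub' -> 'name'.
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function isBuiltin(spec) {
  return spec.startsWith('node:') || BUILTINS.has(packageName(spec));
}

function dirname(file) {
  const i = file.lastIndexOf('/');
  return i === -1 ? '' : file.slice(0, i);
}

// Join and normalise a POSIX-style relative path without touching the disk.
function joinPosix(dir, spec) {
  const out = [];
  for (const seg of `${dir}/${spec}`.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return out.join('/');
}

// Resolve './x' against the importing file: exact path, '.js', or directory index.
function resolveLocal(fromFile, spec, files) {
  const base = joinPosix(dirname(fromFile), spec);
  return [base, `${base}.js`, `${base}/index.js`].find((p) => p in files) || null;
}

// Breadth-first walk of the module graph from `entry`, collecting package names.
function reachablePackages(files, entry) {
  const seenFiles = new Set();
  const packages = new Set();
  const queue = [joinPosix('', entry)];
  while (queue.length) {
    const file = queue.shift();
    if (seenFiles.has(file) || !(file in files)) continue;
    seenFiles.add(file);
    for (const spec of importSpecifiers(files[file])) {
      if (spec.startsWith('.') || spec.startsWith('/')) {
        const target = resolveLocal(file, spec, files);
        if (target) queue.push(target);
      } else if (!isBuiltin(spec)) {
        packages.add(packageName(spec));
      }
    }
  }
  return packages;
}

function classifyDependencies(files) {
  const pkg = JSON.parse(files['package.json']);
  const reached = reachablePackages(files, pkg.main || 'index.js');
  const runtime = Object.keys(pkg.dependencies || {});
  const dev = Object.keys(pkg.devDependencies || {});
  const declared = new Set([...runtime, ...dev]);
  return {
    production: runtime.filter((d) => reached.has(d)).sort(),
    unusedRuntime: runtime.filter((d) => !reached.has(d)).sort(),
    shippedDev: dev.filter((d) => reached.has(d)).sort(),
    devOnly: dev.filter((d) => !reached.has(d)).sort(),
    undeclared: [...reached].filter((d) => !declared.has(d)).sort(),
  };
}

console.log(JSON.stringify(classifyDependencies(SAMPLE_PROJECT), null, 2));
```

On the sample project the entry point reaches `express`, `chalk` and, via `src/log.js`, `debug`; `lodash` is a declared runtime dependency that only the test file imports, and `moment` is declared but never imported. A security alert on `lodash` or `moment` therefore concerns code this package does not ship, while an alert on `debug` does, even though it sits under `devDependencies`. A real classifier has to handle what this sketch does not: dynamic `require(variable)`, bundler entry points and `exports` maps other than `main`, TypeScript path aliases, and code that is only executed on some platforms.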
Thu 13 Oct (displayed time zone: Eastern Time (US & Canada))

16:00 - 18:00 | Technical Session 30 - Builds and Dependencies (Journal-first Papers / Research Papers / Tool Demonstrations), Room 128. Chair(s): Christian Kästner (Carnegie Mellon University)

16:00 (20m) Research paper: Towards Understanding Third-party Library Dependency in C/C++ Ecosystem. Wei Tang (Tsinghua University), Zhengzi Xu (Nanyang Technological University), Chengwei Liu (Nanyang Technological University, Singapore), Wu Jiahui (Nanyang Technological University), Shouguo Yang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Yi Li (Nanyang Technological University), Ping Luo (Tsinghua University), Yang Liu (Nanyang Technological University)

16:20 (10m) Demonstration: Snapshot Metrics Are Not Enough: Analyzing Software Repositories with Longitudinal Metrics. Nicholas Synovic (Loyola University Chicago), Matt Hyatt (Loyola University Chicago), Rohan Sethi (Loyola University Chicago), Sohini Thota (Loyola University Chicago), Shilpika (University of California at Davis), Allan J. Miller (Loyola University Chicago), Wenxin Jiang (Purdue University), Emmanuel S. Amobi (Loyola University Chicago), Austin Pinderski (Duke University; Loyola University Chicago), Konstantin Läufer (Loyola University Chicago), Nicholas J. Hayward (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), James C. Davis (Purdue University, USA), George K. Thiruvathukal (Loyola University Chicago and Argonne National Laboratory)

16:30 (20m) Research paper: Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM. Jasmine Latendresse (Concordia University), Suhaib Mujahid (Mozilla), Diego Costa (Concordia University, Canada), Emad Shihab (Concordia University)

16:50 (20m) Research paper (virtual): Understanding and Predicting Docker Build Duration: An Empirical Study of Containerized Workflow of OSS Projects. Yiwen Wu (National University of Defense Technology), Yang Zhang (National University of Defense Technology, China), Kele Xu (National University of Defense Technology), Tao Wang (National University of Defense Technology), Huaimin Wang (National University of Defense Technology)

17:10 (20m) Journal-first paper (virtual): CIT-daily: A Combinatorial Interaction Testing-Based Daily Build Process. Hanefi Mercan (Sabanci University), Atakan Aytar (Sabanci University), Giray Coskun (Sabanci University), Dilara Müstecep (Sabanci University), Gülsüm Uzer (Sabanci University), Cemal Yilmaz (Sabancı University)

17:30 (20m) Research paper (virtual): Using Consensual Biterms from Text Structures of Requirements and Code to Improve IR-Based Traceability Recovery. Hui Gao (Nanjing University), Hongyu Kuang (Nanjing University), Kexin Sun (Nanjing University), Xiaoxing Ma (Nanjing University), Alexander Egyed (Johannes Kepler University Linz), Patrick Mäder (Technische Universität Ilmenau), Guoping Rong (Nanjing University), Dong Shao (Nanjing University), He Zhang (Nanjing University)