DI-UMONS : Dépôt institutionnel de l’université de Mons

Recherche transversale
(titres de publication, de périodique et noms de colloque inclus)
2018-05-28 - Colloque/Article dans les actes avec comité de lecture - Anglais - 11 page(s)

Decan Alexandre , Mens Tom , Constantinou Eleni , "On the impact of security vulnerabilities in the npm package dependency network" in IEEE Working Conference on Mining Software Repositories, Gothenburg, Sweden, 2018

  • Codes CREF : Informatique mathématique (DI1160)
  • Unités de recherche UMONS : Génie Logiciel (S852)
  • Instituts UMONS : Institut de Recherche sur les Systèmes Complexes (Complexys)
Texte intégral :

Abstract(s) :

(Anglais) Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network containing over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to which extent they affect other packages in the packaging ecosystem in presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues.

Identifiants :
  • DOI : 10.1145/3196398.3196401