On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks
The increasing interest in open source software has led to the emergence of large package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to security vulnerabilities that may expose dependent packages through explicitly declared dependencies. This article empirically studies security vulnerabilities affecting npm and RubyGems packages. We analyse how and when these vulnerabilities are discovered and fixed, and how their prevalence changes over time. We also analyse how vulnerable packages expose their direct and indirect dependents to vulnerabilities. We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects. Compared to RubyGems, we observe that the number of vulnerabilities is increasing faster in npm, but vulnerabilities are also discovered faster in npm. For both package distributions, the time required to discover vulnerabilities is increasing, but npm is improving the time needed to fix vulnerabilities. A large proportion of external GitHub projects are exposed to vulnerabilities coming from direct or indirect dependencies. Around one out of three direct vulnerable dependencies to which projects or packages are exposed could be avoided if software developers updated their dependencies to more recent releases within the same major release range.
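The final finding, that a share of vulnerable direct dependencies could be avoided by a backward-compatible update, can be checked mechanically for a given project. The following is an added example (not code from the article or its dataset) that classifies each direct dependency as safe, avoidable within the same major version, or unavoidable; it assumes plain `major.minor.patch` versions and a constructed release and advisory list, and does not reproduce the paper's exact definition of a release range.

```python
# Added example: classify vulnerable direct dependencies by whether a non-vulnerable
# release exists within the same major version (semantic-versioning style).
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple (simplified semver)."""
    major, minor, patch = (int(part) for part in v.split("."))
    return (major, minor, patch)


def fix_within_same_major(installed: str, releases: Iterable[str],
                          vulnerable: Iterable[str]) -> Optional[str]:
    """Earliest release newer than `installed`, with the same major number, that is
    not listed as vulnerable; None if updating would require a major bump."""
    cur = parse(installed)
    bad = {parse(v) for v in vulnerable}
    candidates = sorted(
        r for r in (parse(x) for x in releases)
        if r[0] == cur[0] and r > cur and r not in bad
    )
    return ".".join(map(str, candidates[0])) if candidates else None


def classify_dependencies(deps: List[Tuple[str, str]],
                          releases_by_pkg: Dict[str, List[str]],
                          vulnerable_by_pkg: Dict[str, List[str]]) -> Dict[str, str]:
    """Label each (package, installed version) as 'safe', 'avoidable' or 'unavoidable'."""
    result = {}
    for pkg, installed in deps:
        bad = {parse(v) for v in vulnerable_by_pkg.get(pkg, [])}
        if parse(installed) not in bad:
            result[pkg] = "safe"
        elif fix_within_same_major(installed, releases_by_pkg[pkg], vulnerable_by_pkg[pkg]):
            result[pkg] = "avoidable"
        else:
            result[pkg] = "unavoidable"
    return result


# Constructed sample data (hypothetical package names, releases and advisories).
RELEASES = {"pkg-a": ["1.0.0", "1.0.1", "1.1.0", "2.0.0"],
            "pkg-b": ["3.2.0", "3.2.1", "4.0.0"],
            "pkg-c": ["0.9.0", "0.9.1"]}
VULNERABLE = {"pkg-a": ["1.0.0", "1.0.1"], "pkg-b": ["3.2.0", "3.2.1"]}
DEPS = [("pkg-a", "1.0.0"), ("pkg-b", "3.2.1"), ("pkg-c", "0.9.1")]

if __name__ == "__main__":
    print(classify_dependencies(DEPS, RELEASES, VULNERABLE))
```

Here `pkg-a` is avoidable because 1.1.0 is a non-vulnerable release in the same major range, while `pkg-b` can only be fixed by moving to 4.0.0.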