On The Lag of Library Vulnerability Updates: An Investigation into the Repackage and Delivery of Security Fixes Within The npm JavaScript Ecosystem
Vulnerabilities in third-party libraries is a growing concern for the software developer, as it poses risks not only to the software client itself but to the entire software ecosystem. To mitigate these risks, developers are strongly recommended to update their dependencies. Recent studies show that affected developers are not likely to respond to the vulnerability threat. However, another reason for the lag of vulnerability updates is due to slow repackaging (i.e., package the vulnerability fix into a new version) and delivery (i.e., affected client adopt the new version) of the fix. To understand these lags of updates, we use both qualitative and quantitative approaches to conduct an empirical study on how 188 fixes were repackaged and delivered across over eight hundred thousand releases of npm software clients hosted on GitHub. We report two lags: (1) lags in repackaging occur as vulnerability fixes are more likely to be bundled with other non-related updates (i.e., about 83.33% of commits are not related to the fix) and (2) lags in the delivery are caused by clients that are more likely to adopt the minor fix than adopt the patch fix. Furthermore, other factors such as downstream dependencies and severity do have an impact. We also find that freshness of packages does not impact the amount of lags. The identification of these two lags opens up different avenues on how to facilitate faster fix delivery throughout a library ecosystem.
READ FULL TEXT