# Lags in the Release, Adoption, and Propagation of npm Vulnerability   Fixes

**Authors:** Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh and, Takashi Ishio, Akinori Ihara, Kenichi Matsumoto

arXiv: 1907.03407 · 2021-06-24

## TL;DR

This paper investigates delays in releasing, adopting, and propagating npm vulnerability fixes, revealing that fixes are often bundled with unrelated commits and that client-side adoption lags depend on various factors.

## Contribution

It provides an empirical analysis of release and adoption lags in npm vulnerabilities, highlighting the complexity and factors influencing fix propagation.

## Key findings

- Up to 85.72% of fixing releases contain unrelated commits.
- Stale clients require extra effort for migration despite quick fixes.
- Factors like branch choice and vulnerability severity affect fix propagation.

## Abstract

Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing release of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package patch landing). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate lags in an ecosystem.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.03407/full.md

## Figures

18 figures with captions in the complete paper: https://tomesphere.com/paper/1907.03407/full.md

## References

57 references — full list in the complete paper: https://tomesphere.com/paper/1907.03407/full.md

---
Source: https://tomesphere.com/paper/1907.03407