See to Believe: Using Visualization To Motivate Updating Third-party Dependencies
Chaiyong Ragkhitwetsagul, Vipawan Jarukitpipat, Raula Gaikovina Kula, Morakot Choetkiertikul, Klinton Chhun, Wachirayana Wanprasert, Thanwadee Sunetnanta

TL;DR
This study investigates whether visualizing dependency graphs can motivate developers to update vulnerable third-party libraries, showing that visualizations significantly increase update prioritization compared to traditional tools.
Contribution
The paper introduces a visualization approach for dependency graphs and empirically evaluates its effectiveness in motivating updates among developers.
Findings
70% of participants with visualization re-prioritized updates
Visualization outperformed npm audit tool in motivating updates
Visualizations increased update prioritization in complex dependency scenarios
Abstract
Security vulnerabilities introduced by applications using third-party dependencies are on the increase, caused by the emergence of large ecosystems of libraries such as the NPM packages for JavaScript. Nowadays, libraries depend on each other. Relying on these large ecosystems thus means that vulnerable dependencies are not only direct but also indirect (transitive) dependencies. Automated tool support exists to manage these complex dependencies, but recent work still shows that developers are wary of library updates, even to fix vulnerabilities, citing that they are unaware of them, or that the migration effort to update outweighs the decision. In this paper, we hypothesize that the dependency graph visualization (DGV) approach will motivate developers to update, especially when convincing developers. To test this hypothesis, we performed a user study involving 20 participants divided…
Taxonomy
Topics: Online Learning and Analytics · Data Visualization and Analytics
