Characterising Contributions that Coincide with Vulnerability Mitigation in NPM Libraries
Ruksit Rojpaisarnkit, Hathaichanok Damrongsiri, Christoph Treude, Ali Ouni, Raula Gaikovina Kula

TL;DR
This study analyzes how concurrent contributions like PRs and Issues impact vulnerability mitigation in NPM libraries, highlighting the need for better tools and workload management to improve security response times.
Contribution
It provides an empirical characterization of coinciding contributions during vulnerability fixes in NPM projects, offering insights for enhancing mitigation processes.
Findings
Identified 4,699 coinciding PRs and Issues across 554 vulnerabilities
Most contributions occur during the vulnerability fixing period
Tool development and workload management can improve mitigation efficiency
Abstract
With the urgent need to secure supply chains among Open Source libraries, attention has focused on mitigating vulnerabilities detected in these libraries. Although awareness has improved recently, most studies still report delays in the mitigation process. This suggests that developers still have to deal with other contributions that occur during the period of fixing vulnerabilities, such as coinciding Pull Requests (PRs) and Issues, yet the impact of these contributions remains unclear. To characterize these contributions, we conducted a mixed-method empirical study to analyze NPM GitHub projects affected by 554 different vulnerability advisories, mining a total of 4,699 coinciding PRs and Issues. We believe that tool development and improved workload management for developers have the potential to create a more efficient and effective vulnerability mitigation process.
Taxonomy
Topics: Cloud Data Security Solutions
