Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web

TL;DR

This paper introduces Aletheia, a novel method for analyzing JavaScript bundle dependencies, revealing update patterns and security implications across popular websites.

Contribution

The paper presents Aletheia, a package-agnostic algorithm that outperforms existing methods in detecting package versions in JavaScript bundles at scale.

Findings

5% - 20% of domains update dependencies within 16 weeks

Bundled packages are updated faster than CDN-included ones

Up to 10 times fewer vulnerable versions are included after updates

Abstract

Reusable software components, typically distributed as packages, are a central paradigm of modern software development. The JavaScript ecosystem serves as a prime example, offering millions of packages with their use being promoted as idiomatic. However, download statistics on npm raise security concerns as they indicate a high popularity of vulnerable package versions while their real prevalence on production websites remains unknown. Package version detection mechanisms fill this gap by extracting utilized packages and versions from observed artifacts on the web. Prior research focuses on mechanisms for either hand-selected popular packages in bundles or for single-file resources utilizing the global namespace. This does not allow for a thorough analysis of modern web applications' dependency update behavior at scale. In this work, we improve upon this by presenting Aletheia, a package-agnostic method which dissects JavaScript bundles to identify package versions through algorithms originating from the field of plagiarism detection. We show that this method clearly outperforms the existing approaches in practical settings. Furthermore, we crawl the Tranco top 100,000 domains to reveal that 5% - 20% of domains update their dependencies within 16 weeks. Surprisingly, from a longitudinal perspective, bundled packages are updated significantly faster than their CDN-included counterparts, with consequently up to 10 times fewer known vulnerable package versions included. Still, we observe indicators that few widespread vendors seem to be a major driving force behind timely updates, implying that quantitative measures are not painting a complete picture.