Original Sin of npm: A Study on Vulnerability Propagation in JavaScript Dependency Networks

TL;DR

This study analyzes how a small number of vulnerable npm packages lead to widespread vulnerabilities across JavaScript dependency networks, highlighting propagation patterns and mitigation strategies.

Contribution

It provides a comprehensive analysis of vulnerability propagation in npm, revealing the concentration of vulnerabilities and proposing mitigation recommendations.

Findings

61.30% of packages depend on others, facilitating vulnerability spread.

21.60% of packages have at least one known vulnerability.

Top 7 vulnerabilities account for 25% of cases.

Abstract

Understanding vulnerability propagation is essential for assessing how vulnerabilities spread across components of a software package. This supports more accurate impact analysis and enhances threat detection and mitigation. In this paper, we investigate how a small number of vulnerable JavaScript packages contribute to the creation of a disproportionately large number of vulnerable packages. This paper presents insights from 1,515 reported vulnerabilities gathered from a custom-built vulnerability database containing 1,077,946 JavaScript packages sourced from `npm-follower' and their associated dependency networks. Dependency networks were constructed using the deps.dev API, with vulnerabilities identified by parsing package names and version numbers through the Google Open Source Vulnerability API. Our findings reveal that 61.30% (660,748) of packages are reliant on one or more dependency packages, and 21.60% (232,836) of total packages have at least one known vulnerability throughout their dependency networks -- of which most (42%) are of High severity. We also found that it takes, on average, approximately 4 years and 11 months to fix a vulnerable package from when the first vulnerable version is published on npm -- although publication times of vulnerabilities occur approximately 19 days after a fix is available. Finally, we observe a high concentration of frequently present vulnerabilities throughout dependency networks, with the top-7 most frequent vulnerabilities accounting for 25% of vulnerability cases and the top-23 most frequent accounting for 50%. Based on these findings, we propose recommendations for developers and package managers to mitigate the threat and occurrence of vulnerabilities within the npm dependency network and the broader software repository community.