A dataset on vulnerabilities affecting dependencies in software package managers
A. Germán Márquez, Ángel Jesús Varela-Vaca, María Teresa Gómez López

TL;DR
This paper introduces a dataset mapping vulnerabilities in dependencies across major software package managers to help improve software supply chain security.
Contribution
The paper provides a comprehensive, structured dataset of vulnerabilities in dependencies for NPM, PyPI, Cargo, and RubyGems.
Findings
6.93% of NPM versions rely on at least one vulnerable dependency, the highest among the package managers studied.
The dataset includes 270,430 known vulnerabilities linked to package versions, enabling detailed security risk analysis.
NPM has 14,858 latest versions affected by vulnerabilities, significantly more than the other package managers.
Abstract
The increasing reliance on third-party dependencies in software development introduces significant security risk challenges. This study presents a dataset that maps the vulnerabilities that affect dependencies in four major package managers: Node Package Manager (NPM), Python Package Index (PyPI), Cargo Crates and RubyGems. The dataset comprises information on 4,437,679 unique packages and 60,950,846 versions of packages, with vulnerability data sourced from Open Source Vulnerabilities (OSV). It includes 270,430 known vulnerabilities linked to package versions, allowing a detailed analysis of security risks in software supply chains. Our methodology involved extracting dependency and version data from official package manager sources, correlating them with vulnerability reports, and storing the results in structured formats, including CSV and database dumps. The resultant dataset…
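The correlation step the abstract describes (matching package versions against OSV vulnerability reports, then asking which versions depend on a vulnerable version) is easy to get wrong at the range-evaluation stage. The following is an added example written for this page, not the authors' pipeline or the dataset's own code. It assumes OSV-shaped records with SEMVER ranges, a simplified dotted-integer version comparison (real semver and PEP 440 have pre-release and build-metadata rules this ignores), and that each package version pins its dependencies to exact versions. Every package name, version and vulnerability ID below is constructed for illustration; none is a real advisory.

```python
"""Added example: correlating package versions with OSV-style vulnerability ranges.

Illustrative code for this page, not the dataset authors' pipeline. Assumptions:
OSV records with SEMVER ranges, simplified dotted-integer version ordering, and
dependencies pinned to exact versions. All records and IDs are constructed.
"""
import csv
import io

# Constructed OSV-shaped records (IDs are placeholders, not real advisories).
OSV_RECORDS = [
    {"id": "EXAMPLE-0001",
     "affected": [{"package": {"ecosystem": "npm", "name": "left-padding"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}]}]},
    {"id": "EXAMPLE-0002",
     "affected": [{"package": {"ecosystem": "npm", "name": "left-padding"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.3"}]}]}]},
]

# Constructed inventory: (ecosystem, package, version) -> exact pinned dependencies.
PACKAGE_VERSIONS = {
    ("npm", "left-padding", "1.1.9"): {},
    ("npm", "left-padding", "1.2.0"): {},
    ("npm", "left-padding", "2.0.3"): {},
    ("npm", "left-padding", "2.1.0"): {},
    ("npm", "web-app", "0.1.0"): {"left-padding": "1.1.9"},
    ("npm", "web-app", "0.2.0"): {"left-padding": "1.2.0"},
    ("npm", "web-app", "0.3.0"): {"left-padding": "2.0.3"},
    ("npm", "web-app", "0.4.0"): {"left-padding": "2.1.0"},
}


def parse_version(v):
    """Simplified version key: dotted integers only (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def _at_least(v, introduced):
    # OSV uses the literal "0" to mean "from the first version ever published".
    return introduced == "0" or v >= parse_version(introduced)


def in_range(version, events):
    """Evaluate an OSV SEMVER event list. Each 'introduced' opens an interval that a
    following 'fixed' (exclusive) or 'last_affected' (inclusive) closes; an
    'introduced' with no closing event is open-ended."""
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event or "last_affected" in event:
            if start is not None and _at_least(v, start):
                if "fixed" in event and v < parse_version(event["fixed"]):
                    return True
                if "last_affected" in event and v <= parse_version(event["last_affected"]):
                    return True
            start = None
    return start is not None and _at_least(v, start)


def direct_vulns(ecosystem, name, version):
    """IDs of records whose SEMVER ranges cover this exact package version."""
    ids = []
    for rec in OSV_RECORDS:
        for aff in rec["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if any(r["type"] == "SEMVER" and in_range(version, r["events"]) for r in aff["ranges"]):
                ids.append(rec["id"])
    return ids


def vulnerable_dependencies(ecosystem, name, version):
    """Map (dep_name, dep_version) -> vulnerability IDs for each vulnerable pinned dependency."""
    out = {}
    for dep_name, dep_version in PACKAGE_VERSIONS[(ecosystem, name, version)].items():
        ids = direct_vulns(ecosystem, dep_name, dep_version)
        if ids:
            out[(dep_name, dep_version)] = ids
    return out


def share_with_vulnerable_dependency(ecosystem):
    """Fraction of versions in one ecosystem that rely on at least one vulnerable dependency."""
    keys = [k for k in PACKAGE_VERSIONS if k[0] == ecosystem]
    hits = sum(1 for k in keys if vulnerable_dependencies(*k))
    return hits / len(keys)


def to_csv():
    """Flatten the correlation into the kind of CSV row the dataset distributes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ecosystem", "package", "version", "direct_vulns", "vulnerable_dependencies"])
    for eco, name, ver in sorted(PACKAGE_VERSIONS):
        direct = ";".join(direct_vulns(eco, name, ver))
        deps = ";".join(f"{d}@{dv}:{','.join(ids)}"
                        for (d, dv), ids in sorted(vulnerable_dependencies(eco, name, ver).items()))
        writer.writerow([eco, name, ver, direct, deps])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv())
    print(f"npm versions with >=1 vulnerable dependency: {share_with_vulnerable_dependency('npm'):.2%}")
```

Two caveats a practitioner should carry over to the real dataset: the percentage depends entirely on how declared dependency ranges (for example an npm caret range) were resolved to concrete versions, so check the dataset documentation for that rule before comparing against the 6.93% NPM figure; and `last_affected` and `fixed` have different inclusivity, so a range evaluator that treats them the same will over- or under-count.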
Figure 1
Figure 2
Figure 3
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Information and Cyber Security
