
See to Believe: Using Visualization To Motivate Updating Third-party Dependencies

Chaiyong Ragkhitwetsagul, Vipawan Jarukitpipat, Raula Gaikovina Kula, Morakot Choetkiertikul, Klinton Chhun, Wachirayana Wanprasert, Thanwadee Sunetnanta

TL;DR

The paper addresses the challenge of updating vulnerable third-party dependencies in npm ecosystems, where vulnerabilities may be indirect through transitive dependencies. It introduces V-Achilles, a Dependency Graph Visualization (DGV) tool, and evaluates whether visualizing dependency graphs motivates developers to re-prioritize updates more effectively than traditional tools like Dependabot and npm audit. Through a 20-participant user study across two tasks (complex graphs and transitive vulnerabilities), the authors show that the DGV approach prompts more frequent re-prioritization (7/10 in both tasks) compared to the baselines (3/10 and 6/10, respectively), with qualitative feedback highlighting the role of graph complexity and transitivity. The results suggest that integrating dependency graph visualization into tooling can meaningfully influence security-update decisions and reduce lag in vulnerability remediation, with data and materials made publicly available for replication.

Abstract

Security vulnerabilities introduced by applications using third-party dependencies are on the increase, caused by the emergence of large ecosystems of libraries such as the NPM packages for JavaScript. Nowadays, libraries depend on each other. Relying on these large ecosystems thus means that vulnerable dependencies are not only direct but also indirect (transitive) dependencies. There is automated tool support to manage these complex dependencies, but recent work still shows that developers are wary of library updates, even to fix vulnerabilities, citing being unaware, or that the migration effort to update outweighs the decision. In this paper, we hypothesize that the dependency graph visualization (DGV) approach will motivate developers to update, especially when convincing developers. To test this hypothesis, we performed a user study involving 20 participants divided equally into experimental and control groups, comparing the state-of-the-art tools with the tasks of reviewing vulnerabilities with complexities and vulnerabilities with indirect dependencies. We find that 70% of the participants who saw the visualization did re-prioritize their updates in both tasks. This is higher than the 30% and 60% of the participants who used the npm audit tool in both tasks, respectively.

Paper Structure (17 sections, 7 figures, 3 tables)

Figures (7)

  • Figure 1: Dependabot Alerts
  • Figure 2: npm audit report
  • Figure 3: Dependency graph visualization with vulnerability information of V-Achilles Jarukitpipat2022
  • Figure 4: Dependency graph visualization of Task 1
  • Figure 5: Dependency graph visualization of Task 2
  • ...and 2 more figures