
Characterising Contributions that Coincide with Vulnerability Mitigation in NPM Libraries

Ruksit Rojpaisarnkit, Hathaichanok Damrongsiri, Christoph Treude, Ali Ouni, Raula Gaikovina Kula

TL;DR

The paper investigates how coinciding PRs and Issues influence vulnerability mitigation in the NPM ecosystem, addressing persistent update delays and workload during fixes. It uses a mixed-method empirical study of 554 advisories affecting 348 repositories, yielding 2,159 coinciding PRs and 2,547 coinciding issues, and conducts qualitative sampling to understand types, timing, and vulnerability relatedness. Key findings show that most coinciding changes are non-vulnerability-related (with 37.99% of coinciding PRs and 20.18% of coinciding issues sharing maintainers with the vulnerability fix) and that practitioners spend substantial mitigation time on these contributions (average 45.89%), highlighting a need for workload management and better information access. The authors propose tool support and information-recommendation approaches to help developers prioritize and coordinate mitigation efforts, aiming to reduce delays and improve the security posture of OSS dependencies.

Abstract

With the urgent need to secure supply chains among Open Source libraries, attention has focused on mitigating vulnerabilities detected in these libraries. Although awareness has improved recently, most studies still report delays in the mitigation process. This suggests that developers still have to deal with other contributions that occur during the period of fixing vulnerabilities, such as coinciding Pull Requests (PRs) and Issues, yet the impact of these contributions remains unclear. To characterize these contributions, we conducted a mixed-method empirical study to analyze NPM GitHub projects affected by 554 different vulnerability advisories, mining a total of 4,699 coinciding PRs and Issues. We believe that tool development and improved workload management for developers have the potential to create a more efficient and effective vulnerability mitigation process.
