Systematic literature review of the trust reinforcement mechanisms that exist in package ecosystems
Angel Temelko, Fang Hou, Siamak Farshidi, Slinger Jansen
TL;DR
The paper tackles the problem of ensuring trust in package ecosystems, with a specific focus on npm security tools and the behavior of software engineers toward third-party libraries. It employs a systematic literature review, design science, and interviews to map existing trust reinforcement mechanisms, evaluate their effectiveness, and understand how much attention security receives in package-selection decisions. The study reveals a significant gap: most trust tools operate post-install and offer limited pre-install safeguards, and engineers often prioritize functionality over security, leaving vulnerabilities under-addressed. The findings inform future tool design and policy development, highlighting the need for proactive, pre-install trust assessments to reduce risk in the npm ecosystem and similar software ecosystems (SECOs).
Abstract
We conducted a thorough systematic literature review (SLR) to better grasp the challenges and possible solutions associated with existing npm security tools. Our goal was to examine documented experiences and findings. Specifically, we wanted to learn about the motivations behind choosing third-party packages, software engineers' responses to warning messages, and their overall understanding of security issues. The main aim of this review was to pinpoint prevailing trends, methods, and concerns in trust tools for the present npm environment. Furthermore, we sought to understand the complexities of integrating software ecosystem (SECO) concepts into platforms such as npm. By analyzing earlier studies, we intended to identify overlooked areas and steer our research to address them.
