Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem

Chayanid Termphaiboon, Raula Gaikovina Kula, Youmei Fan, Morakot Choetkiertikul, Chaiyong Ragkhitwetsagul, Thanwadee Sunetnanta, Kenichi Matsumoto

TL;DR

<3-5 sentences high-level summary> The paper investigates whether adopting a SECURITY.md security policy influences how PyPI projects manage dependencies. Using a dataset of 211 projects with a policy and 249 without, it analyzes dependency trees via pipdeptree/pipforester and tracks dependency-file changes with PyDriller, applying nonparametric statistics. Key findings show that policy-bearing projects have more direct dependencies, while depth and transitive dependencies are similar, and that later adopters exhibit higher rates of dependency-file commits, particularly in setup.py and pyproject.toml. The work highlights security policy signals as indicators of proactive maintenance and provides actionable guidance for tooling and future cross-ecosystem studies.

Abstract

Security policies, such as SECURITY.md files, are now common in open-source projects. They help guide responsible vulnerability reporting and build trust among users and contributors. Despite their growing use, it is still unclear how these policies influence the structure and evolution of software dependencies. Software dependencies are external packages or libraries that a project relies on, and their interconnected nature affects both functionality and security. This study explores the relationship between security policies and dependency management in PyPI projects. We analyzed projects with and without a SECURITY.md file by examining their dependency trees and tracking how dependencies change over time. The analysis shows that projects with a security policy tend to rely on a broader set of direct dependencies, while overall depth and transitive dependencies remain similar. Historically, projects created after the introduction of SECURITY.md, particularly later adopters, show more frequent dependency updates. These results suggest that security policies are linked to more modular and feature-rich projects, and highlight the role of SECURITY.md in promoting proactive dependency management and reducing risks in the software supply chain.

Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem

TL;DR

<3-5 sentences high-level summary> The paper investigates whether adopting a SECURITY.md security policy influences how PyPI projects manage dependencies. Using a dataset of 211 projects with a policy and 249 without, it analyzes dependency trees via pipdeptree/pipforester and tracks dependency-file changes with PyDriller, applying nonparametric statistics. Key findings show that policy-bearing projects have more direct dependencies, while depth and transitive dependencies are similar, and that later adopters exhibit higher rates of dependency-file commits, particularly in setup.py and pyproject.toml. The work highlights security policy signals as indicators of proactive maintenance and provides actionable guidance for tooling and future cross-ecosystem studies.

Abstract

Security policies, such as SECURITY.md files, are now common in open-source projects. They help guide responsible vulnerability reporting and build trust among users and contributors. Despite their growing use, it is still unclear how these policies influence the structure and evolution of software dependencies. Software dependencies are external packages or libraries that a project relies on, and their interconnected nature affects both functionality and security. This study explores the relationship between security policies and dependency management in PyPI projects. We analyzed projects with and without a SECURITY.md file by examining their dependency trees and tracking how dependencies change over time. The analysis shows that projects with a security policy tend to rely on a broader set of direct dependencies, while overall depth and transitive dependencies remain similar. Historically, projects created after the introduction of SECURITY.md, particularly later adopters, show more frequent dependency updates. These results suggest that security policies are linked to more modular and feature-rich projects, and highlight the role of SECURITY.md in promoting proactive dependency management and reducing risks in the software supply chain.

Paper Structure

This paper contains 15 sections, 5 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Security Policies in Open-Source Ecosystems
  4. Software Dependencies Supply Chain in Open-Source Projects
  5. Related Works
  6. Methodology
  7. Overview
  8. Data Collection
  9. Data Pre-Processing and Data Extraction
  10. Data Analysis
  11. Study Result
  12. RQ1: How Do The Dependency Trees Differ Between Projects With And Without A Security Policy?
  13. RQ2: Do Projects With a Security Policy Have More Dependencies Over Time?
  14. Discussion and Implications
  15. Conclusion

Figures (5)

  • Figure 1: An example of a software dependency supply chain, showing both dependencies and dependents
  • Figure 2: Overview of the research methodology
  • Figure 3: Distribution of dependency metrics in projects with and without a security policy
  • Figure 4: Distribution and timeline of project creation and SECURITY.md adoption in projects with a security policy, categorized into Pre- and Post-SECURITY.md eras
  • Figure 5: Timeline of SECURITY.md Adoption Relative to Initial Commit in Pre- and Post-SECURITY.md Projects