(Master Thesis) A study on the spread of vulnerability fixes within the npm JavaScript ecosystem


Vulnerabilities in libraries have recently become a major concern for developers because of their impact on many packages in the ecosystem. Recent studies show that developers do not update to vulnerability fixes. This behavior leaves the ecosystem at risk of attack. From this problem, we derive three hypotheses: (1) how vulnerability fixes are packaged affects the speed at which the vulnerability patch is released and spreads through the ecosystem, (2) using the supported branch of a library is less likely to be targeted by vulnerabilities than using the latest branch, and (3) proximity, severity, and branch influence the spread of vulnerability fixes. In this thesis, to test our hypotheses, we perform an empirical study to investigate the factors that impact the speed and spread of vulnerability fixes. We choose 10 vulnerabilities that have references to a GitHub pull request or issue page. We manually investigate how developers create the fix for each vulnerability and how they package it for the new release. We then analyze the targeted branch of the vulnerability fixes for 188 fixed vulnerabilities. Finally, we analyze the factors that influence the spread of vulnerability fixes into the dependency network using 188 fixed vulnerabilities with 88,222 releases of npm packages. We find that (1) vulnerability fixes are repackaged with other updates (4.46% of commits in the release are related to the fix), (2) vulnerability fixes do not target the supported branch because most of them target every branch, and (3) the factors influence the spread of the fix. Based on our results, we suggest that (1) developers should not repackage the fix with other updates, (2) developers should update their dependencies despite choosing the supported branch, and (3) developers should be aware of and quickly apply their dependencies’ fixes.
For future work, we would like to study further why developers repackage the fix, and more factors that influence the spread in the dependency network, in order to mitigate the risk of attack in the ecosystem.

Nara Institute of Science and Technology (NAIST)