{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,8]],"date-time":"2026-02-08T01:13:45Z","timestamp":1770513225703,"version":"3.49.0"},"reference-count":54,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2022,5,30]],"date-time":"2022-05-30T00:00:00Z","timestamp":1653868800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,5,30]],"date-time":"2022-05-30T00:00:00Z","timestamp":1653868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100002661","name":"fonds de la recherche scientifique - fnrs","doi-asserted-by":"publisher","award":["J015120"],"award-info":[{"award-number":["J015120"]}],"id":[{"id":"10.13039\/501100002661","id-type":"DOI","asserted-by":"publisher"}]},{"name":"fwo-vlaanderen","award":["30446992"],"award-info":[{"award-number":["30446992"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2022,9]]},"DOI":"10.1007\/s10664-022-10154-1","type":"journal-article","created":{"date-parts":[[2022,5,30]],"date-time":"2022-05-30T09:03:03Z","timestamp":1653901383000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":50,"title":["On the impact of security vulnerabilities in the npm and RubyGems dependency networks"],"prefix":"10.1007","volume":"27","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2676-3730","authenticated-orcid":false,"given":"Ahmed","family":"Zerouali","sequence":"first","affiliation":[]},{"given":"Tom","family":"Mens","sequence":"additional","affiliation":[]},{"given":"Alexandre","family":"Decan","sequence":"additional","affiliation":[]},{"given":"Coen","family":"De 
Roover","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,5,30]]},"reference":[{"issue":"2","key":"10154_CR1","first-page":"119","volume":"52","author":"A Agresti","year":"1998","unstructured":"Agresti A, Coull BA (1998) Approximate is better than \u201cexact\u201d for interval estimation of binomial proportions. The American Statistician 52 (2):119\u2013126","journal-title":"The American Statistician"},{"key":"10154_CR2","doi-asserted-by":"crossref","unstructured":"Alexopoulos N, Meneely A, Arnouts D, M\u00fchlh\u00e4user M. (2021) Who are vulnerability reporters? a large-scale empirical study on floss. In: Proceedings of the 15th ACM\/IEEE international symposium on empirical software engineering and measurement (ESEM), pp 1\u201312","DOI":"10.1145\/3475716.3475783"},{"key":"10154_CR3","doi-asserted-by":"crossref","unstructured":"Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in Python packages. In: International conference on software analysis, evolution and reengineering. IEEE","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"10154_CR4","doi-asserted-by":"crossref","unstructured":"Aranovich R, Wu M, Yu D, Katsy K, Ahmadnia K, Bishop M, Filkov V, Sagae K (2021) Beyond nvd: Cybersecurity meets the semantic web","DOI":"10.1145\/3498891.3501259"},{"key":"10154_CR5","unstructured":"Birsan A (2021) Dependency confusion: How I hacked into Apple, Microsoft and dozens of other companies. https:\/\/medium.com\/@alex.birsan\/dependency-confusion-4a5d60fec610. Accessed 7 May 2021"},{"key":"10154_CR6","doi-asserted-by":"crossref","unstructured":"Bogart C, K\u00e4stner C., Herbsleb J, Thung F (2016) How to break an API: Cost negotiation and community values in three software ecosystems. In: Int\u2019l Symp foundations of software engineering (FSE). 
ACM, pp 109\u2013120","DOI":"10.1145\/2950290.2950325"},{"key":"10154_CR7","doi-asserted-by":"crossref","unstructured":"Bogart C, K\u00e4stner C, Herbsleb J, Thung F (2021) When and how to make breaking changes: Policies and practices in 18 open source software ecosystems. ACM Trans. Softw. Eng. Methodol., 30(4)","DOI":"10.1145\/3447245"},{"key":"10154_CR8","doi-asserted-by":"crossref","unstructured":"Chinthanet B, Ponta SE, Plate H, Sabetta A, Kula RG, Ishio T, Matsumoto K (2020) Code-based vulnerability detection in Node.js applications: How far are we? In: International conference on automated software engineering (ASE). IEEE, pp 1199\u20131203","DOI":"10.1145\/3324884.3421838"},{"key":"10154_CR9","doi-asserted-by":"crossref","unstructured":"Cox J, Bouwers E, Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: International conference on software engineering. IEEE Press, pp 109\u2013118","DOI":"10.1109\/ICSE.2015.140"},{"key":"10154_CR10","doi-asserted-by":"crossref","unstructured":"Cox J, Bouwers E, van Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: International Conference on Software Engineering, pp 109\u2013118","DOI":"10.1109\/ICSE.2015.140"},{"issue":"10","key":"10154_CR11","doi-asserted-by":"publisher","first-page":"945","DOI":"10.1109\/TSE.2018.2816033","volume":"45","author":"S Dashevskyi","year":"2018","unstructured":"Dashevskyi S, Brucker AD, Massacci F (2018) A screening test for disclosed vulnerabilities in FOSS components. IEEE Trans Softw Eng 45(10):945\u2013966","journal-title":"IEEE Trans Softw Eng"},{"key":"10154_CR12","unstructured":"Decan A, Mens T (2019) What do package dependencies tell us about semantic versioning? IEEE Transactions on Software Engineering"},{"key":"10154_CR13","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Claes M (2017) An empirical comparison of dependency issues in OSS packaging ecosystems. 
In: International conference on software analysis, evolution and reengineering. IEEE, pp 2\u201312","DOI":"10.1109\/SANER.2017.7884604"},{"key":"10154_CR14","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018) On the evolution of technical lag in the npm package dependency network. In: Int\u2019l Conf software maintenance and evolution. IEEE, pp 404\u2013414","DOI":"10.1109\/ICSME.2018.00050"},{"key":"10154_CR15","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. In: International conference on mining software repositories","DOI":"10.1145\/3196398.3196401"},{"issue":"1","key":"10154_CR16","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1007\/s10664-017-9589-y","volume":"24","author":"A Decan","year":"2019","unstructured":"Decan A, Mens T, Grosjean P (2019) An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empir Softw Eng 24(1):381\u2013416","journal-title":"Empir Softw Eng"},{"key":"10154_CR17","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Zerouali A, Roover CD (2021) Back to the past\u2013analysing backporting practices in package dependency networks. IEEE Transactions on Software Engineering","DOI":"10.1109\/TSE.2021.3112204"},{"key":"10154_CR18","doi-asserted-by":"crossref","unstructured":"Gkortzis A, Feitosa D, Spinellis D (2020) Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities. Journal of Systems and Software","DOI":"10.1016\/j.jss.2020.110653"},{"key":"10154_CR19","doi-asserted-by":"crossref","unstructured":"Gonzalez-Barahona JM, Sherwood P, Robles G, Izquierdo D (2017) Technical lag in software compilations: Measuring how outdated a software deployment is. In: IFIP international conference on open source systems. 
Springer, pp 182\u2013192","DOI":"10.1007\/978-3-319-57735-7_17"},{"key":"10154_CR20","doi-asserted-by":"crossref","unstructured":"Imtiaz N, Thorne S, Williams L (2021) A comparative study of vulnerability reporting by software composition analysis tools. arXiv preprint arXiv:2108.12078","DOI":"10.1145\/3475716.3475769"},{"key":"10154_CR21","unstructured":"Katz J (2020) Libraries.io Open Source Repository and Dependency Metadata"},{"key":"10154_CR22","doi-asserted-by":"crossref","unstructured":"Kikas R, Gousios G, Dumas M, Pfahl D (2017) Structure and evolution of package dependency networks. In: International conference on mining software repositories (MSR). IEEE, pp 102\u2013112","DOI":"10.1109\/MSR.2017.55"},{"key":"10154_CR23","volume-title":"Survival Analysis: Techniques for Censored and Truncated Data","author":"JP Klein","year":"2013","unstructured":"Klein JP, Moeschberger ML (2013) Survival Analysis: Techniques for Censored and Truncated Data. Springer, Berlin"},{"key":"10154_CR24","doi-asserted-by":"crossref","unstructured":"Lauinger T, Chaabane A, Arshad S, Robertson W, Wilson C, Kirda E (2017) Thou shalt not depend on me: Analysing the use of outdated JavaScript libraries on the web. In: NDSS symposium","DOI":"10.14722\/ndss.2017.23414"},{"issue":"2","key":"10154_CR25","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1093\/cybsec\/tyx008","volume":"3","author":"T Maillart","year":"2017","unstructured":"Maillart T, Zhao M, Grossklags J, Chuang J (2017) Given enough eyeballs, all bugs are shallow? revisiting eric raymond with bug bounty programs. Journal of Cybersecurity 3(2):81\u201390","journal-title":"Journal of Cybersecurity"},{"key":"10154_CR26","doi-asserted-by":"crossref","unstructured":"Massacci F, Pashchenko I (2021) Technical leverage in a software ecosystem: Development opportunities and security risks. In: 2021 IEEE\/ACM 43rd international conference on software engineering (ICSE). 
IEEE, pp 1386\u20131397","DOI":"10.1109\/ICSE43902.2021.00125"},{"key":"10154_CR27","doi-asserted-by":"crossref","unstructured":"Meneely A, Srinivasan H, Musa A, Tejeda AR, Mokary M, Spates B (2013) When a patch goes bad: Exploring the properties of vulnerability-contributing commits. In: 2013 ACM\/IEEE international symposium on empirical software engineering and measurement. IEEE, pp 65\u201374","DOI":"10.1109\/ESEM.2013.19"},{"key":"10154_CR28","doi-asserted-by":"crossref","unstructured":"Mujahid S, Costa DE, Abdalkareem R, Shihab E, Saied MA, Adams B (2021) Towards using package centrality trend to identify packages in decline. arXiv preprint arXiv:2107.10168","DOI":"10.1109\/TEM.2021.3122012"},{"issue":"6","key":"10154_CR29","doi-asserted-by":"publisher","first-page":"2268","DOI":"10.1007\/s10664-015-9408-2","volume":"21","author":"VH Nguyen","year":"2016","unstructured":"Nguyen VH, Dashevskyi S, Massacci F (2016) An automatic method for assessing the versions affected by a vulnerability. Empir Softw Eng 21 (6):2268\u20132297","journal-title":"Empir Softw Eng"},{"key":"10154_CR30","doi-asserted-by":"crossref","unstructured":"Nguyen DC, Derr E, Backes M, Bugiel S (2020) Up2dep: Android tool support to fix insecure code dependencies. In: Annual Computer Security Applications Conference, pp 263\u2013276","DOI":"10.1145\/3427228.3427658"},{"key":"10154_CR31","unstructured":"OWASP (2017) OWASP Top Ten web application security risks. https:\/\/owasp.org\/www-project-top-ten\/, accessed: 24\/04\/2021"},{"key":"10154_CR32","doi-asserted-by":"crossref","unstructured":"Ohm M, Plate H, Sykosch A, Meier M (2020) Backstabber\u2019s knife collection: A review of open source software supply chain attacks. In: International conference on detection of intrusions and malware, and vulnerability assessment. 
Springer, pp 23\u201343","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"10154_CR33","first-page":"10","volume":"6","author":"A Ozment","year":"2006","unstructured":"Ozment A, Schechter SE (2006) Milk or wine: does software security improve with age? In: USENIX Security Symposium 6:10\u20135555","journal-title":"USENIX Security Symposium"},{"key":"10154_CR34","doi-asserted-by":"crossref","unstructured":"Pashchenko I, Duc-Ly V, Massacci F (2020) A qualitative study of dependency management and its security implications. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp 1513\u20131531","DOI":"10.1145\/3372297.3417232"},{"key":"10154_CR35","doi-asserted-by":"crossref","unstructured":"Pashchenko I, Plate H, Ponta SE, Sabetta A, Massacci F (2018) Vulnerable open source dependencies: Counting those that matter. In: International symposium on empirical software engineering and measurement. ACM","DOI":"10.1145\/3239235.3268920"},{"key":"10154_CR36","unstructured":"Pashchenko I, Plate H, Ponta SE, Sabetta A, Massacci F (2020) Vuln4real: A methodology for counting actually vulnerable dependencies. IEEE Transactions on Software Engineering"},{"key":"10154_CR37","doi-asserted-by":"crossref","unstructured":"Pham NH, Nguyen TT, Nguyen HA, Wang X, Nguyen AT, Nguyen TN (2010) Detecting recurring and similar software vulnerabilities. In: Int\u2019l Conf software engineering, pp 227\u2013230","DOI":"10.1145\/1858996.1859089"},{"issue":"5","key":"10154_CR38","doi-asserted-by":"publisher","first-page":"3175","DOI":"10.1007\/s10664-020-09830-x","volume":"25","author":"SE Ponta","year":"2020","unstructured":"Ponta SE, Plate H, Sabetta A (2020) Detection, assessment and mitigation of vulnerabilities in open source dependencies. 
Empir Softw Eng 25 (5):3175\u20133215","journal-title":"Empir Softw Eng"},{"key":"10154_CR39","doi-asserted-by":"crossref","unstructured":"Prana GAA, Sharma A, Shar LK, Foo D, Santosa A, Sharma A, Lo D (2021) Out of sight, out of mind? How vulnerable dependencies affect open-source projects. Empirical Software Engineering, 26","DOI":"10.1007\/s10664-021-09959-3"},{"key":"10154_CR40","unstructured":"Preston-Werner T (2013) Semantic versioning 2.0.0. https:\/\/semver.org\/"},{"key":"10154_CR41","unstructured":"Romano J, Kromrey JD, Coraggio J, Skowronek J, Devine L (2006) Exploring methods for evaluating group differences on the NSSE and other surveys: Are the t-test and Cohen\u2019s d indices the most appropriate choices?. In: Annual Meeting of the Southern Association for Institutional Research"},{"key":"10154_CR42","doi-asserted-by":"crossref","unstructured":"Ruohonen J (2018) An empirical analysis of vulnerabilities in Python packages for web applications. In: International workshop on empirical software engineering in practice (IWESEP). IEEE, pp 25\u201330","DOI":"10.1109\/IWESEP.2018.00013"},{"issue":"6","key":"10154_CR43","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Y Shin","year":"2010","unstructured":"Shin Y, Meneely A, Williams L, Osborne JA (2010) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans Softw Eng 37(6):772\u2013787","journal-title":"IEEE Trans Softw Eng"},{"key":"10154_CR44","unstructured":"Snyk (2017) The state of open source security. 
https:\/\/snyk.io\/wp-content\/uploads\/The-State-of-Open-Source-2017.pdf, accessed: 10\/06\/2021"},{"issue":"3","key":"10154_CR45","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-020-09914-8","volume":"26","author":"C Soto-Valero","year":"2021","unstructured":"Soto-Valero C, Harrand N, Monperrus M, Baudry B (2021) A comprehensive study of bloated dependencies in the Maven ecosystem. Empir Softw Eng 26(3):1\u201344","journal-title":"Empir Softw Eng"},{"key":"10154_CR46","doi-asserted-by":"crossref","unstructured":"Wittern E, Suter P, Rajagopalan S (2016) A look at the dynamics of the JavaScript package ecosystem. In: Int\u2019l Conf mining software repositories (MSR). IEEE, pp 351\u2013361","DOI":"10.1145\/2901739.2901743"},{"key":"10154_CR47","doi-asserted-by":"crossref","unstructured":"Wohlin C, Runeson P, Host M, Ohlsson MC, Regnell B, Wesslen A (2000) Experimentation in Software Engineering - An Introduction. Kluwer","DOI":"10.1007\/978-1-4615-4625-2"},{"key":"10154_CR48","unstructured":"Zapata RE, Kula RG, Chinthanet B, Ishio T, Matsumoto K, Ihara A (2018) Towards smoother library migrations: A look at vulnerable dependency migrations at function level for npm JavaScript packages. In: International conference on software maintenance and evolution. IEEE, pp 559\u2013563"},{"key":"10154_CR49","unstructured":"Zerouali J (2019) A Measurement Framework for Analyzing Technical Lag in Open-Source Software Ecosystems. PhD thesis, University of Mons"},{"key":"10154_CR50","doi-asserted-by":"crossref","unstructured":"Zerouali A, Constantinou E, Mens T, Robles G, Gonz\u00e1lez-Barahona J (2018) An empirical analysis of technical lag in npm package dependencies. In: International conference on software reuse. 
Springer, pp 95\u2013110","DOI":"10.1007\/978-3-319-90421-4_6"},{"issue":"2","key":"10154_CR51","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-020-09908-6","volume":"26","author":"A Zerouali","year":"2021","unstructured":"Zerouali A, Mens T, Decan A, Gonzalez-Barahona J, Robles G (2021a) A multi-dimensional analysis of technical lag in Debian-based Docker images. Empir Softw Eng 26(2):1\u201345","journal-title":"Empir Softw Eng"},{"key":"10154_CR52","doi-asserted-by":"crossref","unstructured":"Zerouali A, Mens T, Robles G, Gonzalez-Barahona JM (2019) On the relation between outdated Docker containers, severity vulnerabilities, and bugs. In: International conference on software analysis, evolution and reengineering. IEEE, pp 491\u2013501","DOI":"10.1109\/SANER.2019.8668013"},{"key":"10154_CR53","doi-asserted-by":"crossref","unstructured":"Zerouali A, Mens T, Roover CD (2021b) On the usage of JavaScript, Python and Ruby packages in Docker Hub images. Science of Computer Programming, pp 102653","DOI":"10.1016\/j.scico.2021.102653"},{"key":"10154_CR54","unstructured":"Zimmermann M, Staicu C-A, Tenny C, Pradel M (2019) Small world with high risks: A study of security threats in the npm ecosystem. 
In: USENIX security symposium, pp 995\u20131010"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10154-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-022-10154-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10154-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,26]],"date-time":"2022-07-26T05:08:24Z","timestamp":1658812104000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-022-10154-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,30]]},"references-count":54,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2022,9]]}},"alternative-id":["10154"],"URL":"https:\/\/doi.org\/10.1007\/s10664-022-10154-1","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,30]]},"assertion":[{"value":"17 March 2022","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 May 2022","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"107"}}