{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,8]],"date-time":"2026-03-08T01:41:19Z","timestamp":1772934079700,"version":"3.50.1"},"reference-count":54,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,12,8]]},"DOI":"10.1109\/bigdata66926.2025.11401557","type":"proceedings-article","created":{"date-parts":[[2026,3,6]],"date-time":"2026-03-06T20:57:57Z","timestamp":1772830677000},"page":"7825-7834","source":"Crossref","is-referenced-by-count":0,"title":["PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python"],"prefix":"10.1109","author":[{"given":"Jacob","family":"Mahon","sequence":"first","affiliation":[{"name":"New Jersey Institute of Technology,Computer Science Department,Newark,New Jersey,USA"}]},{"given":"Chenxi","family":"Hou","sequence":"additional","affiliation":[{"name":"New Jersey Institute of Technology,Computer Science Department,Newark,New Jersey,USA"}]},{"given":"Zhihao","family":"Yao","sequence":"additional","affiliation":[{"name":"New Jersey Institute of Technology,Computer Science Department,Newark,New Jersey,USA"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Evaluating and mitigating software supply chain security risks","author":"Ellison","year":"2010"},{"issue":"1","key":"ref2","first-page":"1","article-title":"Python programming language","volume-title":"USENIX annual technical conference","volume":"41","author":"Van Rossum","year":"2007"},{"key":"ref3","volume-title":"PyPI - the Python Package Index","year":"2025"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3426281"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3640336"},{"key":"ref6","first-page":"1393","article-title":"in-toto: Providing farm-to-table guarantees for bits and bytes","volume-title":"Proc. USENIX Security 2019","author":"Torres-Arias","year":"2019"},{"key":"ref7","volume-title":"pip-audit","year":"2025"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00052"},{"key":"ref9","volume-title":"Python Packaging Authority","year":"2023"},{"key":"ref10","volume-title":"Statistics - PyPI","year":"2025"},{"key":"ref11","volume-title":"Packaging Python Projects - Python Packaging User Guide","year":"2020"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00135"},{"key":"ref13","article-title":"Detecting active and stealthy typosquatting threats in package registries","author":"Jiang","year":"2025","journal-title":"arXiv preprint"},{"key":"ref14","volume-title":"GitHub - Microsoft OSSGadget","year":"2025"},{"key":"ref15","volume-title":"GitHub - Bandit4Mal","year":"2022"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00074"},{"key":"ref17","volume-title":"PEP 508 - Conditional Dependencies","year":"2015"},{"key":"ref18","volume-title":"PEP 440 - Version Identification and Dependency Specification","year":"2014"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380426"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3191353"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/QRS62785.2024.00057"},{"key":"ref22","volume-title":"cdk-sns-notify - PyPI","year":"2024"},{"key":"ref23","volume-title":"The Nine Circles of Python Dependency Hell","year":"2015"},{"key":"ref24","volume-title":"Breaking Changes, Breaking Trust","year":"2024"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM63643.2024.00014"},{"key":"ref26","volume-title":"pip resolver","year":"2025"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560437"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00031"},{"key":"ref29","article-title":"Automatically fixing dependency breaking changes","volume-title":"Proc. ACM FSE","author":"Lukas","year":"2025"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179378"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3627106.3627138"},{"key":"ref33","article-title":"$Ztd_\\{J A V A\\}$: Mitigating software supply chain vulnerabilities via zero-trust dependencies","author":"Amusuo","year":"2023","journal-title":"arXiv preprint"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2011.36"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2023.3273491"},{"key":"ref36","volume-title":"aait-store-cut-part-016 - PyPI","year":"2024"},{"key":"ref37","volume-title":"square-0\u20135 - PyPI","year":"2024"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ACSACW65225.2024.00033"},{"key":"ref39","volume-title":"PyPI Simple Index","year":"2025"},{"key":"ref40","volume-title":"PEP 503 - Simple Repository API","year":"2015"},{"key":"ref41","volume-title":"johnnydep - PyPI","year":"2024"},{"key":"ref42","volume-title":"National Vulnerability Database","year":"2017"},{"key":"ref43","volume-title":"GitHub - Advisory database for Python packages published on pypi.org","year":"2025"},{"key":"ref44","volume-title":"MITRE - Common Vulnerabilities and Exposures","year":"2024"},{"key":"ref45","volume-title":"The \u2018sklearn\u2019 PyPI package is deprecated","year":"2024"},{"key":"ref46","volume-title":"ijson - PyPI","year":"2024"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"ref48","volume-title":"GitHub - OSV-SCALIBR: A library for Software Composition Analysis","year":"2025"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.111"},{"key":"ref50","article-title":"Undo Workarounds for Kernel Bugs","volume-title":"Proc. USENIX Security Symposium","author":"Talebi","year":"2021"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/pst52912.2021.9647791"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00137"},{"key":"ref53","article-title":"GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation","volume-title":"Proc. USENIX Security Symposium","author":"Peng","year":"2023"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623166"}],"event":{"name":"2025 IEEE International Conference on Big Data (BigData)","location":"Macau, China","start":{"date-parts":[[2025,12,8]]},"end":{"date-parts":[[2025,12,11]]}},"container-title":["2025 IEEE International Conference on Big Data (BigData)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11400704\/11400712\/11401557.pdf?arnumber=11401557","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T06:59:09Z","timestamp":1772866749000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11401557\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,8]]},"references-count":54,"URL":"https:\/\/doi.org\/10.1109\/bigdata66926.2025.11401557","relation":{},"subject":[],"published":{"date-parts":[[2025,12,8]]}}}