{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T21:20:37Z","timestamp":1769721637981,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":29,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,21]],"date-time":"2020-12-21T00:00:00Z","timestamp":1608508800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Japan Society for the Promotion of Science","award":["18H04094, 18H03221, 18KT0013, 20K19774"],"award-info":[{"award-number":["18H04094, 18H03221, 18KT0013, 20K19774"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,21]]},"DOI":"10.1145\/3324884.3421838","type":"proceedings-article","created":{"date-parts":[[2021,1,27]],"date-time":"2021-01-27T23:38:56Z","timestamp":1611790736000},"page":"1199-1203","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Code-based vulnerability detection in Node.js applications"],"prefix":"10.1145","author":[{"given":"Bodin","family":"Chinthanet","sequence":"first","affiliation":[{"name":"Nara Institute of Science and Technology, Japan"}]},{"given":"Serena Elisa","family":"Ponta","sequence":"additional","affiliation":[{"name":"SAP Security Research, France"}]},{"given":"Henrik","family":"Plate","sequence":"additional","affiliation":[{"name":"SAP Security Research, France"}]},{"given":"Antonino","family":"Sabetta","sequence":"additional","affiliation":[{"name":"SAP Security Research, France"}]},{"given":"Raula Gaikovina","family":"Kula","sequence":"additional","affiliation":[{"name":"Nara Institute of Science and Technology, Japan"}]},{"given":"Takashi","family":"Ishio","sequence":"additional","affiliation":[{"name":"Nara Institute of Science and 
Technology, Japan"}]},{"given":"Kenichi","family":"Matsumoto","sequence":"additional","affiliation":[{"name":"Nara Institute of Science and Technology, Japan"}]}],"member":"320","published-online":{"date-parts":[[2021,1,27]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"ANTLR. 2017. grammars-v4\/javascript at master antlr\/grammars-v4. https:\/\/github.com\/antlr\/grammars-v4\/tree\/master\/javascript. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_2_1","unstructured":"National Vulnerability Database. 2007. NVD - Home. https:\/\/nvd.nist.gov\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_3_1","volume-title":"Node.Fz: Fuzzing the Server-Side Event-Driven Architecture. In &lt;u&gt;Proceedings of the 12th European Conference on Computer Systems (EuroSys).&lt;\/u&gt","author":"Davis James","unstructured":"James Davis, Arun Thekumparampil, and Dongyoon Lee. 2017. Node.Fz: Fuzzing the Server-Side Event-Driven Architecture. In &lt;u&gt;Proceedings of the 12th European Conference on Computer Systems (EuroSys).&lt;\/u&gt; 145--160."},{"key":"e_1_3_2_1_4_1","volume-title":"On the Evolution of Technical Lag in the npm Package Dependency Network. In &lt;u&gt;the 34th International Conference on Software Maintenance and Evolution (ICSME).&lt;\/u&gt","author":"Decan Alexandre","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the Evolution of Technical Lag in the npm Package Dependency Network. In &lt;u&gt;the 34th International Conference on Software Maintenance and Evolution (ICSME).&lt;\/u&gt; 404--414."},{"key":"e_1_3_2_1_5_1","volume-title":"On the impact of security vulnerabilities in the npm package dependency network. In &lt;u&gt;Proceedings of the 15th International Conference on Mining Software Repositories (MSR).&lt;\/u&gt","author":"Decan Alexandre","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the impact of security vulnerabilities in the npm package dependency network. 
In &lt;u&gt;Proceedings of the 15th International Conference on Mining Software Repositories (MSR).&lt;\/u&gt; 181--191."},{"key":"e_1_3_2_1_6_1","unstructured":"Eclipse. 2018. Eclipse Steady 3.1.11 (Incubator Project). https:\/\/eclipse.github.io\/steady\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_7_1","unstructured":"GitHub. 2017. About security alerts for vulnerable dependencies. https:\/\/help.github.com\/articles\/about-security-alerts-for-vulnerable-dependencies\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_8_1","unstructured":"GitHub. 2019. GitHub Advisory Database. https:\/\/github.com\/advisories. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_9_1","volume-title":"ES2016 and ES2017 support. https:\/\/node.green\/. (Accessed on 08\/11\/2020)","author":"Kapke William","year":"2016","unstructured":"William Kapke. 2016. Node.js ES2015\/ES6, ES2016 and ES2017 support. https:\/\/node.green\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_10_1","volume-title":"Structure and Evolution of Package Dependency Networks. In &lt;u&gt;Proceedings of the 14th International Conference on Mining Software Repositories (MSR).&lt;\/u&gt","author":"Kikas Riivo","unstructured":"Riivo Kikas, Georgios Gousios, Marlon Dumas, and Dietmar Pfahl. 2017. Structure and Evolution of Package Dependency Networks. In &lt;u&gt;Proceedings of the 14th International Conference on Mining Software Repositories (MSR).&lt;\/u&gt; 102--112."},{"key":"e_1_3_2_1_11_1","volume-title":"Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. In &lt;u&gt;Proceedings of the 24th Network and Distributed System Security Symposium (NDSS).&lt;\/u&gt","author":"Lauinger Tobias","unstructured":"Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. 
In &lt;u&gt;Proceedings of the 24th Network and Distributed System Security Symposium (NDSS).&lt;\/u&gt;"},{"key":"e_1_3_2_1_12_1","unstructured":"Lodash. 2012. lodash\/lodash: A modern JavaScript utility library delivering modularity performance & extras. https:\/\/github.com\/lodash\/lodash. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Magnus Madsen, Frank Tip, and Ond\u0159ej Lhot\u00e1k. 2015. Static Analysis of Event-Driven Node.Js JavaScript Applications. In &lt;u&gt;Proceedings of the International Conference on Object-Oriented Programming Systems Languages and Applications (OOPSLA).&lt;\/u&gt; 505--519.","DOI":"10.1145\/2814270.2814272"},{"key":"e_1_3_2_1_14_1","unstructured":"NAIST-SE. 2020. NAIST-SE\/steady: Analyses your Java and Python applications for open-source dependencies with known vulnerabilities using both static analysis and testing to determine code context and usage for greater accuracy. https:\/\/github.com\/NAIST-SE\/steady. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_15_1","unstructured":"npm. 2011. debug - npm. https:\/\/www.npmjs.com\/package\/debug. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_16_1","unstructured":"npm. 2012. lodash - npm. https:\/\/www.npmjs.com\/package\/lodash. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_17_1","unstructured":"NPM. 2018. Auditing package dependencies for security vulnerabilities. https:\/\/docs.npmjs.com\/auditing-package-dependencies-for-security-vulnerabilities. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_18_1","unstructured":"npm. 2020. npm - most depended upon. https:\/\/www.npmjs.com\/browse\/depended. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_19_1","unstructured":"npm blog. 2020. npm blog: Next Phase Montage. https:\/\/blog.npmjs.org\/post\/612764866888007680\/next-phase-montage. (Accessed on 05\/20\/2020)."},{"key":"e_1_3_2_1_20_1","unstructured":"Dmitri Pavlutin. 2016. 6 Ways to Declare JavaScript Functions. 
https:\/\/dmitripavlutin.com\/6-ways-to-declare-javascript-functions\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_21_1","unstructured":"Serena Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2018. Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software. In &lt;u&gt;Proceedings of the 34th International Conference on Software Maintenance and Evolution (ICSME).&lt;\/u&gt; 58--68."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09830-x"},{"key":"e_1_3_2_1_23_1","volume-title":"Static DOM Event Dependency Analysis for Testing Web Applications. In &lt;u&gt;Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE).&lt;\/u&gt","author":"Sung Chungha","unstructured":"Chungha Sung, Markus Kusano, Nishant Sinha, and Chao Wang. 2016. Static DOM Event Dependency Analysis for Testing Web Applications. In &lt;u&gt;Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE).&lt;\/u&gt; 447--459."},{"key":"e_1_3_2_1_24_1","unstructured":"Synopsys. 2020. 2020 Open Source Security and Risk Analysis (OSSRA) Report | Synopsys. https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/2020-open-source-security-risk-analysis.html. (Accessed on 05\/27\/2020)."},{"key":"e_1_3_2_1_25_1","unstructured":"JavaScript Tutorial. 2020. JavaScript Anonymous Functions. https:\/\/www.javascripttutorial.net\/javascript-anonymous-functions\/. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_26_1","unstructured":"Visionmedia. 2011. visionmedia\/debug: A tiny JavaScript debugging utility modelled after Node.js core's debugging technique. Works in Node.js and web browsers. https:\/\/github.com\/visionmedia\/debug. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_27_1","unstructured":"MDN web docs. 2020. Inheritance and the prototype chain - JavaScript | MDN. 
https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Inheritance_and_the_prototype_chain. (Accessed on 08\/11\/2020)."},{"key":"e_1_3_2_1_28_1","volume-title":"Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara.","author":"Zapata Rodrigo Elizalde","year":"2018","unstructured":"Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards Smoother Library Migrations: A Look at Vulnerable Dependency Migrations at Function Level for npm JavaScript Packages. In &lt;u&gt;Proceedings of the 34th International Conference on Software Maintenance and Evolution (ICSME).&lt;\/u&gt; 559--563."},{"key":"e_1_3_2_1_29_1","volume-title":"An Empirical Analysis of Technical Lag in npm Package Dependencies. In &lt;u&gt;Proceedings of the 17th International Conference on Software Reuse (ICSR).&lt;\/u&gt","author":"Zerouali Ahmed","unstructured":"Ahmed Zerouali, Eleni Constantinou, Tom Mens, Gregorio Robles, and Jesus Gonzalez-Barahona. 2018. An Empirical Analysis of Technical Lag in npm Package Dependencies. 
In &lt;u&gt;Proceedings of the 17th International Conference on Software Reuse (ICSR).&lt;\/u&gt; 95--110."}],"event":{"name":"ASE '20: 35th IEEE\/ACM International Conference on Automated Software Engineering","location":"Virtual Event Australia","acronym":"ASE '20","sponsor":["SIGAI ACM Special Interest Group on Artificial Intelligence","SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3324884.3421838","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3324884.3421838","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:47:23Z","timestamp":1750193243000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3324884.3421838"}},"subtitle":["how far are we?"],"short-title":[],"issued":{"date-parts":[[2020,12,21]]},"references-count":29,"alternative-id":["10.1145\/3324884.3421838","10.1145\/3324884"],"URL":"https:\/\/doi.org\/10.1145\/3324884.3421838","relation":{},"subject":[],"published":{"date-parts":[[2020,12,21]]},"assertion":[{"value":"2021-01-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}