{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,13]],"date-time":"2026-05-13T01:18:18Z","timestamp":1778635098274,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":48,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,10,10]],"date-time":"2022-10-10T00:00:00Z","timestamp":1665360000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,10,10]]},"DOI":"10.1145\/3551349.3556896","type":"proceedings-article","created":{"date-parts":[[2023,1,5]],"date-time":"2023-01-05T20:43:54Z","timestamp":1672951434000},"page":"1-12","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7084-2594","authenticated-orcid":false,"given":"Jasmine","family":"Latendresse","sequence":"first","affiliation":[{"name":"Concordia University, Canada"}]},{"given":"Suhaib","family":"Mujahid","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}]},{"given":"Diego Elias","family":"Costa","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}]},{"given":"Emad","family":"Shihab","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}]}],"member":"320","published-online":{"date-parts":[[2023,1,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. Software Bill of Materials | CISA. https:\/\/www.cisa.gov\/sbom"},{"key":"e_1_3_2_1_2_1","unstructured":"2019. 2019 State of the Software Supply Chain. https:\/\/www.sonatype.com\/hubfs\/SSC\/2019%20SSC\/SON_SSSC-Report-2019_jun16-DRAFT.pdf"},{"key":"e_1_3_2_1_3_1","unstructured":"2019. Eight Key Findings Illustrating How to Make Open Source Work Even Better for Developers. https:\/\/cdn2.hubspot.net\/hubfs\/4008838\/Resources\/The-2019-Tidelift-managed-open-source-survey-results.pdf"},{"key":"e_1_3_2_1_4_1","unstructured":"2019. webpack. https:\/\/webpack.js.org\/"},{"key":"e_1_3_2_1_5_1","volume-title":"Do \u201ddependencies","unstructured":"2020. Do \u201ddependencies\u201d and \u201ddevDependencies\u201d matter when using Webpack?https:\/\/jsramblings.com\/do-dependencies-devdependencies-matter-when-using-webpack\/"},{"key":"e_1_3_2_1_6_1","unstructured":"2020. npm-deps-parser. https:\/\/github.com\/nVisium\/npm-deps-parser"},{"key":"e_1_3_2_1_7_1","unstructured":"2020. Securing the World\u2019s Software. https:\/\/octoverse.github.com\/static\/github-octoverse-2020-security-report.pdf"},{"key":"e_1_3_2_1_8_1","unstructured":"2021. Create react app. https:\/\/create-react-app.dev\/"},{"key":"e_1_3_2_1_9_1","unstructured":"2021. Help \u2018npm audit\u2018 says I have a vulnerability in react-scripts! \u00b7 Issue #11174 \u00b7 facebook\/create-react-app. https:\/\/github.com\/facebook\/create-react-app\/issues\/11174"},{"key":"e_1_3_2_1_10_1","unstructured":"2021. rollup.js. https:\/\/rollupjs.org\/guide\/en\/"},{"key":"e_1_3_2_1_11_1","unstructured":"2022. The Complete Guide to Software Composition Analysis - FOSSA. https:\/\/fossa.com\/complete-guide-software-composition-analysis"},{"key":"e_1_3_2_1_12_1","unstructured":"2022. GitHub Advisory Database. https:\/\/github.com\/advisories"},{"key":"e_1_3_2_1_13_1","unstructured":"2022. Snyk | Developer security | Develop fast. Stay secure.https:\/\/snyk.io\/"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09792-9"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00037"},{"key":"e_1_3_2_1_17_1","volume-title":"On the Untriviality of Trivial Packages: An Empirical Study of npm JavaScript Packages","author":"Atique Md","year":"2019","unstructured":"Md Atique, Reza Chowdhury, Rabe Abdalkareem, and Emad Shihab. 2019. On the Untriviality of Trivial Packages: An Empirical Study of npm JavaScript Packages. Journal of IEEE Transactions on Software Engineering 01 (2019). http:\/\/das.encs.concordia.ca\/uploads\/atique_tse2021.pdf"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/236156.236184"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447245"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09904-w"},{"key":"e_1_3_2_1_21_1","unstructured":"Jailton Coelho Marco\u00a0T\u00falio Valente Luciano Milen and Luciana\u00a0Lourdes Silva. 2020. Is this GitHub Project Maintained? Measuring the Level of Maintenance Activity of Open-Source Projects. CoRR abs\/2003.04755(2020). arXiv:2003.04755https:\/\/arxiv.org\/abs\/2003.04755"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3057720"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3057720"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.140"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"e_1_3_2_1_26_1","unstructured":"Josh Fruhlinger. 2020. Equifax data breach FAQ: What happened who was affected what was the impact?https:\/\/www.csoonline.com\/article\/3444488\/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597118"},{"key":"e_1_3_2_1_28_1","unstructured":"J.\u00a0I. Hejderup. 2015. In Dependencies We Trust: How vulnerable are dependencies in software modules?repository.tudelft.nl(2015). https:\/\/repository.tudelft.nl\/islandora\/object\/uuid:3a15293b-16f6-4e9d-b6a2-f02cd52f1a9e?collection=education"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475769"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2021.3106247"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.55"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23414"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/tem.2021.3122012"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","unstructured":"Emerson Murphy-Hill Ciera Jaspan Caitlin Sadowski David Shepherd Michael Phillips Collin Winter Andrea Knight Edward Smith and Matt Jorde. 2019. What Predicts Software Developers\u2019 Productivity?IEEE Transactions on Software Engineering(2019) 1\u20131. https:\/\/doi.org\/10.1109\/tse.2019.2900308","DOI":"10.1109\/tse.2019.2900308"},{"key":"e_1_3_2_1_36_1","volume-title":"d.]. Stack Overflow Developer Survey","author":"Overflow Stack","year":"2021","unstructured":"Stack Overflow. [n. d.]. Stack Overflow Developer Survey 2021. https:\/\/insights.stackoverflow.com\/survey\/2021"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","unstructured":"Ivan Pashchenko Henrik Plate Serena Ponta Antonino Sabetta and Fabio Massacci. 2018. Vulnerable open source dependencies: counting those that matter. 1\u201310. https:\/\/doi.org\/10.1145\/3239235.3268920","DOI":"10.1145\/3239235.3268920"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3025443"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","unstructured":"Henrik Plate Serena Ponta and Antonino Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. 411\u2013420. https:\/\/doi.org\/10.1109\/ICSM.2015.7332492","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635922"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Adriana Sejfia and Max Sch\u00e4fer. 2022. Practical Automated Detection of Malicious npm Packages. arXiv preprint arXiv:2202.13953(2022).","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_43_1","unstructured":"unisil. 2021. Source Map Parser. https:\/\/github.com\/unisil\/source-map-parser"},{"key":"e_1_3_2_1_44_1","unstructured":"Haroen Viaene. 2021. feat(dependencies): update algoliasearch-helper. https:\/\/github.com\/algolia\/instantsearch.js\/pull\/4936. (Accessed on 05\/04\/2022)."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","unstructured":"Stefan Wagner and Emerson Murphy-Hill. 2019. Factors That Influence Productivity: A Checklist. 69\u201384. https:\/\/doi.org\/10.1007\/978-1-4842-4221-6_8","DOI":"10.1007\/978-1-4842-4221-6_8"},{"key":"e_1_3_2_1_46_1","volume-title":"The unfortunate reality of insecure libraries. Asp. Secur","author":"Williams Jeff","year":"2012","unstructured":"Jeff Williams and Arshan Dabirsiaghi. 2012. The unfortunate reality of insecure libraries. Asp. Secur. Inc (2012), 1\u201326."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3546932.3547000"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","unstructured":"Rodrigo Zapata Raula Kula Bodin Chinthanet Takashi Ishio Kenichi Matsumoto and Akinori Ihara. 2018. Towards Smoother Library Migrations: A Look at Vulnerable Dependency Migrations at Function Level for npm JavaScript Packages. 559\u2013563. https:\/\/doi.org\/10.1109\/ICSME.2018.00067","DOI":"10.1109\/ICSME.2018.00067"}],"event":{"name":"ASE '22: 37th IEEE\/ACM International Conference on Automated Software Engineering","location":"Rochester MI USA","acronym":"ASE '22"},"container-title":["Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3551349.3556896","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3551349.3556896","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T08:00:37Z","timestamp":1755849637000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3551349.3556896"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,10]]},"references-count":48,"alternative-id":["10.1145\/3551349.3556896","10.1145\/3551349"],"URL":"https:\/\/doi.org\/10.1145\/3551349.3556896","relation":{},"subject":[],"published":{"date-parts":[[2022,10,10]]},"assertion":[{"value":"2023-01-05","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}