{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,14]],"date-time":"2026-04-14T09:26:51Z","timestamp":1776158811287,"version":"3.50.1"},"reference-count":67,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,5,26]],"date-time":"2023-05-26T00:00:00Z","timestamp":1685059200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2023,10,31]]},"abstract":"<jats:p>The reliance on vulnerable dependencies is a major threat to software systems. Dependency vulnerabilities are common and remain undisclosed for years. However, once the vulnerability is discovered and publicly known to the community, the risk of exploitation reaches its peak, and developers have to work fast to remediate the problem. While there has been a lot of research to characterize vulnerabilities in software ecosystems, none have explored the problem taking the discoverability into account.<\/jats:p>\n          <jats:p>Therefore, we perform a large-scale empirical study examining 6,546 Node.js applications. We define three discoverability levels based on vulnerabilities lifecycle (undisclosed, reported, and public). We find that although the majority of the affected applications (99.42%) depend on undisclosed vulnerable packages, 206\u00a0(4.63%) applications were exposed to dependencies with public vulnerabilities. The major culprit for the applications being affected by public vulnerabilities is the lack of dependency updates; in 90.8% of the cases, a fix is available but not patched by application maintainers. Moreover, we find that applications remain affected by public vulnerabilities for a long time (103 days). Finally, we devise DepReveal, a tool that supports our discoverability analysis approach, to help developers better understand vulnerabilities in their application dependencies and plan their project maintenance.<\/jats:p>","DOI":"10.1145\/3571848","type":"journal-article","created":{"date-parts":[[2022,11,21]],"date-time":"2022-11-21T12:52:17Z","timestamp":1669035137000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["On the Discoverability of npm Vulnerabilities in Node.js Projects"],"prefix":"10.1145","volume":"32","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2621-6104","authenticated-orcid":false,"given":"Mahmoud","family":"Alfadel","sequence":"first","affiliation":[{"name":"Concordia University, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7084-2594","authenticated-orcid":false,"given":"Diego Elias","family":"Costa","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1285-9878","authenticated-orcid":false,"given":"Emad","family":"Shihab","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7213-4006","authenticated-orcid":false,"given":"Bram","family":"Adams","sequence":"additional","affiliation":[{"name":"Queen\u2019s University, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,5,26]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"GitHub. 2022. About coordinated disclosure of security vulnerabilities. https:\/\/docs.github.com\/en\/code-security\/security-advisories\/guidance-on-reporting-and-writing\/about-coordinated-disclosure-of-security-vulnerabilities#about-disclosing-vulnerabilities-in-the-industry."},{"key":"e_1_3_1_3_2","unstructured":"GitHub. 2015. Commit to the atom project. https:\/\/github.com\/atom\/atom\/commit\/41b799aebc7f40201219d8ec435d1520cf057285."},{"key":"e_1_3_1_4_2","unstructured":"GitHub. 2022. Atom repository. https:\/\/github.com\/atom\/atom."},{"key":"e_1_3_1_5_2","unstructured":"CWE. 2022. Tops 25 most dangerous software weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2022\/2022_cwe_top25.html."},{"key":"e_1_3_1_6_2","unstructured":"R2C. 2022. Code scanning. https:\/\/r2c.dev\/."},{"key":"e_1_3_1_7_2","unstructured":"Synopsys. 2020. The HeartBleed bug. https:\/\/heartbleed.com\/."},{"key":"e_1_3_1_8_2","unstructured":"DeepScan. 2022. DeepScan tool. https:\/\/deepscan.io\/."},{"key":"e_1_3_1_9_2","unstructured":"Mahmoud Alfadel. 2021. DepReveal: A tool for identifying npm discoverability of npm vulnerabilities. https:\/\/github.com\/mahmoud-alfadel\/DepReveal."},{"key":"e_1_3_1_10_2","unstructured":"GitHub Advisories. 2021. SQL Injection in Sequelize project. https:\/\/github.com\/advisories\/GHSA-xqg8-cv3h-xppv."},{"key":"e_1_3_1_11_2","unstructured":"Libraries.io. 2022. Package data for ecosystems. https:\/\/libraries.io\/NPM."},{"key":"e_1_3_1_12_2","unstructured":"npmjs. 2020. A Day in the Life of npm Security. https:\/\/blog.npmjs.org\/post\/190665497245\/a-day-in-the-life-of-npm-security.html."},{"key":"e_1_3_1_13_2","unstructured":"npmjs. 2019. AppSec POV on Dependency Management. https:\/\/blog.npmjs.org\/post\/187496869845\/appsec-pov-on-dependency-management."},{"key":"e_1_3_1_14_2","unstructured":"GitHub. 2022. Node-semver: The semver parser for node. https:\/\/github.com\/npm\/node-semver."},{"key":"e_1_3_1_15_2","unstructured":"Zenodo. 2021. Replication package. https:\/\/zenodo.org\/record\/5153319#.YQfhBFP0nUI."},{"key":"e_1_3_1_16_2","unstructured":"Semver.org. 2022. Semantic Versioning 2.0.0. https:\/\/semver.org\/."},{"key":"e_1_3_1_17_2","unstructured":"Mahmoud Alfadel. 2022. DepReveal Web-UI. http:\/\/104.237.154.205:9098\/."},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68560-1"},{"key":"e_1_3_1_19_2","article-title":"On the threat of npm vulnerable dependencies in Node.js applications","author":"Alfadel Mahmoud","year":"2020","unstructured":"Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, and Bram Adams. 2020. On the threat of npm vulnerable dependencies in Node.js applications. arXiv preprint arXiv:2009.09019 (2020).","journal-title":"arXiv preprint arXiv:2009.09019"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00037"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1145\/236156.236184"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASEW.2015.21"},{"key":"e_1_3_1_24_2","first-page":"109","volume-title":"24th ACM SIGSOFT International Symposium on Foundations of Software Engineering","author":"Bogart Christopher","year":"2016","unstructured":"Christopher Bogart, Christian K\u00e4stner, James Herbsleb, and Ferdian Thung. 2016. How to break an API: Cost negotiation and community values in three software ecosystems. In 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. ACM, 109\u2013120."},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3447245"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09951-x"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3421838"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3068901"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2952130"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236027"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2918315"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_1_36_2","unstructured":"Equifax. 2017. Equifax Releases Details on Cybersecurity Incident Announces Personnel Changes. Retrieved from https:\/\/investor.equifax.com\/news-and-events\/news\/2017\/09-15-2017-22401883."},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2017.28"},{"key":"e_1_3_1_38_2","unstructured":"Github. 2022. Dependabot. Retrieved from https:\/\/dependabot.com\/."},{"key":"e_1_3_1_39_2","volume-title":"Dynamic Analysis for JavaScript Code","author":"Gong Liang","year":"2018","unstructured":"Liang Gong. 2018. Dynamic Analysis for JavaScript Code. Ph.D. Dissertation. UC Berkeley."},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.5555\/2487085.2487132"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597074"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1080\/01621459.1958.10501452"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"e_1_3_1_44_2","article-title":"On the impact of micro-packages: An empirical study of the npm JavaScript ecosystem","author":"Kula Raula Gaikovina","year":"2017","unstructured":"Raula Gaikovina Kula, Ali Ouni, Daniel M. German, and Katsuro Inoue. 2017. On the impact of micro-packages: An empirical study of the npm JavaScript ecosystem. arXiv preprint arXiv:1709.04638 (2017).","journal-title":"arXiv preprint arXiv:1709.04638"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.2988396"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468542"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/52.311048"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.5555\/3155562.3155577"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338940"},{"key":"e_1_3_1_50_2","unstructured":"npm. 2022. About audit reports | npm Docs. Retrieved from https:\/\/bit.ly\/3uqn0uv."},{"key":"e_1_3_1_51_2","unstructured":"npm. 2022. npm advisories. Retrieved from https:\/\/www.npmjs.com\/advisories."},{"key":"e_1_3_1_52_2","unstructured":"npm. 2022. npm registry. Retrieved from https:\/\/docs.npmjs.com\/misc\/registry."},{"key":"e_1_3_1_53_2","unstructured":"OWASP. 2022. OWASP Risk Assessment Framework. Retrieved from https:\/\/owasp.org\/www-project-risk-assessment-framework\/."},{"key":"e_1_3_1_54_2","first-page":"1","volume-title":"12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement","author":"Pashchenko Ivan","year":"2018","unstructured":"Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2018. Vulnerable open source dependencies: Counting those that matter. In 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement. 1\u201310."},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00054"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09830-x"},{"key":"e_1_3_1_59_2","unstructured":"semver. 2022. semver - npm. Retrieved from https:\/\/www.npmjs.com\/package\/semver."},{"key":"e_1_3_1_60_2","unstructured":"SOF. Stack Overflow Developer Survey 2019. Retrieved from https:\/\/insights.stackoverflow.com\/survey\/2019."},{"key":"e_1_3_1_61_2","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and automatically preventing injection attacks on NODE.JS. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054860"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME46990.2020.00014"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2901743"},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"e_1_3_1_66_2","first-page":"559","volume-title":"IEEE International Conference on Software Maintenance and Evolution (ICSME)","author":"Zapata Rodrigo Elizalde","year":"2018","unstructured":"Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards smoother library migrations: A look at vulnerable dependency migrations at function level for npm JavaScript packages. In IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 559\u2013563."},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2019.8667984"},{"key":"e_1_3_1_68_2","first-page":"995","volume-title":"28th USENIX Security Symposium (USENIX Security\u201919)","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th USENIX Security Symposium (USENIX Security\u201919). 995\u20131010."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3571848","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3571848","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:48Z","timestamp":1750182528000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3571848"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,26]]},"references-count":67,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,10,31]]}},"alternative-id":["10.1145\/3571848"],"URL":"https:\/\/doi.org\/10.1145\/3571848","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,26]]},"assertion":[{"value":"2021-08-04","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-10-25","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-05-26","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}