{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,24]],"date-time":"2025-08-24T01:40:42Z","timestamp":1755999642108,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":85,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605770.3625216","type":"proceedings-article","created":{"date-parts":[[2023,11,23]],"date-time":"2023-11-23T11:46:12Z","timestamp":1700739972000},"page":"53-63","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["(Nothing But) Many Eyes Make All Bugs Shallow"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-2228-9912","authenticated-orcid":false,"given":"Elizabeth","family":"Wyss","sequence":"first","affiliation":[{"name":"University of Kansas, Lawrence, KS, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0432-3686","authenticated-orcid":false,"given":"Lorenzo","family":"De Carli","sequence":"additional","affiliation":[{"name":"University of Calgary, Calgary, AB, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5096-1446","authenticated-orcid":false,"given":"Drew","family":"Davidson","sequence":"additional","affiliation":[{"name":"University of Kansas, Lawrence, KS, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2021. Executive Order on Improving the Nation's Cybersecurity. https:\/\/www.whitehouse.gov\/briefing-room\/presidentialactions\/ 2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/."},{"volume-title":"USENIX Security 22","key":"e_1_3_2_1_2_1","unstructured":"2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. In USENIX Security 22. USENIX Association, Boston, MA. https:\/\/www.usenix.o rg\/conference\/usenixsecurity22\/presentation\/li-song"},{"key":"e_1_3_2_1_3_1","unstructured":"2022. Open Science Framework. https:\/\/osf.io"},{"key":"e_1_3_2_1_4_1","unstructured":"2022. OpenSSF Scorecard. https:\/\/github.com\/ossf\/scorecard"},{"key":"e_1_3_2_1_5_1","unstructured":"2022. Software Security in Supply Chains. https:\/\/www.nist.gov\/itl\/executive-or der-14028-improving-nations-cybersecurity\/software-security-supply-chains"},{"key":"e_1_3_2_1_6_1","unstructured":"2023. GitHub Advisory Database. https:\/\/github.com\/advisories?query=type%3 Areviewedecosystem%3Anpm"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-"},{"key":"e_1_3_2_1_9_1","unstructured":"Nitai Aharoni. 2020. How to Choose the Right NPM Package for Your Project. https:\/\/betterprogramming.pub\/how-to-choose-the-right-npm-package-foryour- project-c3d1cc25285e"},{"key":"e_1_3_2_1_10_1","volume-title":"Luiz Fernando Capretz, and Faheem Ahmed","author":"Aleem Saiqa","year":"2015","unstructured":"Saiqa Aleem, Luiz Fernando Capretz, and Faheem Ahmed. 2015. Benchmarking machine learning technologies for software defect detection. arXiv preprint arXiv:1506.07563 (2015)."},{"key":"e_1_3_2_1_12_1","unstructured":"Adrian Bece. 2019. Checklist for choosing an optimal npm package. https:\/\/dev. to\/adrianbdesigns\/checklist-for-choosing-an-optimal-npm-package-4dpm"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","unstructured":"Paul E. Black Vadim Okun and Barbara Guttman. 2021. Guidelines on Minimum Standards for Developer Verification of Software. https:\/\/doi.org\/10.6028\/NIST.I R.8397","DOI":"10.6028\/NIST.I"},{"key":"e_1_3_2_1_14_1","volume-title":"What's in a GitHub Star? Understanding Repository Starring Practices in a Social Coding Platform. CoRR abs\/1811.07643","author":"Borges Hudson","year":"2018","unstructured":"Hudson Borges and Marco T\u00falio Valente. 2018. What's in a GitHub Star? Understanding Repository Starring Practices in a Social Coding Platform. CoRR abs\/1811.07643 (2018). arXiv:1811.07643 http:\/\/arxiv.org\/abs\/1811.07643"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Mircea Cadariu Eric Bouwers Joost Visser and Arie van Deursen. 2015. Tracking known security vulnerabilities in proprietary software systems. In SANER.","DOI":"10.1109\/SANER.2015.7081868"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196465"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2952130"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2003.1201219"},{"key":"e_1_3_2_1_20_1","unstructured":"Erik DeBill. 2021. Modulecounts. http:\/\/www.modulecounts.com\/"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017--9589-y"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3273934.3273942"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09791-w"},{"key":"e_1_3_2_1_25_1","volume-title":"Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In NDSS","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In NDSS 2021. Internet Society."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2003.1235403"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236454.3236502"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"crossref","unstructured":"Daniel M German Bram Adams and Ahmed E Hassan. 2013. The evolution of the R software ecosystem. In CSMR.","DOI":"10.1109\/CSMR.2013.33"},{"volume-title":"GitHub Application Marketplace","key":"e_1_3_2_1_30_1","unstructured":"GitHub. 2023. GitHub Application Marketplace; Code Coverage. https:\/\/github.c om\/marketplace?type=apps&query=codecoveragesort%3Apopularity-desc"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.859533"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2015.8"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806871"},{"key":"e_1_3_2_1_34_1","unstructured":"Joseph Hejderup. 2015. In DependenciesWe Trust: How vulnerable are dependencies in software modules? Master's thesis. Delft University of Technology."},{"key":"e_1_3_2_1_35_1","volume-title":"Interpreting the Magnitude of Correlation Coefficients. The American psychologist 58 (02","author":"Hemphill James","year":"2003","unstructured":"James Hemphill. 2003. Interpreting the Magnitude of Correlation Coefficients. The American psychologist 58 (02 2003), 78--9."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2011.34"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/52.536459"},{"key":"e_1_3_2_1_38_1","volume-title":"Davis","author":"Jiang Wenxin","year":"2023","unstructured":"Wenxin Jiang, Nicholas Synovic, Matt Hyatt, Taylor R. Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K. Thiruvathukal, and James C. Davis. 2023. An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry. arXiv:2303.02552 [cs.SE]"},{"key":"e_1_3_2_1_39_1","volume-title":"Steering Insight: An Exploration of the Ruby Software Ecosystem. In Software Business","author":"Kabbedijk Jaap","year":"2011","unstructured":"Jaap Kabbedijk and Slinger Jansen. 2011. Steering Insight: An Exploration of the Ruby Software Ecosystem. In Software Business. Springer Berlin Heidelberg."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.1996.558896"},{"key":"e_1_3_2_1_41_1","volume-title":"RAID 2020","author":"Koishybayev Igibek","year":"2020","unstructured":"Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In RAID 2020. USENIX Association. https:\/\/www.usenix.org\/conference\/raid2020\/presentation\/koishybayev"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"R. G. Kula C. D. Roover D. German T. Ishio and K. Inoue. 2014. Visualizing the Evolution of Systems and Their Library Dependencies. In IEEE VISSOFT.","DOI":"10.1109\/VISSOFT.2014.29"},{"key":"e_1_3_2_1_43_1","volume-title":"Diplomat: Using delegations to protect community repositories. In NSDI 16.","author":"Kuppusamy Trishank Karthik","year":"2016","unstructured":"Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016. Diplomat: Using delegations to protect community repositories. In NSDI 16."},{"key":"e_1_3_2_1_44_1","volume-title":"Evaluating defect detection techniques for software requirements inspections. ISERN","author":"Lanubile Filippo","year":"2000","unstructured":"Filippo Lanubile and Giuseppe Visaggio. 2000. Evaluating defect detection techniques for software requirements inspections. ISERN (2000)."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409711"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","unstructured":"Song Li Mingqing Kang Jianwei Hou and Yinzhi Cao. 2021. Detecting Node.Js Prototype Pollution Vulnerabilities via Object Lookup Analysis. 268--279. https: \/\/doi.org\/10.1145\/3468264.3468542","DOI":"10.1145\/3468264.3468542"},{"key":"e_1_3_2_1_47_1","volume-title":"Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. arXiv preprint arXiv:2201.03981","author":"Liu Chengwei","year":"2022","unstructured":"Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, and Xin Peng. 2022. Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. arXiv preprint arXiv:2201.03981 (2022)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","unstructured":"Suhaib Mujahid Rabe Abdalkareem and Emad Shihab. 2022. What are the characteristics of highly-selected packages? A case study on the npm ecosystem. https:\/\/doi.org\/10.48550\/ARXIV.2204.04562","DOI":"10.48550\/ARXIV.2204.04562"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2005.1553571"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2007.13"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134349"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2019.110460"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_3_2_1_54_1","unstructured":"Kranti Nikam. 2022. Screening NPM Packages: Best Practices. https:\/\/medium.c om\/globant\/screening-npm-packages-best-practices-a24930b2624e"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564556"},{"key":"e_1_3_2_1_56_1","volume-title":"SEDE","author":"Perreault Logan","year":"2017","unstructured":"Logan Perreault, Seth Berardinelli, Clemente Izurieta, and John Sheppard. 2017. Using classifiers for software defect detection. In SEDE 2017."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"crossref","unstructured":"Brian Pfretzschner and Lotfi ben Othmane. 2017. Identification of Dependencybased Attacks on Node.Js. In ARES.","DOI":"10.1145\/3098954.3120928"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"crossref","unstructured":"H. Plate S. E. Ponta and A. Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. In ICSME.","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"crossref","unstructured":"Steven Raemaekers Arie van Deursen and Joost Visser. 2013. The maven repository dataset of metrics changes and dependencies. In MSR.","DOI":"10.1109\/MSR.2013.6624031"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"crossref","unstructured":"Eric S Raymond. 1999. The Cathedral and the Bazaar. http:\/\/www.catb.org\/~esr \/writings\/cathedral-bazaar\/cathedral-bazaar\/ar01s04.html","DOI":"10.5210\/fm.v3i2.578"},{"key":"e_1_3_2_1_61_1","unstructured":"Alexis Regnaud. 2021. 7 Tools to Choose the Right NPM Package. https:\/\/javasc ript.plainenglish.io\/7-tools-to-choose-the-right-npm-package-7baf47259ae0"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159733.1159739"},{"key":"e_1_3_2_1_63_1","unstructured":"Sentry. 2023. Codecov.io. https:\/\/about.codecov.io\/"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2009.5069481"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/1083142.1083147"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.entcs.2009.02.058"},{"key":"e_1_3_2_1_67_1","volume-title":"SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS."},{"key":"e_1_3_2_1_68_1","volume-title":"Defending Against Package Typosquatting. In NSS","author":"Taylor Matthew","year":"2020","unstructured":"Matthew Taylor, Ruturaj Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. Defending Against Package Typosquatting. In NSS 2020."},{"key":"e_1_3_2_1_69_1","volume-title":"Dependencies: No Software is an Island. Master's thesis","author":"Tellnes J\u00f8rgen","year":"2013","unstructured":"J\u00f8rgen Tellnes. 2013. Dependencies: No Software is an Island. Master's thesis. The University of Bergen."},{"key":"e_1_3_2_1_70_1","volume-title":"Drew Davidson, and Vaibhav Rastogi.","author":"Vaidya Ruturaj K.","year":"2019","unstructured":"Ruturaj K. Vaidya, Lorenzo De Carli, Drew Davidson, and Vaibhav Rastogi. 2019. Security Issues in Language-based Sofware Ecosystems. CoRR abs\/1903.02613 (2019). arXiv:1903.02613 http:\/\/arxiv.org\/abs\/1903.02613"},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","unstructured":"D. Vu. 2021. py2src: Towards the Automatic (and Reliable) Identification of Sources for PyPI Package. In ASE. https:\/\/doi.org\/10.1109\/ASE51524.2021.9678526","DOI":"10.1109\/ASE51524.2021.9678526"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468592"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159733.1159763"},{"key":"e_1_3_2_1_74_1","unstructured":"Yasas Sri Wickramasinghe. 2021. 5 Best Practices to Choosing Third-Party NPM Packages. https:\/\/blog.bitsrc.io\/5-best-practices-when-choosing-third-partynpm- packages-2198994357f9"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"crossref","unstructured":"Erik Wittern Philippe Suter and Shriram Rajagopalan. 2016. A look at the dynamics of the JavaScript package ecosystem. In MSR.","DOI":"10.1145\/2901739.2901743"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"crossref","unstructured":"Murray Wood Marc Roper Andrew Brooks and James Miller. 1997. Comparing and combining software defect detection techniques: a replicated empirical study. In ESEC\/FSE'97.","DOI":"10.1007\/3-540-63531-9_19"},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510"},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3523262"},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"crossref","unstructured":"A. A. Younis Y. K. Malaiya and I. Ray. 2014. Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability. In HASE.","DOI":"10.1109\/HASE.2014.10"},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"e_1_3_2_1_81_1","doi-asserted-by":"publisher","unstructured":"Ahmed Zerouali Eleni Constantinou Tom Mens Gregorio Robles and Jesus Gonzalez-Barahona. 2018. An Empirical Analysis of Technical Lag in npm Package Dependencies. https:\/\/doi.org\/10.1007\/978--3--319--90421--4_6","DOI":"10.1007\/978--3--319--90421--4_6"},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2019.8667997"},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2011.39"},{"key":"e_1_3_2_1_84_1","unstructured":"Markus Zimmermann Cristian-Alexandru Staicu Cam Tenny and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In USENIX Security 19."},{"key":"e_1_3_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368161"},{"key":"e_1_3_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROMISE.2007.10"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Copenhagen Denmark","acronym":"CCS '23"},"container-title":["Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625216","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605770.3625216","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:18Z","timestamp":1750178178000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625216"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":85,"alternative-id":["10.1145\/3605770.3625216","10.1145\/3605770"],"URL":"https:\/\/doi.org\/10.1145\/3605770.3625216","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}