{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T21:15:18Z","timestamp":1768338918904,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":35,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T00:00:00Z","timestamp":1701302400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"JSPS KAKENHI","award":["20K19774, 23H03375, 20H05706"],"award-info":[{"award-number":["20K19774, 23H03375, 20H05706"]}]},{"name":"JST SICORP","award":["JPMJSC2206"],"award-info":[{"award-number":["JPMJSC2206"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3611643.3613086","type":"proceedings-article","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T23:14:38Z","timestamp":1701386078000},"page":"2077-2081","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9978-9889","authenticated-orcid":false,"given":"Supatsara","family":"Wattanakriengkrai","sequence":"first","affiliation":[{"name":"NAIST, Nara, Japan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2324-0608","authenticated-orcid":false,"given":"Raula Gaikovina","family":"Kula","sequence":"additional","affiliation":[{"name":"NAIST, Nara, Japan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6919-2149","authenticated-orcid":false,"given":"Christoph","family":"Treude","sequence":"additional","affiliation":[{"name":"University of Melbourne, Melbourne, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7418-9323","authenticated-orcid":false,"given":"Kenichi","family":"Matsumoto","sequence":"additional","affiliation":[{"name":"NAIST, Nara, Japan"}]}],"member":"320","published-online":{"date-parts":[[2023,11,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"1998. eval() - JavaScript | MDN. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Global_Objects\/eval"},{"key":"e_1_3_2_2_2_1","unstructured":"2009. File system | Node.js v20.0.0 Documentation. https:\/\/nodejs.org\/api\/fs.html#fs_file_system"},{"key":"e_1_3_2_2_3_1","unstructured":"2009. Net | Node.js v20.0.0 Documentation. https:\/\/nodejs.org\/api\/net.html"},{"key":"e_1_3_2_2_4_1","unstructured":"2011. veged\/coa: Command-Option-Argument: Get more from defining your command line interface. https:\/\/github.com\/veged\/coa"},{"key":"e_1_3_2_2_5_1","unstructured":"2012. dominictarr\/rc: The non-configurable configuration loader for lazy people.. https:\/\/github.com\/dominictarr\/rc"},{"key":"e_1_3_2_2_6_1","unstructured":"2012. faisalman\/ua-parser-js: UAParser.js - Detect Browser Engine OS CPU and Device type\/model from User-Agent data. Supports browser & node.js environment.. https:\/\/github.com\/faisalman\/ua-parser-js"},{"key":"e_1_3_2_2_7_1","unstructured":"2014. About npm | npm Docs. https:\/\/docs.npmjs.com\/about-npm"},{"key":"e_1_3_2_2_8_1","unstructured":"2015. Libraries.io - The Open Source Discovery Service. https:\/\/libraries.io\/"},{"key":"e_1_3_2_2_9_1","unstructured":"2019. The complete package: Everything you need to know about npm security | The Daily Swig. https:\/\/portswigger.net\/daily-swig\/the-complete-package-everything-you-need-to-know-about-npm-security"},{"key":"e_1_3_2_2_10_1","unstructured":"2020. Alpha-Omega - Open Source Security Foundation. https:\/\/openssf.org\/community\/alpha-omega\/"},{"key":"e_1_3_2_2_11_1","unstructured":"2020. GitHub - ossf\/criticality_score: Gives criticality score for an open source project. https:\/\/github.com\/ossf\/criticality_score"},{"key":"e_1_3_2_2_12_1","unstructured":"2020. GitHub - ossf\/scorecard: OpenSSF Scorecard - Security health metrics for Open Source. https:\/\/github.com\/ossf\/scorecard"},{"key":"e_1_3_2_2_13_1","unstructured":"2020. GitHub - ossf\/wg-best-practices-os-developers: The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.. https:\/\/github.com\/ossf\/wg-best-practices-os-developers"},{"key":"e_1_3_2_2_14_1","unstructured":"2021. Sonatype\u2019s 2021 Software Supply Chain Report. https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021"},{"key":"e_1_3_2_2_15_1","unstructured":"2021. YfryTchsGD\/Log4jAttackSurface. https:\/\/github.com\/YfryTchsGD\/Log4jAttackSurface"},{"key":"e_1_3_2_2_16_1","unstructured":"2022. Top-100 npm package maintainers now require 2FA. https:\/\/github.blog\/2022-02-01-top-100-npm-package-maintainers-require-2fa-additional-security\/"},{"key":"e_1_3_2_2_17_1","unstructured":"2023. JavaScript eval security best practices. https:\/\/www.codiga.io\/blog\/javascript-eval-best-practices\/"},{"key":"e_1_3_2_2_18_1","unstructured":"2023. JavaScript require vs import. https:\/\/flexiple.com\/javascript\/javascript-require-vs-import\/#how-it-works"},{"key":"e_1_3_2_2_19_1","unstructured":"2023. JavaScript Require \u2013 How to Use the require() Function in JS. https:\/\/www.freecodecamp.org\/news\/how-to-use-the-javascript-require-function\/"},{"key":"e_1_3_2_2_20_1","unstructured":"2023. Unsafe Rust - The Rust Programming Language. https:\/\/doc.rust-lang.org\/book\/ch19-01-unsafe-rust.html"},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09792-9"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2002.01139"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","unstructured":"Kalil Garrett Gabriel Ferreira Limin Jia Joshua Sunshine and Christian K\u00e4stner. 2019. Detecting Suspicious Package Updates. In ICSE: New Ideas and Emerging Results. 13\u201316. https:\/\/doi.org\/10.1109\/ICSE-NIER.2019.00012 10.1109\/ICSE-NIER.2019.00012","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","unstructured":"Mehdi Golzadeh. 2019. Analysing Socio-technical Congruence in the Package Dependency Network of Cargo. In ESEC\/FSE. https:\/\/doi.org\/10.1145\/3338906.3342497 10.1145\/3338906.3342497","DOI":"10.1145\/3338906.3342497"},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534398"},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","unstructured":"Vittunyuta Maeprasart Supatsara Wattanakriengkrai Raula Kula Christoph Treude and Kenichi Matsumoto. 2023. Understanding the Role of External Pull Requests in the NPM Ecosystem. EMSE 03 https:\/\/doi.org\/10.1007\/s10664-023-10315-w 10.1007\/s10664-023-10315-w","DOI":"10.1007\/s10664-023-10315-w"},{"key":"e_1_3_2_2_29_1","volume-title":"26th USENIX Security Symposium. 1271\u20131287","author":"Nikitin Kirill","year":"2017","unstructured":"Kirill Nikitin, Eleftherios Kokoris-Kogias, Philipp Jovanovic, Nicolas Gailly, Linus Gasser, Ismail Khoffi, Justin Cappos, and Bryan Ford. 2017. CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds. In 26th USENIX Security Symposium. 1271\u20131287."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","unstructured":"A. Sejfia and M. Schafer. 2022. Practical Automated Detection of Malicious npm Packages. In ICSE. 1681\u20131692. https:\/\/doi.org\/10.1145\/3510003.3510104 10.1145\/3510003.3510104","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2020.3041241"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3225197"},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179378"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","unstructured":"Nusrat Zahan Shohanuzzaman Shohan Dan Harris and Laurie Williams. 2023. Do Software Security Practices Yield Fewer Vulnerabilities? In ICSE: Software Engineering in Practice. https:\/\/doi.org\/10.1109\/ICSE-SEIP58684.2023.00032 10.1109\/ICSE-SEIP58684.2023.00032","DOI":"10.1109\/ICSE-SEIP58684.2023.00032"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10154-1"}],"event":{"name":"ESEC\/FSE '23: 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"San Francisco CA USA","acronym":"ESEC\/FSE '23","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3613086","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611643.3613086","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:10Z","timestamp":1750178230000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3613086"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,30]]},"references-count":35,"alternative-id":["10.1145\/3611643.3613086","10.1145\/3611643"],"URL":"https:\/\/doi.org\/10.1145\/3611643.3613086","relation":{},"subject":[],"published":{"date-parts":[[2023,11,30]]},"assertion":[{"value":"2023-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}