{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T01:09:39Z","timestamp":1773277779766,"version":"3.50.1"},"reference-count":64,"publisher":"Association for Computing Machinery (ACM)","issue":"PLDI","license":[{"start":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T00:00:00Z","timestamp":1718841600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2024,6,20]]},"abstract":"<jats:p>While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities.<\/jats:p>\n          <jats:p>\n            This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. 
We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing\n            <jats:italic toggle=\"yes\">npm<\/jats:italic>\n            packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in\n            <jats:inline-formula>\n              <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\" display=\"inline\">\n                <mml:mi mathvariant=\"italic\">npm<\/mml:mi>\n              <\/mml:math>\n            <\/jats:inline-formula>\n            packages.\n          <\/jats:p>","DOI":"10.1145\/3656394","type":"journal-article","created":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T16:27:20Z","timestamp":1718900840000},"page":"417-441","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs"],"prefix":"10.1145","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5307-4279","authenticated-orcid":false,"given":"Mafalda","family":"Ferreira","sequence":"first","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6346-7340","authenticated-orcid":false,"given":"Miguel","family":"Monteiro","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5982-9794","authenticated-orcid":false,"given":"Tiago","family":"Brito","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, 
Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7191-5895","authenticated-orcid":false,"given":"Miguel E.","family":"Coimbra","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9938-0653","authenticated-orcid":false,"given":"Nuno","family":"Santos","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8160-349X","authenticated-orcid":false,"given":"Limin","family":"Jia","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5077-300X","authenticated-orcid":false,"given":"Jos\u00e9 Fragoso","family":"Santos","sequence":"additional","affiliation":[{"name":"INESC-ID, Lisboa, Portugal"},{"name":"Instituto Superior T\u00e9cnico, Universidade de Lisboa, Lisboa, Portugal"}]}],"member":"320","published-online":{"date-parts":[[2024,6,20]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635916"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD53861.2021.00014"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00096"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2023.3286301"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102745"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664256"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00068"},{"key":"e_1_3_1_11_2","unstructured":"CodeQL. 2024. 
https:\/\/codeql.github.com\/."},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/512950.512973"},{"key":"e_1_3_1_13_2","unstructured":"CVE - Mitre. 2024. Mitre corporation homepage. https:\/\/cve.mitre.org\/."},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2015.7054185"},{"key":"e_1_3_1_15_2","unstructured":"Esprima. 2021. ECMAScript parsing infrastructure for multipurpose analysis. https:\/\/esprima.org\/index.html."},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345656"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359813"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484745"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606621"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179395"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","unstructured":"Mafalda Ferreira Miguel Monteiro Tiago Brito Miguel E. Coimbra Nuno Santos Limin Jia and Jos\u00e9 Fragoso Santos. 2024. Graph.js PLDI24 Artifact Evaluation. https:\/\/doi.org\/10.5281\/zenodo.10936488 10.5281\/zenodo.10936488","DOI":"10.5281\/zenodo.10936488"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","unstructured":"Mafalda Ferreira Miguel Monteiro Tiago Brito Miguel E. Coimbra Nuno Santos Limin Jia and Jos\u00e9 Fragoso Santos. 2024. Technical Report: Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs. https:\/\/doi.org\/10.5281\/zenodo.10933020 10.5281\/zenodo.10933020","DOI":"10.5281\/zenodo.10933020"},{"key":"e_1_3_1_23_2","unstructured":"GitHub Advisory Database. 2023. https:\/\/github.com\/advisories."},{"key":"e_1_3_1_24_2","volume-title":"Dynamic Analysis for JavaScript Code","author":"Gong Liang","year":"2018","unstructured":"Liang Gong. 2018. Dynamic Analysis for JavaScript Code. Ph. D. Dissertation. 
University of California, Berkeley."},{"key":"e_1_3_1_25_2","unstructured":"Huntr.dev. 2023. https:\/\/huntr.dev\/."},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/1529282.1529711"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03237-0_17"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179352"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635904"},{"key":"e_1_3_1_30_2","first-page":"2525","volume-title":"30th USENIX Security Symposium (SEC \u201921)","author":"Khodayari Soheil","year":"2021","unstructured":"Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. In 30th USENIX Security Symposium (SEC \u201921). USENIX Association, USA, 2525\u20132542. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/khodayari"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-020-00537-0"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.28"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2023-0046"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.08.227"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831189"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468542"},{"key":"e_1_3_1_37_2","first-page":"143","volume-title":"Proceedings of the 31st USENIX Security Symposium (SEC \u201922)","author":"Li Song","year":"2022","unstructured":"Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. In Proceedings of the 31st USENIX Security Symposium (SEC \u201922). USENIX Association, USA, 143\u2013160. 
https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/li-song"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.33"},{"key":"e_1_3_1_39_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS \u201909)","author":"Nadji Yacin","year":"2009","unstructured":"Yacin Nadji, Prateek Saxena, and Dawn Song. 2009. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In Proceedings of the Network and Distributed System Security Symposium (NDSS \u201909). The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2009\/document-structure-integrity-a-robust-basis-for-cross-site-scripting-defense\/"},{"key":"e_1_3_1_40_2","unstructured":"Neo4j. 2023. Cypher Query Language. https:\/\/neo4j.com\/developer\/cypher\/."},{"key":"e_1_3_1_41_2","unstructured":"Neo4j. 2023. Graph Database and Analytics. https:\/\/neo4j.com."},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2020.16"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2021.102752"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468556"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-C.2017.4"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24610"},{"key":"e_1_3_1_50_2","unstructured":"Snyk. 2023. 
https:\/\/snyk.io\/."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00058"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31057-7_20"},{"key":"e_1_3_1_53_2","first-page":"361","volume-title":"27th USENIX Security Symposium (SEC \u201918)","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 27th USENIX Security Symposium (SEC \u201918). USENIX Association, Baltimore, MD, 361\u2013376. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/staicu"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23076"},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380390"},{"key":"e_1_3_1_56_2","first-page":"655","volume-title":"Proceedings of the 23rd USENIX Security Symposium (SEC \u201814\u2019)","author":"Stock Ben","year":"2014","unstructured":"Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise Client-side Protection against DOM-based Cross-Site Scripting. In Proceedings of the 23rd USENIX Security Symposium (SEC \u201814\u2019). USENIX Association, San Diego, CA, 655\u2013670. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/stock"},{"key":"e_1_3_1_57_2","unstructured":"The MITRE Corporation. 2023. CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u2019Prototype Pollution\u2019). https:\/\/cwe.mitre.org\/data\/definitions\/1321.html."},{"key":"e_1_3_1_58_2","unstructured":"The MITRE Corporation. 2023. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u2019Path Traversal\u2019). https:\/\/cwe.mitre.org\/data\/definitions\/22.html."},{"key":"e_1_3_1_59_2","unstructured":"The MITRE Corporation. 2023. 
CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019). https:\/\/cwe.mitre.org\/data\/definitions\/78.html."},{"key":"e_1_3_1_60_2","unstructured":"The MITRE Corporation. 2023. CWE-94: Improper Control of Generation of Code (\u2018Code Injection\u2019). https:\/\/cwe.mitre.org\/data\/definitions\/94.html."},{"key":"e_1_3_1_61_2","volume-title":"20th USENIX Security Symposium (SEC \u201921)","author":"Xiao Feng","year":"2021","unstructured":"Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, and Wenke Lee. 2021. Abusing hidden properties to attack the node.js ecosystem. In 20th USENIX Security Symposium (SEC \u201921). USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/xiao"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.54"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616584"},{"key":"e_1_3_1_65_2","first-page":"995","volume-title":"28th USENIX Security Symposium (SEC \u201919)","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In 28th USENIX Security Symposium (SEC \u201919). USENIX Association, Santa Clara, CA, 995\u20131010. 
https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/zimmerman"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3656394","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3656394","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T20:39:50Z","timestamp":1751661590000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3656394"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,20]]},"references-count":64,"journal-issue":{"issue":"PLDI","published-print":{"date-parts":[[2024,6,20]]}},"alternative-id":["10.1145\/3656394"],"URL":"https:\/\/doi.org\/10.1145\/3656394","relation":{},"ISSN":["2475-1421"],"issn-type":[{"value":"2475-1421","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,6,20]]},"assertion":[{"value":"2024-06-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}