{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T05:13:31Z","timestamp":1769750011254,"version":"3.49.0"},"reference-count":98,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","funder":[{"name":"National Science Foundation","award":["2206859,2317168"],"award-info":[{"award-number":["2206859,2317168"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,19]]},"abstract":"<jats:p>\n            Recent high-profile incidents in open-source software have greatly raised practitioner attention on software supply chain attacks. To guard against potential malicious package updates, security practitioners advocate\n            <jats:italic toggle=\"yes\">pinning<\/jats:italic>\n            dependency to specific versions rather than\n            <jats:italic toggle=\"yes\">floating<\/jats:italic>\n            in version ranges. However, it remains controversial whether pinning carries a meaningful security benefit that outweighs the cost of maintaining outdated and possibly vulnerable dependencies. In this paper, we quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem. By simulating dependency resolutions over historical time points, we find that pinning direct dependencies not only (as expected) increases the cost of maintaining vulnerable and outdated dependencies, but also (surprisingly) even increases the risk of exposure to malicious package updates in larger dependency graphs due to the specifics of npm\u2019s dependency resolution mechanism. Finally, we explore collective pinning strategies to secure the ecosystem against supply chain attacks, suggesting specific changes to npm to enable such interventions. 
Our study provides guidance for practitioners and tool designers to manage their supply chains more securely.\n          <\/jats:p>","DOI":"10.1145\/3715728","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:16:02Z","timestamp":1750346162000},"page":"266-289","source":"Crossref","is-referenced-by-count":4,"title":["Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8311-6559","authenticated-orcid":false,"given":"Hao","family":"He","sequence":"first","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4418-5783","authenticated-orcid":false,"given":"Bogdan","family":"Vasilescu","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4450-4572","authenticated-orcid":false,"given":"Christian","family":"K\u00e4stner","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,6,19]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"27th IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2020","author":"Abate Pietro","year":"2020","unstructured":"Pietro Abate, Roberto Di Cosmo, Georgios Gousios, and Stefano Zacchiroli. 2020. Dependency Solving Is Still Hard, but We Are Getting Better at It. In 27th IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2020, London, ON, Canada, February 18-21, 2020. IEEE, 547\u2013551. 
https:\/\/doi.org\/10.1109\/SANER48275.2020.9054837 10.1109\/SANER48275.2020.9054837"},{"key":"e_1_2_1_2_1","volume-title":"Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ESEC\/FSE 2017","author":"Abdalkareem Rabe","year":"2017","unstructured":"Rabe Abdalkareem, Olivier Nourry, Sultan Wehaibi, Suhaib Mujahid, and Emad Shihab. 2017. Why do developers use trivial packages? An empirical case study on npm. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ESEC\/FSE 2017, Paderborn, Germany, September 4-8, 2017. ACM, 385\u2013395. https:\/\/doi.org\/10.1145\/3106237.3106267 10.1145\/3106237.3106267"},{"key":"e_1_2_1_3_1","volume-title":"On the Use of Dependabot Security Pull Requests. In 18th IEEE\/ACM International Conference on Mining Software Repositories, MSR 2021","author":"Alfadel Mahmoud","year":"2021","unstructured":"Mahmoud Alfadel, Diego Elias Costa, Emad Shihab, and Mouafak Mkhallalati. 2021. On the Use of Dependabot Security Pull Requests. In 18th IEEE\/ACM International Conference on Mining Software Repositories, MSR 2021, Madrid, Spain, May 17-19, 2021. IEEE, 254\u2013265. https:\/\/doi.org\/10.1109\/MSR52588.2021.00037 10.1109\/MSR52588.2021.00037"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447245"},{"key":"e_1_2_1_5_1","unstructured":"Josh Bressers. 2022. Fact vs. Feelings. https:\/\/opensourcesecurity.io\/2022\/03\/21\/facts-vs-feelings\/"},{"key":"e_1_2_1_6_1","first-page":"357","article-title":"Fixed-effects panel regression","volume":"327","author":"Br\u00fcderl Josef","year":"2015","unstructured":"Josef Br\u00fcderl and Volker Ludwig. 2015. Fixed-effects panel regression. The Sage Handbook of Regression Analysis and Causal Inference, 327 (2015), 357.","journal-title":"The Sage Handbook of Regression Analysis and Causal Inference"},{"key":"e_1_2_1_7_1","unstructured":"Checkmarx. 2023. NPM Account Takeover Results in Crypto Supply Chain Attack. 
https:\/\/checkmarx.com\/blog\/npm-account-takeover-results-in-crypto-supply-chain-attack\/"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/S10664-021-09951-X"},{"key":"e_1_2_1_9_1","volume-title":"Measuring Dependency Freshness in Software Systems. In 37th IEEE\/ACM International Conference on Software Engineering, ICSE 2015","volume":"2","author":"Cox Joel","year":"2015","unstructured":"Joel Cox, Eric Bouwers, Marko C. J. D. van Eekelen, and Joost Visser. 2015. Measuring Dependency Freshness in Software Systems. In 37th IEEE\/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 2. IEEE Computer Society, 109\u2013118. https:\/\/doi.org\/10.1109\/ICSE.2015.140 10.1109\/ICSE.2015.140"},{"key":"e_1_2_1_10_1","unstructured":"Yves Croissant Giovanni Millo Kevin Tappe Ott Toomet Christian Kleiber Achim Zeileis Arne Henningsen Liviu Andronic and Nina Schoenfelder. 2024. plm: Linear Models for Panel Data. https:\/\/cran.r-project.org\/web\/packages\/plm"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1001\/archinte.159.17.2070"},{"key":"e_1_2_1_12_1","unstructured":"Mark Curphey. 2022. Dependency Pinning Only Works If You Actually Review the Updates. https:\/\/crashoverride.com\/blog\/dependency-pinning-only-works-if-you-actually-review-the-updates"},{"key":"e_1_2_1_13_1","unstructured":"Erik DeBill. 2024. Modulecounts. http:\/\/www.modulecounts.com\/"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2918315"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the 15th International Conference on Mining Software Repositories, MSR 2018","author":"Decan Alexandre","year":"2018","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the impact of security vulnerabilities in the npm package dependency network. 
In Proceedings of the 15th International Conference on Mining Software Repositories, MSR 2018, Gothenburg, Sweden, May 28-29, 2018. ACM, 181\u2013191. https:\/\/doi.org\/10.1145\/3196398.3196401 10.1145\/3196398.3196401"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/S10664-017-9589-Y"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the 16th International Conference on Mining Software Repositories, MSR 2019","author":"Dietrich Jens","year":"2019","unstructured":"Jens Dietrich, David J. Pearce, Jacob Stringer, Amjed Tahir, and Kelly Blincoe. 2019. Dependency versioning in the wild. In Proceedings of the 16th International Conference on Mining Software Repositories, MSR 2019, 26-27 May 2019, Montreal, Canada. IEEE \/ ACM, 349\u2013359. https:\/\/doi.org\/10.1109\/MSR.2019.00061 10.1109\/MSR.2019.00061"},{"key":"e_1_2_1_18_1","unstructured":"Nadia Eghbal. 2016. Roads and Bridges. The Unseen Labor Behind our Digital Infrastructure."},{"key":"e_1_2_1_19_1","unstructured":"ENISA. 2023. Good Practices for Supply Chain Cybersecurity. https:\/\/www.enisa.europa.eu\/publications\/good-practices-for-supply-chain-cybersecurity"},{"key":"e_1_2_1_20_1","volume-title":"29th ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Fan Gang","year":"2020","unstructured":"Gang Fan, Chengpeng Wang, Rongxin Wu, Xiao Xiao, Qingkai Shi, and Charles Zhang. 2020. Escaping dependency hell: finding build dependency errors with the unified dependency graph. In ISSTA \u201920: 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, USA, July 18-22, 2020. ACM, 463\u2013474. https:\/\/doi.org\/10.1145\/3395363.3397388 10.1145\/3395363.3397388"},{"key":"e_1_2_1_21_1","volume-title":"For Good Measure: Counting Broken Links: A Quant\u2019s View of Software Supply Chain Security. login Usenix Mag., 45, 4","author":"Geer Dan","year":"2020","unstructured":"Dan Geer, Bentz Tozer, and John Speed Meyers. 2020. 
For Good Measure: Counting Broken Links: A Quant\u2019s View of Software Supply Chain Security. login Usenix Mag., 45, 4 (2020), https:\/\/www.usenix.org\/publications\/login\/winter2020\/geer"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1037\/a0017543"},{"key":"e_1_2_1_23_1","unstructured":"GitHub. 2024. GitHub Advisory Database. https:\/\/github.com\/advisories"},{"key":"e_1_2_1_24_1","unstructured":"Google. 2024. Assured Open Source Software. https:\/\/cloud.google.com\/security\/products\/assured-open-source-software"},{"key":"e_1_2_1_25_1","volume-title":"Package Management: The problem with using version ranges. https:\/\/news.ycombinator.com\/item?id=14759329","author":"News Hacker","year":"2017","unstructured":"Hacker News. 2017. Package Management: The problem with using version ranges. https:\/\/news.ycombinator.com\/item?id=14759329"},{"key":"e_1_2_1_26_1","unstructured":"Hacker News. 2018. I have misgivings about all these version pinning.... https:\/\/news.ycombinator.com\/item?id=16422916"},{"key":"e_1_2_1_27_1","unstructured":"Christoph Hanck Martin Arnold Alexander Gerber and Martin Schmelzer. 2021. Regression with Panel Data. In Introduction to Econometrics with R. Universit\u00e4t Duisburg-Essen. https:\/\/www.econometrics-with-r.org\/10-rwpd.html"},{"key":"e_1_2_1_28_1","volume-title":"29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"He Hao","year":"2021","unstructured":"Hao He, Runzhi He, Haiqiao Gu, and Minghui Zhou. 2021. A large-scale empirical study on Java library migrations: prevalence, trends, and rationales. In ESEC\/FSE \u201921: 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Athens, Greece, August 23-28, 2021. ACM, 478\u2013490. 
https:\/\/doi.org\/10.1145\/3468264.3468571 10.1145\/3468264.3468571"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3278129"},{"key":"e_1_2_1_30_1","unstructured":"IBM. 2021. What is the Log4j vulnerability? https:\/\/www.ibm.com\/topics\/log4j"},{"key":"e_1_2_1_31_1","volume-title":"Exploit Prediction Scoring System (EPSS). CoRR, abs\/1908.04856","author":"Jacobs Jay","year":"2019","unstructured":"Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, and Idris Adjerid. 2019. Exploit Prediction Scoring System (EPSS). CoRR, abs\/1908.04856 (2019), arXiv:1908.04856. arxiv:1908.04856"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3106247"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3603110"},{"key":"e_1_2_1_34_1","volume-title":"Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023","author":"Jayasuriya Dhanushka","year":"2023","unstructured":"Dhanushka Jayasuriya, Valerio Terragni, Jens Dietrich, Samuel Ou, and Kelly Blincoe. 2023. Understanding Breaking Changes in the Wild. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023, Seattle, WA, USA, July 17-21, 2023. ACM, 1433\u20131444. https:\/\/doi.org\/10.1145\/3597926.3598147 10.1145\/3597926.3598147"},{"key":"e_1_2_1_35_1","unstructured":"Dezhen Kong Jiakun Liu Lingfeng Bao and David Lo. 2024. Towards Better Comprehension of Breaking Changes in the NPM Ecosystem. arXiv preprint arXiv:2408.14431 arxiv:2408.14431"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/S10664-017-9521-5"},{"key":"e_1_2_1_37_1","volume-title":"SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. In 44th IEEE Symposium on Security and Privacy, SP 2023","author":"Ladisa Piergiorgio","year":"2023","unstructured":"Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais. 2023. 
SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. In 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023. IEEE, 1509\u20131526. https:\/\/doi.org\/10.1109\/SP46215.2023.10179304 10.1109\/SP46215.2023.10179304"},{"key":"e_1_2_1_38_1","volume-title":"37th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2022","author":"Latendresse Jasmine","year":"2022","unstructured":"Jasmine Latendresse, Suhaib Mujahid, Diego Elias Costa, and Emad Shihab. 2022. Not All Dependencies are Equal: An Empirical Study on Production Dependencies in NPM. In 37th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2022, Rochester, MI, USA, October 10-14, 2022. ACM, 73:1\u201373:12. https:\/\/doi.org\/10.1145\/3551349.3556896 10.1145\/3551349.3556896"},{"key":"e_1_2_1_39_1","unstructured":"Max Leiter. 2023. Pin your npm\/yarn dependencies. https:\/\/maxleiter.com\/blog\/pin-dependencies"},{"key":"e_1_2_1_40_1","volume-title":"44th IEEE\/ACM 44th International Conference on Software Engineering, ICSE 2022","author":"Liu Chengwei","year":"2022","unstructured":"Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, and Xin Peng. 2022. Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem. In 44th IEEE\/ACM 44th International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, May 25-27, 2022. ACM, 672\u2013684. https:\/\/doi.org\/10.1145\/3510003.3510142 10.1145\/3510003.3510142"},{"key":"e_1_2_1_41_1","volume-title":"Package Management: Stop Using Version Ranges. https:\/\/www.lucidchart.com\/techblog\/2017\/03\/15\/package-management-stop-using-version-ranges\/","year":"2017","unstructured":"Lucid. 2017. Package Management: Stop Using Version Ranges. 
https:\/\/www.lucidchart.com\/techblog\/2017\/03\/15\/package-management-stop-using-version-ranges\/"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/S10664-020-09905-9"},{"key":"e_1_2_1_43_1","volume-title":"Managing the Complexity of Large Free and Open Source Package-Based Software Distributions. In 21st IEEE\/ACM International Conference on Automated Software Engineering (ASE 2006)","author":"Mancinelli Fabio","year":"2006","unstructured":"Fabio Mancinelli, Jaap Boender, Roberto Di Cosmo, Jerome Vouillon, Berke Durak, Xavier Leroy, and Ralf Treinen. 2006. Managing the Complexity of Large Free and Open Source Package-Based Software Distributions. In 21st IEEE\/ACM International Conference on Automated Software Engineering (ASE 2006), 18-22 September 2006, Tokyo, Japan. IEEE Computer Society, 199\u2013208. https:\/\/doi.org\/10.1109\/ASE.2006.49 10.1109\/ASE.2006.49"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.18280\/ijsse.110505"},{"key":"e_1_2_1_45_1","volume-title":"32nd European Conference on Object-Oriented Programming, ECOOP 2018","volume":"24","author":"Mezzetti Gianluca","year":"2018","unstructured":"Gianluca Mezzetti, Anders M\u00f8ller, and Martin Toldam Torp. 2018. Type Regression Testing to Detect Breaking Changes in Node.js Libraries. In 32nd European Conference on Object-Oriented Programming, ECOOP 2018, July 16-21, 2018, Amsterdam, The Netherlands (LIPIcs, Vol. 109). Schloss Dagstuhl - Leibniz-Zentrum f\u00fcr Informatik, 7:1\u20137:24. https:\/\/doi.org\/10.4230\/LIPICS.ECOOP.2018.7 10.4230\/LIPICS.ECOOP.2018.7"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2023","author":"Miller Courtney","year":"2023","unstructured":"Courtney Miller, Christian K\u00e4stner, and Bogdan Vasilescu. 2023. 
\"We Feel Like We\u2019re Winging It: \" A Study on Navigating Open-Source Dependency Abandonment. In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2023, San Francisco, CA, USA, December 3-9, 2023. ACM, 1281\u20131293. https:\/\/doi.org\/10.1145\/3611643.3616293 10.1145\/3611643.3616293"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 32nd IEEE\/ACM International Conference on Automated Software Engineering, ASE 2017","author":"Mirhosseini Samim","year":"2017","unstructured":"Samim Mirhosseini and Chris Parnin. 2017. Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In Proceedings of the 32nd IEEE\/ACM International Conference on Automated Software Engineering, ASE 2017, Urbana, IL, USA, October 30 - November 03, 2017. IEEE Computer Society, 84\u201394. https:\/\/doi.org\/10.1109\/ASE.2017.8115621 10.1109\/ASE.2017.8115621"},{"key":"e_1_2_1_48_1","volume-title":"Counterfactuals and causal inference","author":"Morgan Stephen L","unstructured":"Stephen L Morgan and Christopher Winship. 2015. Counterfactuals and causal inference. Cambridge University Press."},{"key":"e_1_2_1_49_1","volume-title":"30th ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Mukherjee Suchita","year":"2021","unstructured":"Suchita Mukherjee, Abigail Almanza, and Cindy Rubio-Gonz\u00e1lez. 2021. Fixing dependency errors for Python build reproducibility. In ISSTA \u201921: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, Denmark, July 11-17, 2021, Cristian Cadar and Xiangyu Zhang (Eds.). ACM, 439\u2013451. https:\/\/doi.org\/10.1145\/3460319.3464797 10.1145\/3460319.3464797"},{"key":"e_1_2_1_50_1","unstructured":"npm. 2023. About semantic versioning | npm Docs. https:\/\/docs.npmjs.com\/about-semantic-versioning"},{"key":"e_1_2_1_51_1","unstructured":"npm. 2023. npm. 
https:\/\/docs.npmjs.com\/about-npm"},{"key":"e_1_2_1_52_1","unstructured":"npm. 2023. package-lock.json | npm Docs. https:\/\/docs.npmjs.com\/cli\/v10\/configuring-npm\/package-lock-json"},{"key":"e_1_2_1_53_1","unstructured":"npm. 2024. How npm3 Works. https:\/\/npm.github.io\/how-npm-works-docs\/npm3\/how-npm3-works.html"},{"key":"e_1_2_1_54_1","unstructured":"npm. 2024. npm-install | npm Docs. https:\/\/docs.npmjs.com\/cli\/v8\/commands\/npm-install"},{"key":"e_1_2_1_55_1","volume-title":"17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24-26, 2020, Proceedings (Lecture Notes in Computer Science","volume":"43","author":"Ohm Marc","year":"2020","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber\u2019s Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24-26, 2020, Proceedings (Lecture Notes in Computer Science, Vol. 12223). Springer, 23\u201343. https:\/\/doi.org\/10.1007\/978-3-030-52683-2_2 10.1007\/978-3-030-52683-2_2"},{"key":"e_1_2_1_56_1","unstructured":"OpenSSF. 2023. OpenSSF Scorecard. https:\/\/github.com\/ossf\/scorecard\/blob\/main\/docs\/checks.md##pinned-dependencies"},{"key":"e_1_2_1_57_1","volume-title":"Proceedings of the 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2018","author":"Pashchenko Ivan","year":"2018","unstructured":"Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2018. Vulnerable open source dependencies: counting those that matter. In Proceedings of the 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2018, Oulu, Finland, October 11-12, 2018. ACM, 42:1\u201342:10. 
https:\/\/doi.org\/10.1145\/3239235.3268920 10.1145\/3239235.3268920"},{"key":"e_1_2_1_58_1","volume-title":"2020 ACM SIGSAC Conference on Computer and Communications Security","author":"Pashchenko Ivan","year":"2020","unstructured":"Ivan Pashchenko, Duc Ly Vu, and Fabio Massacci. 2020. A Qualitative Study of Dependency Management and Its Security Implications. In CCS \u201920: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020. ACM, 1513\u20131531. https:\/\/doi.org\/10.1145\/3372297.3417232 10.1145\/3372297.3417232"},{"key":"e_1_2_1_59_1","volume-title":"20th IEEE\/ACM International Conference on Mining Software Repositories, MSR 2023","author":"Pinckney Donald","year":"2023","unstructured":"Donald Pinckney, Federico Cassano, Arjun Guha, and Jonathan Bell. 2023. A Large Scale Analysis of Semantic Versioning in NPM. In 20th IEEE\/ACM International Conference on Mining Software Repositories, MSR 2023, Melbourne, Australia, May 15-16, 2023. IEEE, 485\u2013497. https:\/\/doi.org\/10.1109\/MSR59073.2023.00073 10.1109\/MSR59073.2023.00073"},{"key":"e_1_2_1_60_1","volume-title":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2023","author":"Pinckney Donald","year":"2023","unstructured":"Donald Pinckney, Federico Cassano, Arjun Guha, and Jonathan Bell. 2023. npm-follower: A Complete Dataset Tracking the NPM Ecosystem. In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2023, San Francisco, CA, USA, December 3-9, 2023. ACM, 2132\u20132136. 
https:\/\/doi.org\/10.1145\/3611643.3613094 10.1145\/3611643.3613094"},{"key":"e_1_2_1_61_1","volume-title":"45th IEEE\/ACM International Conference on Software Engineering, ICSE 2023","author":"Pinckney Donald","year":"2023","unstructured":"Donald Pinckney, Federico Cassano, Arjun Guha, Jonathan Bell, Massimiliano Culpo, and Todd Gamblin. 2023. Flexible and Optimal Dependency Management via Max-SMT. In 45th IEEE\/ACM International Conference on Software Engineering, ICSE 2023, Melbourne, Australia, May 14-20, 2023. IEEE, 1418\u20131429. https:\/\/doi.org\/10.1109\/ICSE48619.2023.00124 10.1109\/ICSE48619.2023.00124"},{"key":"e_1_2_1_62_1","unstructured":"Tom Preston-Werner. 2023. Semantic versioning 2.0.0. https:\/\/semver.org\/"},{"key":"e_1_2_1_63_1","unstructured":"Maciej Radzikowski. 2021. Pin exact dependency versions. https:\/\/betterdev.blog\/pin-exact-dependency-versions\/"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1016\/J.JSS.2016.04.008"},{"key":"e_1_2_1_65_1","unstructured":"Matt Raible. 2019. Semantic Versioning Sucks! Long Live Semantic Versioning. https:\/\/developer.okta.com\/blog\/2019\/12\/16\/semantic-versioning"},{"key":"e_1_2_1_66_1","unstructured":"Renovate Bot. 2018. Should you pin your JavaScript dependencies? https:\/\/docs.renovatebot.com\/dependency-pinning"},{"key":"e_1_2_1_67_1","volume-title":"Organizational culture and leadership. 2","author":"Schein Edgar H","unstructured":"Edgar H Schein. 2010. Organizational culture and leadership. 2, John Wiley & Sons."},{"key":"e_1_2_1_68_1","first-page":"263391372412319","article-title":"Modeling interconnected social and technical risks in open source software ecosystems","volume":"3","author":"Schueller William","year":"2024","unstructured":"William Schueller and Johannes Wachs. 2024. Modeling interconnected social and technical risks in open source software ecosystems. 
Collective Intelligence, 3, 1 (2024), 26339137241231912.","journal-title":"Collective Intelligence"},{"key":"e_1_2_1_69_1","volume-title":"44th IEEE\/ACM 44th International Conference on Software Engineering, ICSE 2022","author":"Sejfia Adriana","year":"2022","unstructured":"Adriana Sejfia and Max Sch\u00e4fer. 2022. Practical Automated Detection of Malicious npm Packages. In 44th IEEE\/ACM 44th International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, May 25-27, 2022. ACM, 1681\u20131692. https:\/\/doi.org\/10.1145\/3510003.3510104 10.1145\/3510003.3510104"},{"key":"e_1_2_1_70_1","first-page":"111","article-title":"A practical guide to calculating Cohen\u2019s f^2, a measure of local effect size, from PROC MIXED","volume":"3","author":"Selya Arielle S","year":"2012","unstructured":"Arielle S Selya, Jennifer S Rose, Lisa C Dierker, Donald Hedeker, and Robin J Mermelstein. 2012. A practical guide to calculating Cohen\u2019s f^2, a measure of local effect size, from PROC MIXED. Frontiers in Psychology, 3 (2012), 111.","journal-title":"Frontiers in Psychology"},{"key":"e_1_2_1_71_1","volume-title":"36th International Conference on Software Engineering, ICSE \u201914","author":"Seo Hyunmin","year":"2014","unstructured":"Hyunmin Seo, Caitlin Sadowski, Sebastian G. Elbaum, Edward Aftandilian, and Robert W. Bowdidge. 2014. Programmers\u2019 build errors: A case study (at Google). In 36th International Conference on Software Engineering, ICSE \u201914, Hyderabad, India - May 31 - June 07, 2014. ACM, 724\u2013734. https:\/\/doi.org\/10.1145\/2568225.2568255 10.1145\/2568225.2568255"},{"key":"e_1_2_1_72_1","volume-title":"Perception of risk. Science, 236, 4799","author":"Slovic Paul","year":"1987","unstructured":"Paul Slovic. 1987. Perception of risk. Science, 236, 4799 (1987), 280\u2013285."},{"key":"e_1_2_1_73_1","unstructured":"Snyk. 2022. Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine. 
https:\/\/snyk.io\/blog\/peacenotwar-malicious-npm-node-ipc-package-vulnerability\/"},{"key":"e_1_2_1_74_1","unstructured":"Sonatype. 2021. Software supply chains: An introductory guide. https:\/\/www.sonatype.com\/blog\/software-supply-chain-a-definition-and-introductory-guide"},{"key":"e_1_2_1_75_1","volume-title":"10th Annual State of the Software Supply Chain. https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/2024","unstructured":"Sonatype. 2024. 10th Annual State of the Software Supply Chain. https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/2024"},{"key":"e_1_2_1_76_1","unstructured":"Sonatype. 2024. CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma. https:\/\/blog.sonatype.com\/cve-2024-3094-the-targeted-backdoor-supply-chain-attack-against-xz-and-liblzma"},{"key":"e_1_2_1_77_1","volume-title":"17th International Conference on Mining Software Repositories","author":"Spinellis Diomidis","year":"2020","unstructured":"Diomidis Spinellis, Zoe Kotti, and Audris Mockus. 2020. A Dataset for GitHub Repository Deduplication. In MSR \u201920: 17th International Conference on Mining Software Repositories, Seoul, Republic of Korea, 29-30 June, 2020. ACM, 523\u2013527. https:\/\/doi.org\/10.1145\/3379597.3387496 10.1145\/3379597.3387496"},{"key":"e_1_2_1_78_1","unstructured":"StackOverflow. 2017. Should I pin my Python dependencies versions? https:\/\/stackoverflow.com\/questions\/28509481\/should-i-pin-my-python-dependencies-versions"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.socec.2005.11.043"},{"key":"e_1_2_1_80_1","unstructured":"TechTarget. 2023. SolarWinds hack explained: Everything you need to know. https:\/\/www.techtarget.com\/whatis\/feature\/SolarWinds-hack-explained-Everything-you-need-to-know"},{"key":"e_1_2_1_81_1","unstructured":"The White House. 2021. Executive Order on Improving the Nation\u2019s Cybersecurity. 
https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"e_1_2_1_82_1","volume-title":"Proceedings of the 41st International Conference on Software Engineering, ICSE 2019, Montreal, QC","author":"Tomassi David A.","year":"2019","unstructured":"David A. Tomassi, Naji Dmeiri, Yichen Wang, Antara Bhowmick, Yen-Chuan Liu, Premkumar T. Devanbu, Bogdan Vasilescu, and Cindy Rubio-Gonz\u00e1lez. 2019. BugSwarm: Mining and continuously growing a dataset of reproducible failures and fixes. In Proceedings of the 41st International Conference on Software Engineering, ICSE 2019, Montreal, QC, Canada, May 25-31, 2019. IEEE \/ ACM, 339\u2013349. https:\/\/doi.org\/10.1109\/ICSE.2019.00048 10.1109\/ICSE.2019.00048"},{"key":"e_1_2_1_83_1","volume-title":"Proceedings of the 2018 ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/SIGSOFT FSE 2018, Lake Buena Vista, FL, USA","author":"Valiev Marat","year":"2018","unstructured":"Marat Valiev, Bogdan Vasilescu, and James D. Herbsleb. 2018. Ecosystem-level determinants of sustained activity in open-source projects: A case study of the PyPI ecosystem. In Proceedings of the 2018 ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/SIGSOFT FSE 2018, Lake Buena Vista, FL, USA, November 04-09, 2018. ACM, 644\u2013655. https:\/\/doi.org\/10.1145\/3236024.3236062 10.1145\/3236024.3236062"},{"key":"e_1_2_1_84_1","volume-title":"28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Vargas Enrique Larios","year":"2020","unstructured":"Enrique Larios Vargas, Maur\u00edcio Finavaro Aniche, Christoph Treude, Magiel Bruntink, and Georgios Gousios. 2020. Selecting third-party libraries: the practitioners\u2019 perspective. 
In ESEC\/FSE \u201920: 28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Virtual Event, USA, November 8-13, 2020. ACM, 245\u2013256. https:\/\/doi.org\/10.1145\/3368089.3409711 10.1145\/3368089.3409711"},{"key":"e_1_2_1_85_1","volume-title":"Typosquatting and Combosquatting Attacks on the Python Ecosystem. In IEEE European Symposium on Security and Privacy Workshops, EuroS&P Workshops 2020","author":"Vu Duc-Ly","year":"2020","unstructured":"Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Typosquatting and Combosquatting Attacks on the Python Ecosystem. In IEEE European Symposium on Security and Privacy Workshops, EuroS&P Workshops 2020, Genoa, Italy, September 7-11, 2020. IEEE, 509\u2013514. https:\/\/doi.org\/10.1109\/EUROSPW51379.2020.00074 10.1109\/EUROSPW51379.2020.00074"},{"key":"e_1_2_1_86_1","volume-title":"17th International Conference on Mining Software Repositories","author":"Walden James","year":"2020","unstructured":"James Walden. 2020. The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL. In MSR \u201920: 17th International Conference on Mining Software Repositories, Seoul, Republic of Korea, 29-30 June, 2020. ACM, 409\u2013419. https:\/\/doi.org\/10.1145\/3379597.3387465 10.1145\/3379597.3387465"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3243262"},{"key":"e_1_2_1_88_1","volume-title":"42nd International Conference on Software Engineering","author":"Wang Ying","year":"2020","unstructured":"Ying Wang, Ming Wen, Yepang Liu, Yibo Wang, Zhenming Li, Chao Wang, Hai Yu, Shing-Chi Cheung, Chang Xu, and Zhiliang Zhu. 2020. Watchman: monitoring dependency conflicts for Python library ecosystem. In ICSE \u201920: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June - 19 July, 2020. ACM, 125\u2013135. 
https:\/\/doi.org\/10.1145\/3377811.3380426 10.1145\/3377811.3380426"},{"key":"e_1_2_1_89_1","volume-title":"Proceedings of the 2018 ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/SIGSOFT FSE 2018, Lake Buena Vista, FL, USA","author":"Wang Ying","year":"2018","unstructured":"Ying Wang, Ming Wen, Zhenwei Liu, Rongxin Wu, Rui Wang, Bo Yang, Hai Yu, Zhiliang Zhu, and Shing-Chi Cheung. 2018. Do the dependency conflicts in my project matter? In Proceedings of the 2018 ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/SIGSOFT FSE 2018, Lake Buena Vista, FL, USA, November 04-09, 2018. ACM, 319\u2013330. https:\/\/doi.org\/10.1145\/3236024.3236056 10.1145\/3236024.3236056"},{"key":"e_1_2_1_90_1","unstructured":"Hyrum Wright. 2024. Hyrum\u2019s Law. https:\/\/www.hyrumslaw.com\/"},{"key":"e_1_2_1_91_1","volume-title":"39th IEEE International Conference on Data Engineering, ICDE 2023","author":"Xie Jiadong","year":"2023","unstructured":"Jiadong Xie, Fan Zhang, Kai Wang, Xuemin Lin, and Wenjie Zhang. 2023. Minimizing the Influence of Misinformation via Vertex Blocking. In 39th IEEE International Conference on Data Engineering, ICDE 2023, Anaheim, CA, USA, April 3-7, 2023. IEEE, 789\u2013801. https:\/\/doi.org\/10.1109\/ICDE55515.2023.00066 10.1109\/ICDE55515.2023.00066"},{"key":"e_1_2_1_92_1","volume-title":"Understanding and Remediating Open-Source License Incompatibilities in the PyPI Ecosystem. In 38th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2023","author":"Xu Weiwei","year":"2023","unstructured":"Weiwei Xu, Hao He, Kai Gao, and Minghui Zhou. 2023. Understanding and Remediating Open-Source License Incompatibilities in the PyPI Ecosystem. In 38th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2023, Luxembourg, September 11-15, 2023. IEEE, 178\u2013190. 
https:\/\/doi.org\/10.1109\/ASE56229.2023.00175 10.1109\/ASE56229.2023.00175"},{"key":"e_1_2_1_93_1","volume-title":"Proceedings of the Sixth ACM on Conference on Data and Application Security and Privacy, CODASPY 2016","author":"Younis Awad A.","year":"2016","unstructured":"Awad A. Younis, Yashwant K. Malaiya, Charles Anderson, and Indrajit Ray. 2016. To Fear or Not to Fear That is the Question: Code Characteristics of a Vulnerable Function with an Existing Exploit. In Proceedings of the Sixth ACM on Conference on Data and Application Security and Privacy, CODASPY 2016, New Orleans, LA, USA, March 9-11, 2016. ACM, 97\u2013104. https:\/\/doi.org\/10.1145\/2857705.2857750 10.1145\/2857705.2857750"},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2403.12196"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3279773"},{"key":"e_1_2_1_96_1","volume-title":"45th IEEE\/ACM International Conference on Software Engineering: Software Engineering in Practice, SEIP@ICSE 2023","author":"Zahan Nusrat","year":"2023","unstructured":"Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris, and Laurie A. Williams. 2023. Do Software Security Practices Yield Fewer Vulnerabilities? In 45th IEEE\/ACM International Conference on Software Engineering: Software Engineering in Practice, SEIP@ICSE 2023, Melbourne, Australia, May 14-20, 2023. IEEE, 292\u2013303. https:\/\/doi.org\/10.1109\/ICSE-SEIP58684.2023.00032 10.1109\/ICSE-SEIP58684.2023.00032"},{"key":"e_1_2_1_97_1","volume-title":"Static Detection Based on Semantic Differencing. In 37th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2022","author":"Zhang Lyuye","year":"2022","unstructured":"Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Bihuan Chen, and Yang Liu. 2022. Has My Release Disobeyed Semantic Versioning? Static Detection Based on Semantic Differencing. In 37th IEEE\/ACM International Conference on Automated Software Engineering, ASE 2022, Rochester, MI, USA, October 10-14, 2022. ACM, 51:1\u201351:12. https:\/\/doi.org\/10.1145\/3551349.3556956 10.1145\/3551349.3556956"},{"key":"e_1_2_1_98_1","volume-title":"28th USENIX Security Symposium, USENIX Security 2019","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019. USENIX Association, 995\u20131010. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/zimmerman"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3715728","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:21:55Z","timestamp":1750346515000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3715728"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,19]]},"references-count":98,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2025,6,19]]}},"alternative-id":["10.1145\/3715728"],"URL":"https:\/\/doi.org\/10.1145\/3715728","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,19]]}}}