Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem
摘要
In the rapidly evolving domain of software development, the security and reliability of the open source software supply chain are of increasing concern. Outdated dependencies pose significant risks to the software ecosystem. This study aims to quantitatively reveal the prevalence of outdated dependencies in the open source supply chain, evaluate their impact on software security, and identify effective techniques for the timely detection of outdated dependencies to prevent security issues. We aggregated outdated dependencies from the npm ecosystem and the Open Source Vulnerabilities (OSV) dataset to construct the Outdated Dependencies Vulnerability Supply Chain. Our analysis suggested that outdated dependencies in a central position within the dependency chain significantly affect downstream components. Using clustering algorithms, we discovered that outdated packages are concentrated in the development tools area, which has a significant security risk from injection flaws (CWE-707) vulnerabilities. Utilizing model-based feature importance techniques, we predict the outdatedness of dependencies in the open source supply chain, with key indicators including the average duration of open issues and pull requests. The findings offer software developers and maintainers a foundation to identify current issues and security vulnerabilities within outdated dependencies, facilitating mitigation efforts through the open source software supply chain.