Modern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become dependent on a large number of software packages. Consequently, developers are faced with the difficult challenge of maintaining their project dependencies by keeping them up-to-date and free of security vulnerabilities. However, how often are project dependencies used in production where they could pose a threat to their project's security? We conduct an empirical study on 100 JavaScript projects using the Node Package Manager (npm) to quantify how often project dependencies are released to production and analyze their characteristics and their impact on security. Our results indicate that less than 1% of the installed dependencies are released to production. Our analysis reveals that the functionality of a package is not enough to determine if it will be released to production or not. In fact, 59% of the installed dependencies configured as runtime dependencies are not used in production, and 28.2% of the dependencies configured as development dependencies are used in production, debunking two common assumptions of dependency management. Findings also indicate that most security alerts target dependencies not used in production, making them highly unlikely to be a risk for the security of the software. Our study unveils a more complex side of dependency management: not all dependencies are equal. Dependencies used in production are more sensitive to security exposure and should be prioritized. However, current tools lack the appropriate support in identifying production dependencies.
翻译:现代软件系统往往通过利用他人以图书馆和软件包形式编写的编码来建立现代软件系统,以加速其开发。虽然使用第三方软件包有许多好处,但软件项目往往依赖大量软件包。因此,开发者面临维持项目依赖性的困难,因为他们不断更新项目,没有安全漏洞。然而,在生产过程中使用项目依赖性,从而可能威胁项目安全?我们利用节点软件包管理员(npm)对100个敏感项目进行实证研究,以量化当前项目依赖性如何经常被释放到生产中,分析其特点及其对安全的影响。我们的结果显示,安装的软件依赖性只有不到1%,要保持项目依赖性,要不断更新并消除安全漏洞。事实上,59%按运行依赖性配置的固定依赖性在生产中不应使用,28.2%作为发展依赖性配置的相互依存性在生产中使用,在生产中使用的当前依赖性及其特点和对安全的影响方面,要更多地使用安全依赖性。我们的分析显示,在生产中使用的高度依赖性研究中,安全依赖性也是使用两种共同的假设。