A risk in adopting third-party dependencies into an application is their potential to serve as a doorway through which malicious code is injected, most often without the adopter noticing. While many initiatives from both industry and research communities focus on the most critical dependencies (i.e., those most depended upon within the ecosystem), little is known about whether the rest of the ecosystem suffers the same fate. Our vision is to promote and establish safer practices throughout the ecosystem. To motivate that vision, in this paper we present preliminary data based on three representative samples drawn from a population of 88,416 pull requests (PRs) and identify unsafe dependency updates (i.e., any pull request whose dependency change risks introducing unsafe behaviour at runtime). The data clearly shows that unsafe dependency updates are not limited to highly impactful libraries. To draw attention to this long tail, we propose a research agenda comprising six key research questions that explore how to safeguard against these unsafe activities, including the development of best practices that address unsafe dependency updates not only in top-tier libraries but throughout the entire ecosystem.