Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and which version) they use, they have no control over the dependencies of their dependencies. Such transitive dependencies, which often amount to a greater number than direct dependencies, can become infected with vulnerabilities and put software projects at risk. To mitigate this risk, Practitioners need to select dependencies that respond quickly to vulnerabilities to prevent the propagation of vulnerable code to their project. To identify such dependencies, we analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies and use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities. We also study the relationship between these features and the response speed of vulnerable packages. We complement our work with a practitioner survey to understand the applicability of our findings. Developers can incorporate our findings into their dependency management practices to mitigate the impact of vulnerabilities from their dependency supply chain.

翻译：依赖包的使用加速了软件开发进程，但也增加了依赖中可能存在的安全漏洞的暴露风险。虽然开发者可以完全控制使用哪些依赖包（以及哪个版本），但他们无法控制其依赖项的下游依赖。这类传递性依赖——其数量通常超过直接依赖——可能被感染漏洞，从而使软件项目面临风险。为缓解这一风险，从业者需要选择能快速响应漏洞的依赖项，以防止易受攻击的代码传播到自身项目。为识别此类依赖项，我们分析了npm生态系统中超过450个漏洞，以理解为何依赖包仍处于易受攻击状态。我们识别出超过20万个通过依赖链被感染的npm包，并利用9个特征构建预测模型，以识别那些能快速修复漏洞并阻止漏洞进一步传播的包。我们同时研究了这些特征与易受攻击包的响应速度之间的关系。为验证研究成果的适用性，我们补充开展了从业者调研。开发者可将我们的发现融入其依赖管理实践，以缓解依赖供应链中漏洞造成的影响。