不安全的组件？探索Web上捆绑JavaScript包的依赖更新模式 (Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web)

from arxiv, Accepted on ICSE 2026. Replication Material openly available at https://doi.org/10.60507/FK2/F4VQRH (scripts), https://doi.org/10.60507/FK2/F4VQRH (dolospy), https://doi.org/10.60507/FK2/AHYGMN (dataset). Github Repository: https://github.com/BlobbyBob/AletheiaJSVersionDetection

Reusable software components, typically distributed as packages, are a central paradigm of modern software development. The JavaScript ecosystem serves as a prime example, offering millions of packages with their use being promoted as idiomatic. However, download statistics on npm raise security concerns as they indicate a high popularity of vulnerable package versions while their real prevalence on production websites remains unknown. Package version detection mechanisms fill this gap by extracting utilized packages and versions from observed artifacts on the web. Prior research focuses on mechanisms for either hand-selected popular packages in bundles or for single-file resources utilizing the global namespace. This does not allow for a thorough analysis of modern web applications' dependency update behavior at scale. In this work, we improve upon this by presenting Aletheia, a package-agnostic method which dissects JavaScript bundles to identify package versions through algorithms originating from the field of plagiarism detection. We show that this method clearly outperforms the existing approaches in practical settings. Furthermore, we crawl the Tranco top 100,000 domains to reveal that 5% - 20% of domains update their dependencies within 16 weeks. Surprisingly, from a longitudinal perspective, bundled packages are updated significantly faster than their CDN-included counterparts, with consequently up to 10 times fewer known vulnerable package versions included. Still, we observe indicators that few widespread vendors seem to be a major driving force behind timely updates, implying that quantitative measures are not painting a complete picture.

翻译：可复用软件组件（通常以包的形式分发）是现代软件开发的核心范式。JavaScript生态系统是这一范式的典型代表，它提供了数百万个包，其使用方式已被推崇为惯用做法。然而，npm的下载统计数据引发了安全担忧，因为它们表明易受攻击的包版本非常流行，而这些版本在生产网站上的实际流行程度仍然未知。包版本检测机制通过从观察到的Web工件中提取所使用的包和版本来填补这一空白。先前的研究要么侧重于捆绑包中手动选择的流行包的检测机制，要么侧重于利用全局命名空间的单文件资源检测。这无法对现代Web应用程序的依赖更新行为进行大规模深入分析。在本研究中，我们通过提出Aletheia改进了这一现状，这是一种包无关的方法，它通过源自抄袭检测领域的算法来剖析JavaScript捆绑包以识别包版本。我们证明，在实际场景中，该方法明显优于现有方法。此外，我们爬取了Tranco排名前100,000的域名，发现5%至20%的域名会在16周内更新其依赖项。令人惊讶的是，从纵向角度来看，捆绑包中的包更新速度明显快于通过CDN包含的包，因此包含的已知易受攻击包版本最多可减少10倍。尽管如此，我们观察到一些迹象表明，少数广泛使用的供应商似乎是推动及时更新的主要力量，这意味着定量指标并未描绘出完整的图景。