To comply with high productivity demands, software developers reuse free open-source software (FOSS) code to avoid reinventing the wheel when incorporating software features. Reliance on FOSS reuse has been shown to improve productivity and the quality of delivered software; however, reusing FOSS comes at the risk of exposing software projects to public vulnerabilities. Massacci and Pashchenko have explored this trade-off in the Java ecosystem through the lens of technical leverage: the ratio of code borrowed from FOSS to the code developed by project maintainers. In this paper, we replicate the work of Massacci and Pashchenko and expand the analysis to include level-1 transitive dependencies, studying technical leverage in the fastest-growing ecosystem, NPM. We investigated 14,042 NPM library releases and found that both the opportunities and the risks of technical leverage are magnified in the NPM ecosystem. Small-medium libraries leverage 2.5x more FOSS code than their own code, while large libraries leverage only 3% FOSS code in their projects. Our models indicate that technical leverage shortens the release cycle for small-medium libraries. However, the risk of vulnerability exposure is 4-7x higher for libraries with high technical leverage. We also expanded our replication study to include the first level of transitive dependencies, and show that the results still hold, albeit with significant changes in the magnitude of both the opportunities and the risks of technical leverage. Our results indicate the extremes of opportunities and risks in NPM, where high technical leverage enables fast releases but comes at the cost of security risks.
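As an added illustration of the technical leverage metric described above (not code from the paper), the following computes leverage for a constructed NPM-style dependency graph, first over direct dependencies only and then including level-1 transitive dependencies; package names and line counts are invented, and shared transitive dependencies are counted once.

```python
from collections import deque

# Constructed sample dependency graph (not from the paper): each package maps to
# its own lines of code (LOC) and the names of its direct dependencies.
PACKAGES = {
    "app":    {"loc": 4000,  "deps": ["util", "server"]},
    "util":   {"loc": 17000, "deps": []},
    "server": {"loc": 8000,  "deps": ["parser", "logger"]},
    "parser": {"loc": 1500,  "deps": ["logger"]},
    "logger": {"loc": 600,   "deps": []},
}


def dependency_closure(root, packages, max_depth):
    """Return the set of dependency names reachable from `root` within
    `max_depth` hops. max_depth=1 yields direct dependencies only;
    max_depth=2 adds the first level of transitive dependencies.
    A dependency reached by several paths is included only once."""
    seen = set()
    queue = deque((name, 1) for name in packages[root]["deps"])
    while queue:
        name, depth = queue.popleft()
        if name in seen or depth > max_depth:
            continue
        seen.add(name)
        for child in packages[name]["deps"]:
            queue.append((child, depth + 1))
    return seen


def technical_leverage(root, packages, max_depth=1):
    """Technical leverage: LOC borrowed from FOSS dependencies divided by the
    LOC the project maintainers wrote themselves."""
    borrowed = sum(packages[n]["loc"]
                   for n in dependency_closure(root, packages, max_depth))
    return borrowed / packages[root]["loc"]


if __name__ == "__main__":
    # Direct deps: (17000 + 8000) / 4000 = 6.25
    print("direct leverage:", technical_leverage("app", PACKAGES, 1))
    # Plus level-1 transitive deps: (17000 + 8000 + 1500 + 600) / 4000 = 6.775
    print("level-1 transitive leverage:", technical_leverage("app", PACKAGES, 2))
```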