Lessons from the long tail: Analysing unsafe dependency updates across software ecosystems

A risk in adopting third-party dependencies into an application is their potential to serve as a doorway for malicious code to be injected (most often unknowingly). While many initiatives from both industry and research communities focus on the most critical dependencies (i.e., those most depended upon within the ecosystem), little is known about whether the rest of the ecosystem suffers the same fate. Our vision is to promote and establish safer practices throughout the ecosystem. To motivate our vision, in this paper, we present preliminary data based on three representative samples from a population of 88,416 pull requests (PRs) and identify unsafe dependency updates (i.e., any pull request that risks being unsafe during runtime), which clearly shows that unsafe dependency updates are not limited to highly impactful libraries. To draw attention to the long tail, we propose a research agenda comprising six key research questions that further explore how to safeguard against these unsafe activities. This includes developing best practices to address unsafe dependency updates not only in top-tier libraries but throughout the entire ecosystem.

Bibliographic Details
Main Authors: WATTANAKRIENGKRAI, Supatsara, KULA, Raula, TREUDE, Christoph, MATSUMOTO, Kenichi
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2023
Subjects: Supply Chain; Libraries; Software Ecosystems; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/8903
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/9906/viewcontent/tail.pdf
Institution: Singapore Management University
Record details
ID: sg-smu-ink.sis_research-9906
Record format: DSpace
Date: 2023-12-01
Format: text (application/pdf)
DOI: 10.1145/3611643.3613086
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems (InK@SMU, SMU Libraries)
Subjects: Supply Chain; Libraries; Software Ecosystems; Software Engineering