Opportunities and Security Risks of Technical Leverage: A Replication Study on the NPM Ecosystem
Guardado en:
| 發表在: | arXiv.org (Dec 9, 2024), p. n/a |
|---|---|
| 主要作者: | |
| 其他作者: | , , |
| 出版: |
Cornell University Library, arXiv.org
|
| 主題: | |
| 在線閱讀: | Citation/Abstract Full text outside of ProQuest |
| 標簽: |
沒有標簽, 成為第一個標記此記錄!
|
MARC
| LEADER | 00000nab a2200000uu 4500 | ||
|---|---|---|---|
| 001 | 3143055597 | ||
| 003 | UK-CbPIL | ||
| 022 | |a 2331-8422 | ||
| 035 | |a 3143055597 | ||
| 045 | 0 | |b d20241209 | |
| 100 | 1 | |a Samaana, Haya | |
| 245 | 1 | |a Opportunities and Security Risks of Technical Leverage: A Replication Study on the NPM Ecosystem | |
| 260 | |b Cornell University Library, arXiv.org |c Dec 9, 2024 | ||
| 513 | |a Working Paper | ||
| 520 | 3 | |a To comply with high productivity demands, software developers reuse free open-source software (FOSS) code to avoid reinventing the wheel when incorporating software features. The reliance on FOSS reuse has been shown to improve productivity and the quality of delivered software; however, reusing FOSS comes at the risk of exposing software projects to public vulnerabilities. Massacci and Pashchenko have explored this trade-off in the Java ecosystem through the lens of technical leverage: the ratio of code borrowed from FOSS over the code developed by project maintainers. In this paper, we replicate the work of Massacci and Pashchenko and we expand the analysis to include level-1 transitive dependencies to study technical leverage in the fastest-growing NPM ecosystem. We investigated 14,042 NPM library releases and found that both opportunities and risks of technical leverage are magnified in the NPM ecosystem. Small-medium libraries leverage 2.5x more code from FOSS than their code, while large libraries leverage only 3\% of FOSS code in their projects. Our models indicate that technical leverage shortens the release cycle for small-medium libraries. However, the risk of vulnerability exposure is 4-7x higher for libraries with high technical leverage. We also expanded our replication study to include the first level of transitive dependencies, and show that the results still hold, albeit with significant changes in the magnitude of both opportunities and risks of technical leverage. Our results indicate the extremes of opportunities and risks in NPM, where high technical leverage enables fast releases but comes at the cost of security risks. | |
| 653 | |a Productivity | ||
| 653 | |a Replication | ||
| 653 | |a Reuse | ||
| 653 | |a Source code | ||
| 653 | |a Software reuse | ||
| 653 | |a Security | ||
| 653 | |a Libraries | ||
| 653 | |a Open source software | ||
| 653 | |a Ecosystems | ||
| 653 | |a Software development | ||
| 700 | 1 | |a Diego Elias Costa | |
| 700 | 1 | |a Abdellatif, Ahmad | |
| 700 | 1 | |a Shihab, Emad | |
| 773 | 0 | |t arXiv.org |g (Dec 9, 2024), p. n/a | |
| 786 | 0 | |d ProQuest |t Engineering Database | |
| 856 | 4 | 1 | |3 Citation/Abstract |u https://www.proquest.com/docview/3143055597/abstract/embedded/ZKJTFFSVAI7CB62C?source=fedsrch |
| 856 | 4 | 0 | |3 Full text outside of ProQuest |u http://arxiv.org/abs/2412.06948 |