ASE ’22, October 10–14, 2022, Rochester, MI, USA Jasmine Latendresse, Suhaib Mujahid, Diego Elias Costa, and Emad Shihab
[3] 2019. Eight Key Findings Illustrating How to Make Open Source Work Even Better for Developers. https://cdn2.hubspot.net/hubfs/4008838/Resources/The-2019-Tidelift-managed-open-source-survey-results.pdf
[4] 2019. webpack. https://webpack.js.org/
[5] 2020. Do "dependencies" and "devDependencies" matter when using Webpack? https://jsramblings.com/do-dependencies-devdependencies-matter-when-using-webpack/
[6] 2020. npm-deps-parser. https://github.com/nVisium/npm-deps-parser
[7] 2020. Securing the World's Software. https://octoverse.github.com/static/github-octoverse-2020-security-report.pdf
[8] 2021. Create React App. https://create-react-app.dev/
[9] 2021. Help, `npm audit` says I have a vulnerability in react-scripts! Issue #11174, facebook/create-react-app. https://github.com/facebook/create-react-app/issues/11174
[10] 2021. rollup.js. https://rollupjs.org/guide/en/
[11] 2022. The Complete Guide to Software Composition Analysis. FOSSA. https://fossa.com/complete-guide-software-composition-analysis
[12] 2022. GitHub Advisory Database. https://github.com/advisories
[13] 2022. Snyk | Developer security | Develop fast. Stay secure. https://snyk.io/
[14] Rabe Abdalkareem, Olivier Nourry, Sultan Wehaibi, Suhaib Mujahid, and Emad Shihab. 2017. Why do developers use trivial packages? An empirical case study on npm. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (2017). https://doi.org/10.1145/3106237.3106267
[15] Rabe Abdalkareem, Vinicius Oda, Suhaib Mujahid, and Emad Shihab. 2020. On the impact of using trivial packages: an empirical case study on npm and PyPI. Empirical Software Engineering 25 (2020), 1168–1204. https://doi.org/10.1007/s10664-019-09792-9
[16] Mahmoud Alfadel, Diego Elias Costa, Emad Shihab, and Mouafak Mkhallalati. 2021. On the Use of Dependabot Security Pull Requests. In 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR). 254–265. https://doi.org/10.1109/MSR52588.2021.00037
[17] Md Atique Reza Chowdhury, Rabe Abdalkareem, and Emad Shihab. 2019. On the Untriviality of Trivial Packages: An Empirical Study of npm JavaScript Packages. IEEE Transactions on Software Engineering (2019). http://das.encs.concordia.ca/uploads/atique_tse2021.pdf
[18] Victor R. Basili, Lionel C. Briand, and Walcélio L. Melo. 1996. How reuse influences productivity in object-oriented systems. Commun. ACM 39, 10 (1996), 104–116. https://doi.org/10.1145/236156.236184
[19] Chris Bogart, Christian Kästner, James Herbsleb, and Ferdian Thung. 2021. When and How to Make Breaking Changes. ACM Transactions on Software Engineering and Methodology 30 (2021), 1–56. https://doi.org/10.1145/3447245
[20] Xiaowei Chen, Rabe Abdalkareem, Suhaib Mujahid, Emad Shihab, and Xin Xia. 2021. Helping or not Helping? Why and How Trivial Packages Impact the npm Ecosystem. Empirical Software Engineering 26 (2021). https://doi.org/10.1007/s10664-020-09904-w
[21] Jailton Coelho, Marco Túlio Valente, Luciano Milen, and Luciana Lourdes Silva. 2020. Is this GitHub Project Maintained? Measuring the Level of Maintenance Activity of Open-Source Projects. CoRR abs/2003.04755 (2020). arXiv:2003.04755 https://arxiv.org/abs/2003.04755
[22] Diego Elias Costa, Suhaib Mujahid, Rabe Abdalkareem, and Emad Shihab. 2021. Breaking Type-Safety in Go: An Empirical Study on the Usage of the unsafe Package. IEEE Transactions on Software Engineering (2021), 1–1. https://doi.org/10.1109/TSE.2021.3057720
[23] Diego Elias Costa, Suhaib Mujahid, Rabe Abdalkareem, and Emad Shihab. 2021. Breaking Type-Safety in Go: An Empirical Study on the Usage of the unsafe Package. IEEE Transactions on Software Engineering (2021), 1–1. https://doi.org/10.1109/TSE.2021.3057720
[24] Joel Cox, Eric Bouwers, Marko van Eekelen, and Joost Visser. 2015. Measuring Dependency Freshness in Software Systems. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 2. 109–118. https://doi.org/10.1109/ICSE.2015.140
[25] Alexandre Decan, Tom Mens, and Philippe Grosjean. 2019. An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering 24 (2019). https://doi.org/10.1007/s10664-017-9589-y
[26] Josh Fruhlinger. 2020. Equifax data breach FAQ: What happened, who was affected, what was the impact? https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
[27] Emitza Guzman, David Azócar, and Yang Li. 2014. Sentiment Analysis of Commit Comments in GitHub: An Empirical Study. In Proceedings of the 11th Working Conference on Mining Software Repositories (Hyderabad, India) (MSR 2014). Association for Computing Machinery, New York, NY, USA, 352–355. https://doi.org/10.1145/2597073.2597118
[28] J. I. Hejderup. 2015. In Dependencies We Trust: How vulnerable are dependencies in software modules? repository.tudelft.nl (2015). https://repository.tudelft.nl/islandora/object/uuid:3a15293b-16f6-4e9d-b6a2-f02cd52f1a9e?collection=education
[29] Nasif Imtiaz, Seaver Thorn, and Laurie Williams. 2021. A comparative study of vulnerability reporting by software composition analysis tools. In Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (2021). https://doi.org/10.1145/3475716.3475769
[30] Abbas Javan Jafari, Diego Elias Costa, Rabe Abdalkareem, Emad Shihab, and Nikolaos Tsantalis. 2021. Dependency Smells in JavaScript Projects. IEEE Transactions on Software Engineering (2021), 1–1. https://doi.org/10.1109/tse.2021.3106247
[31] Riivo Kikas, Georgios Gousios, Marlon Dumas, and Dietmar Pfahl. 2017. Structure and Evolution of Package Dependency Networks. In Proceedings of the 14th International Conference on Mining Software Repositories (Buenos Aires, Argentina) (MSR '17). IEEE Press, 102–112. https://doi.org/10.1109/MSR.2017.55
[32] Raula Gaikovina Kula, Daniel M. German, Ali Ouni, Takashi Ishio, and Katsuro Inoue. 2017. Do developers update their library dependencies? Empirical Software Engineering 23, 1 (2017), 384–417. https://doi.org/10.1007/s10664-017-9521-5
[33] Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. In Proceedings 2017 Network and Distributed System Security Symposium. Internet Society. https://doi.org/10.14722/ndss.2017.23414
[34] Suhaib Mujahid, Diego Elias Costa, Rabe Abdalkareem, Emad Shihab, Mohamed Aymen Saied, and Bram Adams. 2021. Toward Using Package Centrality Trend to Identify Packages in Decline. IEEE Transactions on Engineering Management (2021), 1–15. https://doi.org/10.1109/tem.2021.3122012
[35] Emerson Murphy-Hill, Ciera Jaspan, Caitlin Sadowski, David Shepherd, Michael Phillips, Collin Winter, Andrea Knight, Edward Smith, and Matt Jorde. 2019. What Predicts Software Developers' Productivity? IEEE Transactions on Software Engineering (2019), 1–1. https://doi.org/10.1109/tse.2019.2900308
[36] Stack Overflow. [n. d.]. Stack Overflow Developer Survey 2021. https://insights.stackoverflow.com/survey/2021
[37] Ivan Pashchenko, Henrik Plate, Serena Ponta, Antonino Sabetta, and Fabio Massacci. 2018. Vulnerable open source dependencies: counting those that matter. 1–10. https://doi.org/10.1145/3239235.3268920
[38] Ivan Pashchenko, Henrik Plate, Serena Ponta, Antonino Sabetta, and Fabio Massacci. 2020. Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies. IEEE Transactions on Software Engineering PP (2020), 1–1. https://doi.org/10.1109/TSE.2020.3025443
[39] Ivan Pashchenko, Duc-Ly Vu, and Fabio Massacci. 2020. A Qualitative Study of Dependency Management and Its Security Implications. Association for Computing Machinery, New York, NY, USA, 1513–1531. https://doi.org/10.1145/3372297.3417232
[40] Henrik Plate, Serena Ponta, and Antonino Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. 411–420. https://doi.org/10.1109/ICSM.2015.7332492
[41] Baishakhi Ray, Daryl Posnett, Vladimir Filkov, and Premkumar Devanbu. 2014. A Large Scale Study of Programming Languages and Code Quality in Github. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (Hong Kong, China) (FSE 2014). Association for Computing Machinery, New York, NY, USA, 155–165. https://doi.org/10.1145/2635868.2635922
[42] Adriana Sejfia and Max Schäfer. 2022. Practical Automated Detection of Malicious npm Packages. arXiv preprint arXiv:2202.13953 (2022).
[43] unisil. 2021. Source Map Parser. https://github.com/unisil/source-map-parser
[44] Haroen Viaene. 2021. feat(dependencies): update algoliasearch-helper. https://github.com/algolia/instantsearch.js/pull/4936. (Accessed on 05/04/2022).
[45] Stefan Wagner and Emerson Murphy-Hill. 2019. Factors That Influence Productivity: A Checklist. 69–84. https://doi.org/10.1007/978-1-4842-4221-6_8
[46] Jeff Williams and Arshan Dabirsiaghi. 2012. The unfortunate reality of insecure libraries. Aspect Security, Inc. (2012), 1–26.
[47] Stan Zajdel, Diego Elias Costa, and Hafedh Mili. 2022. Open Source Software: An Approach to Controlling Usage and Risk in Application Ecosystems. In Proceedings of the 26th ACM International Systems and Software Product Line Conference. arXiv. https://doi.org/10.48550/ARXIV.2206.10358
[48] Rodrigo Zapata, Raula Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards Smoother Library Migrations: A Look at Vulnerable Dependency Migrations at Function Level for npm JavaScript Packages. 559–563. https://doi.org/10.1109/ICSME.2018.00067