2026-04-23T00:42:20Zhttps://riubu.ubu.es/oai/request

oai:riubu.ubu.es:10259/82132023-12-16T01:05:13Zcom_10259_5377com_10259_5086com_10259_2604com_10259_3830col_10259_5378col_10259_3832

Setó Rey, Daniel 1d40583c-2fdf-4422-91f8-a4c9e3a57451 600 Santos Martín, José Ignacio 526 600 0000-0002-6653-043X López Nozal, Carlos 322 600 0000-0001-8462-212X 2023-12-15T12:51:49Z 2023-12-15T12:51:49Z 2023-11 2327-4697 http://hdl.handle.net/10259/8213 10.1109/TNSE.2023.3260880 2327-4697 2334-329X Software reuse by importing packages from centralised repositories is an efficient and increasingly widespread way to develop software. Given the transitivity of dependencies, defects introduced in the repository can have extensive effects on the software ecosystem. Drawing from complex network theory, we define a model of repository vulnerability based on the statistically expected damage that the repository sustains from the random introduction of software defects. We test the model in stylized networks derived from real repositories, PyPI, Maven and npm, and show that the existence of a giant strongly connected component (SCC) explains most of the vulnerability. Indeed, we found that theoretical protection (immunization) of this entire component would remove almost all vulnerability from the network. Since repositories and their communities have limited resources to mitigate issues, we further model the problem of how to best apply these resources, finding sets much smaller than the giant SCC whose protection is nearly as good. Furthermore, we prove that the optimal selection of sets of given size is NP-hard but can be approached with heuristics, yielding respectable results. Our model contributes to a better understanding of software package repositories and could also be applied to other systems with a similar structure. The authors acknowledge financial support from the Spanish Ministry of Science, Innovation and Universities (excellence network RED2018-102518-T), the Spanish State Research Agency (PID2020-119894GB-I00 and PID2020-118906GBI00/AEI/10.13039/501100011033) and the Junta de Castilla y León, Consejería de Educación through BDNS 425389. application/pdf eng Institute of Electrical and Electronics Engineers IEEE Transactions on Network Science and Engineering. 2023, V. 10, n. 6, p. 3396-3408 https://doi.org/10.1109/TNSE.2023.3260880 info:eu-repo/grantAgreement/AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/RED2018-102518-T/ES/SISTEMAS COMPLEJOS SOCIOTECNOLOGICOS/ info:eu-repo/grantAgreement/AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/PID2020-119894GB-I00/ES/APRENDIZAJE AUTOMATICO CON DATOS ESCASAMENTE ETIQUETADOS PARA LA INDUSTRIA 4.0/ info:eu-repo/grantAgreement/AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/PID2020-118906GB-I00/ES/INTERACCIONES DINAMICAS DISTRIBUIDAS: PROTOCOLOS BEST EXPERIENCED PAYOFF Y SEPARACION ENDOGENA/ Complex network Network structure Network vulnerability Package dependency networks Software repositories Informática Ingeniería Computer science Engineering Vulnerability of Package Dependency Networks info:eu-repo/semantics/article info:eu-repo/semantics/acceptedVersion info:eu-repo/semantics/openAccess IEEE Transactions on Network Science and Engineering 1 13 THUMBNAIL Seto-IEEEtnse_2023.pdf.jpg Seto-IEEEtnse_2023.pdf.jpg IM Thumbnail image/jpeg 3596 https://riubu.ubu.es/bitstream/10259/8213/3/Seto-IEEEtnse_2023.pdf.jpg 008718ef62a2463590113a900de078e1 MD5 3 LICENSE license.txt license.txt text/plain; charset=utf-8 999 https://riubu.ubu.es/bitstream/10259/8213/2/license.txt b295bcbce42e2caabeb0c623d3860c06 MD5 2 ORIGINAL Seto-IEEEtnse_2023.pdf Seto-IEEEtnse_2023.pdf application/pdf 574093 https://riubu.ubu.es/bitstream/10259/8213/1/Seto-IEEEtnse_2023.pdf 9019a90735aec7a25332b2a133f3aa6b MD5 1 10259/8213 oai:riubu.ubu.es:10259/8213 2023-12-16 02:05:13.804 Repositorio Institucional de la Universidad de Burgos bubrep@ubu.es RWwgYXV0b3IgY29tbyDDum5pY28gdGl0dWxhciBkZSBsb3MgZGVyZWNob3MgZGUgcHJvcGllZGFkIGludGVsZWN0dWFsIGRlIGxhIG9icmEsIG8gZGlzcG9uaWVuZG8gZGUgbG9zIGRlYmlkb3MgcGVybWlzb3MgZGUgbG9zIG90cm9zIHRpdHVsYXJlcywgc2kgbG9zIGh1YmllcmEsIHkgZW4gdmlydHVkIGRlIGxvcyBkZXJlY2hvcyBxdWUgbGUgY29uZmllcmUgbGEgbGVnaXNsYWNpw7NuIHZpZ2VudGUgc29icmUgcHJvcGllZGFkIGludGVsZWN0dWFsIHkgZGVyZWNob3MgZGUgYXV0b3IsIA0KQVVUT1JJWkEgYSBsYSBVbml2ZXJzaWRhZCBkZSBCdXJnb3MgYSBkaWZ1bmRpciwgZGUgbWFuZXJhIGdyYXR1aXRhLCBlbCBjb250ZW5pZG8gZGUgbG9zIGFyY2hpdm9zIGRpZ2l0YWxlcyBxdWUgY29ycmVzcG9uZGVuIGFsIGRvY3VtZW50byBkZXNjcml0byBhbnRlcmlvcm1lbnRlLCBjb24gY2Fyw6FjdGVyIG5vIGV4Y2x1c2l2byB5IGRlIG1hbmVyYSBww7pibGljYSBlbiBhY2Nlc28gYWJpZXJ0byBhIHRyYXbDqXMgZGUgSW50ZXJuZXQsIHBhcmEgbG8gcXVlIGxhIEJpYmxpb3RlY2EgcHJvY2VkZXLDoSBhIGFyY2hpdmFybG9zIGVuIGVsIFJlcG9zaXRvcmlvIEluc3RpdHVjaW9uYWwuIEFzaW1pc21vIGF1dG9yaXphIGEgbGEgVW5pdmVyc2lkYWQgZGUgQnVyZ29zIGEgcmVhbGl6YXIgbGFzIHRyYW5zZm9ybWFjaW9uZXMgbmVjZXNhcmlhcyBkZSBmb3JtYXRvLCBubyBkZSBjb250ZW5pZG8sIHBhcmEgZ2FyYW50aXphciBsYSBwcmVzZXJ2YWNpw7NuIHkgZWwgYWNjZXNvIGVuIGVsIGZ1dHVyby4NCg0KRWwgYXV0b3IgZGlzcG9uZSwgZW4gdG9kbyBjYXNvLCBkZWwgZGVyZWNobyBhIHJldm9jYXIgZXN0YSBhdXRvcml6YWNpw7NuLg0KDQpMYSBjZXNpw7NuIGRlIGRlcmVjaG9zIGRlIGVzdGEgb2JyYSBzZSBlbmN1ZW50cmEgc3VqZXRhIGEgbGEgbGVnaXNsYWNpw7NuIHZpZ2VudGUgc29icmUgcHJvcGllZGFkIGludGVsZWN0dWFsIHkgZGVyZWNob3MgZGUgYXV0b3Iu