RT info:eu-repo/semantics/article
T1 Vulnerability of Package Dependency Networks
A1 Setó Rey, Daniel
A1 Santos Martín, José Ignacio
A1 López Nozal, Carlos
K1 Complex network
K1 Network structure
K1 Network vulnerability
K1 Package dependency networks
K1 Software repositories
K1 Informática
K1 Computer science
K1 Ingeniería
K1 Engineering
AB Software reuse by importing packages from centralised repositories is an efficient and increasingly widespread way to develop software. Given the transitivity of dependencies, defects introduced in the repository can have extensive effects on the software ecosystem. Drawing from complex network theory, we define a model of repository vulnerability based on the statistically expected damage that the repository sustains from the random introduction of software defects. We test the model in stylized networks derived from real repositories, PyPI, Maven and npm, and show that the existence of a giant strongly connected component (SCC) explains most of the vulnerability. Indeed, we found that theoretical protection (immunization) of this entire component would remove almost all vulnerability from the network. Since repositories and their communities have limited resources to mitigate issues, we further model the problem of how to best apply these resources, finding sets much smaller than the giant SCC whose protection is nearly as good. Furthermore, we prove that the optimal selection of sets of given size is NP-hard but can be approached with heuristics, yielding respectable results. Our model contributes to a better understanding of software package repositories and could also be applied to other systems with a similar structure.
PB Institute of Electrical and Electronics Engineers
SN 2327-4697
YR 2023
FD 2023-11
LK http://hdl.handle.net/10259/8213
UL http://hdl.handle.net/10259/8213
LA eng
NO The authors acknowledge financial support from the Spanish Ministry of Science, Innovation and Universities (excellence network RED2018-102518-T), the Spanish State Research Agency (PID2020-119894GB-I00 and PID2020-118906GBI00/AEI/10.13039/501100011033) and the Junta de Castilla y León, Consejería de Educación through BDNS 425389.
DS Repositorio Institucional de la Universidad de Burgos
RD 09-may-2024