Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks

• URL: http://arxiv.org/abs/2502.06662v1
• Date: Mon, 10 Feb 2025 16:50:48 GMT
• Title: Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks
• Authors: Hao He, Bogdan Vasilescu, Christian Kästner,
• Abstract summary: Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependency to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
• Score: 23.756533975349985
• License:
• Abstract: Recent high-profile incidents in open-source software have greatly raised practitioner attention on software supply chain attacks. To guard against potential malicious package updates, security practitioners advocate pinning dependency to specific versions rather than floating in version ranges. However, it remains controversial whether pinning carries a meaningful security benefit that outweighs the cost of maintaining outdated and possibly vulnerable dependencies. In this paper, we quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem. By simulating dependency resolutions over historical time points, we find that pinning direct dependencies not only (as expected) increases the cost of maintaining vulnerable and outdated dependencies, but also (surprisingly) even increases the risk of exposure to malicious package updates in larger dependency graphs due to the specifics of npm's dependency resolution mechanism. Finally, we explore collective pinning strategies to secure the ecosystem against supply chain attacks, suggesting specific changes to npm to enable such interventions. Our study provides guidance for practitioners and tool designers to manage their supply chains more securely.

Related papers

• Enhancing Supply Chain Visibility with Generative AI: An Exploratory Case Study on Relationship Prediction in Knowledge Graphs [52.79646338275159]
  Relationship prediction aims to increase the visibility of supply chains using data-driven techniques. Existing methods have been successful for predicting relationships but struggle to extract the context in which these relationships are embedded. Lack of context prevents practitioners from distinguishing transactional relations from established supply chain relations.
  arXiv  Detail & Related papers  (2024-12-04T15:19:01Z)
• Dirty-Waters: Detecting Software Supply Chain Smells [10.405775369526006]
  We define the novel concept of software supply chain smell and present Dirty-Waters, a novel tool for detecting software supply chain smells. We evaluate Dirty-Waters on three JavaScript projects across nine versions and demonstrate the prevalence of all proposed software supply chain smells.
  arXiv  Detail & Related papers  (2024-10-21T14:24:12Z)
• The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv  Detail & Related papers  (2024-09-10T10:12:37Z)
• GoSurf: Identifying Software Supply Chain Attack Vectors in Go [9.91891839872381]
  We propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem.
  arXiv  Detail & Related papers  (2024-07-05T11:52:27Z)
• Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
  A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
  arXiv  Detail & Related papers  (2023-12-31T14:53:51Z)
• Dependency Practices for Vulnerability Mitigation [4.710141711181836]
  We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies. We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
  arXiv  Detail & Related papers  (2023-10-11T19:48:46Z)
• Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems [11.461455369774765]
  We present preliminary data based on three representative samples from a population of 88,416 pull requests (PRs) We identify unsafe dependency updates (i.e., any pull request that risks being unsafe during runtime) This includes developing best practises to address unsafe dependency updates not only in top-tier libraries but throughout the ecosystem.
  arXiv  Detail & Related papers  (2023-09-08T08:17:09Z)
• Analyzing Maintenance Activities of Software Libraries [65.268245109828]
  Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
  arXiv  Detail & Related papers  (2023-06-09T16:51:25Z)
• Online Safety Property Collection and Refinement for Safe Deep Reinforcement Learning in Mapless Navigation [79.89605349842569]
  We introduce the Collection and Refinement of Online Properties (CROP) framework to design properties at training time. CROP employs a cost signal to identify unsafe interactions and use them to shape safety properties. We evaluate our approach in several robotic mapless navigation tasks and demonstrate that the violation metric computed with CROP allows higher returns and lower violations over previous Safe DRL approaches.
  arXiv  Detail & Related papers  (2023-02-13T21:19:36Z)
• Bilateral Dependency Optimization: Defending Against Model-inversion Attacks [61.78426165008083]
  We propose a bilateral dependency optimization (BiDO) strategy to defend against model-inversion attacks. BiDO achieves the state-of-the-art defense performance for a variety of datasets, classifiers, and MI attacks.
  arXiv  Detail & Related papers  (2022-06-11T10:07:03Z)
• A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
  Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNNs) based vision systems. This paper proposes a self-supervised adversarial training mechanism in the input space. It provides significant robustness against the textbfunseen adversarial attacks.
  arXiv  Detail & Related papers  (2020-06-08T20:42:39Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.