Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floating?
- URL: http://arxiv.org/abs/2510.08609v2
- Date: Thu, 23 Oct 2025 15:40:40 GMT
- Title: Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floating?
- Authors: Imranur Rahman, Jill Marley, William Enck, Laurie Williams
- Abstract summary: The goal of this study is to aid developers in making an informed dependency version constraint choice. Security practitioners advocate pinning dependencies to protect against software supply chain attacks. Among outdated and vulnerable dependencies, the most commonly used version constraint type is floating-minor, with pinning being the next most common.
- Score: 3.0806232926621715
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Developers consistently use version constraints to specify acceptable versions of the dependencies for their project. *Pinning* dependencies can reduce the likelihood of breaking changes, but comes with the cost of manually managing the replacement of outdated and vulnerable dependencies. On the other hand, *floating* can be used to automatically get bug fixes and security fixes, but comes with the risk of breaking changes. Security practitioners advocate *pinning* dependencies to protect against software supply chain attacks, e.g., malicious package updates. However, since *pinning* is the tightest version constraint, *pinning* is the most likely to result in outdated dependencies. Nevertheless, how the likelihood of a dependency becoming outdated or vulnerable changes across version constraint types is unknown. The goal of this study is to aid developers in making an informed dependency version constraint choice by empirically evaluating, at scale, the likelihood of dependencies becoming outdated or vulnerable across version constraint types. In this study, we first identify the trends in dependency version constraint usage and the patterns of version constraint type changes made by developers in the npm, PyPI, and Cargo ecosystems. We then model the dependency state transitions using survival analysis and estimate how the likelihood of becoming outdated or vulnerable changes when using *pinning* as opposed to the rest of the version constraint types. We observe that among outdated and vulnerable dependencies, the most commonly used version constraint type is *floating-minor*, with *pinning* being the next most common. We also find that *floating-major* is the least likely to result in outdated dependencies and *floating-minor* is the least likely to result in vulnerable dependencies.
Related papers
- Minimizing Breaking Changes and Redundancy in Mitigating Technical Lag for Java Projects [28.25852271546999]
DepUpdater balances version upgrades, reduces technical lag, ensures compatibility, and avoids redundant dependencies. The comparison with existing dependency management tools demonstrates that DepUpdater more effectively reduces technical lag while ensuring compatibility and pruning redundant dependencies.
arXiv Detail & Related papers (2025-11-10T06:43:46Z)
- On the Freshness of Pinned Dependencies in Maven [6.5131796406898745]
We show that over 60% of consumers of popular Maven libraries contain stale pins to their dependencies. We prototype an approach called Pin-Freshener that can encourage developers to freshen their pins by leveraging crowdsourced tests of peer projects. Our evaluation on real-world pins to the top 500 popular libraries in Maven shows that Pin-Freshener can provide an additional signal of at least 5 passing crowdsourced test suites.
arXiv Detail & Related papers (2025-10-26T20:02:49Z)
- Faster Releases, Fewer Risks: A Study on Maven Artifact Vulnerabilities and Lifecycle Management [0.14999444543328289]
We analyze the release histories of 10,000 Maven artifacts, covering over 203,000 releases and 1.7 million dependencies. Our results show an inverse relationship between release speed and dependency outdatedness. These findings emphasize the importance of accelerated release strategies in reducing security risks.
arXiv Detail & Related papers (2025-03-31T17:32:45Z)
- Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependencies to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
arXiv Detail & Related papers (2025-02-10T16:50:48Z)
- Train Till You Drop: Towards Stable and Robust Source-free Unsupervised 3D Domain Adaptation [62.889835139583965]
We tackle the problem of source-free unsupervised domain adaptation (SFUDA) for 3D semantic segmentation.
It amounts to performing domain adaptation on an unlabeled target domain without any access to source data.
A common issue with existing SFUDA approaches is that performance degrades after some training time.
arXiv Detail & Related papers (2024-09-06T17:13:14Z)
- Steering Without Side Effects: Improving Post-Deployment Control of Language Models [61.99293520621248]
Language models (LMs) have been shown to behave unexpectedly post-deployment.
We present KL-then-steer (KTS), a technique that decreases the side effects of steering while retaining its benefits.
Our best method prevents 44% of jailbreak attacks compared to the original Llama-2-chat-7B model.
arXiv Detail & Related papers (2024-06-21T01:37:39Z)
- No Vulnerability Data, No Problem: Towards Predicting Mean Time To Remediate In Open Source Software Dependencies [7.304461924231725]
The Mean-Time-To-Remediate (MTTR) metric can provide a historical perspective on how long it takes a given package to update vulnerable versions of its dependencies. We propose a novel algorithm for computing MTTR called $MTTR_{dep}$ and a companion metric called $Mean\text{-}Time\text{-}To\text{-}Update_{dep}$ ($MTTU_{dep}$). We conduct a large-scale study using 163,207 packages in npm, PyPI, and Cargo, of which only 22,513 packages produce $MTTR_{dep}$ because of the lack of vulnerability
arXiv Detail & Related papers (2024-03-26T05:01:53Z)
- Dependency Practices for Vulnerability Mitigation [4.710141711181836]
We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable.
We identify over 200,000 npm packages that are infected through their dependencies.
We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
arXiv Detail & Related papers (2023-10-11T19:48:46Z)
- Visual Dependency Transformers: Dependency Tree Emerges from Reversed Attention [106.67741967871969]
We propose Visual Dependency Transformers (DependencyViT) that can induce visual dependencies without any labels.
We formulate it as a dependency graph where a child token in reversed attention is trained to attend to its parent tokens and send information.
DependencyViT works well on both self- and weakly-supervised pretraining paradigms on ImageNet.
arXiv Detail & Related papers (2023-04-06T17:59:26Z)
- Bilateral Dependency Optimization: Defending Against Model-inversion Attacks [61.78426165008083]
We propose a bilateral dependency optimization (BiDO) strategy to defend against model-inversion attacks.
BiDO achieves the state-of-the-art defense performance for a variety of datasets, classifiers, and MI attacks.
arXiv Detail & Related papers (2022-06-11T10:07:03Z)
- Online Selective Classification with Limited Feedback [82.68009460301585]
We study selective classification in the online learning model, wherein a predictor may abstain from classifying an instance.
Two salient aspects of the setting we consider are that the data may be non-realisable, due to which abstention may be a valid long-term action.
We construct simple versioning-based schemes for any $\mu \in (0,1]$ that make at most $T^{\mu}$ mistakes while incurring $\tilde{O}(T^{1-\mu})$ excess abstention against adaptive adversaries.
arXiv Detail & Related papers (2021-10-27T08:00:53Z)
- Please Mind the Root: Decoding Arborescences for Dependency Parsing [67.71280539312536]
We analyze the output of state-of-the-art parsers on many languages from the Universal Dependency Treebank.
The worst constraint-violation rate we observe is 24%.
arXiv Detail & Related papers (2020-10-06T08:31:14Z)