Related papers: Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem

Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem

URL: http://arxiv.org/abs/2511.22186v1
Date: Thu, 27 Nov 2025 07:51:48 GMT
Title: Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem
Authors: Chayanid Termphaiboon, Raula Gaikovina Kula, Youmei Fan, Morakot Choetkiertikul, Chaiyong Ragkhitwetsagul, Thanwadee Sunetnanta, Kenichi Matsumoto,
Abstract summary: Security policies, such as SECURITY.md files, are now common in open-source projects.<n>This study explores the relationship between security policies and dependency management in PyPI projects.
Score: 3.202418533433693
License: http://creativecommons.org/licenses/by/4.0/
Abstract: Security policies, such as SECURITY.md files, are now common in open-source projects. They help guide responsible vulnerability reporting and build trust among users and contributors. Despite their growing use, it is still unclear how these policies influence the structure and evolution of software dependencies. Software dependencies are external packages or libraries that a project relies on, and their interconnected nature affects both functionality and security. This study explores the relationship between security policies and dependency management in PyPI projects. We analyzed projects with and without a SECURITY.md file by examining their dependency trees and tracking how dependencies change over time. The analysis shows that projects with a security policy tend to rely on a broader set of direct dependencies, while overall depth and transitive dependencies remain similar. Historically, projects created after the introduction of SECURITY.md, particularly later adopters, show more frequent dependency updates. These results suggest that security policies are linked to more modular and feature-rich projects, and highlight the role of SECURITY.md in promoting proactive dependency management and reducing risks in the software supply chain.

Related papers

Why Authors and Maintainers Link (or Don't Link) Their PyPI Libraries to Code Repositories and Donation Platforms [83.16077040470975]
Metadata of libraries on the Python Package Index (PyPI) plays a critical role in supporting the transparency, trust, and sustainability of open-source libraries.<n>This paper presents a large-scale empirical study combining two targeted surveys sent to 50,000 PyPI authors and maintainers.<n>We analyze more than 1,400 responses using large language model (LLM)-based topic modeling to uncover key motivations and barriers related to linking repositories and donation platforms.
arXiv Detail & Related papers (2026-01-21T16:13:57Z)
Analyzing the Availability of E-Mail Addresses for PyPI Libraries [89.21869606965578]
81.6% of libraries include at least one valid e-mail address, with PyPI serving as the primary source.<n>We identify over 698,000 invalid entries, primarily due to missing fields.
arXiv Detail & Related papers (2026-01-20T14:54:58Z)
A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software [0.2772895608190934]
We conducted a study on over 1k open-source software projects with about 50k releases comprising several languages such as Java, Python, Rust, Go, Ruby, and JavaScript.<n>Our objective is to investigate the severity, persistence, and distribution of these vulnerabilities, as well as their correlation with project metrics such as team and contributors size, activity and release cycles.<n>Using our approach, we can provide information such as library versions, dependency depth, and known vulnerabilities, and how they evolved over the software development cycle.
arXiv Detail & Related papers (2025-12-03T15:20:10Z)
Out of Sight, Still at Risk: The Lifecycle of Transitive Vulnerabilities in Maven [0.3670008893193884]
Transitive vulnerabilities that arise from indirect dependencies expose projects to risks associated with Common Vulnerabilities and Exposures.<n>We employ survival analysis to measure the time projects remain exposed after a CVE is introduced.<n>Using a large dataset of Maven projects, we identify factors that influence the resolution of these vulnerabilities.
arXiv Detail & Related papers (2025-04-07T07:54:15Z)
Insights into Dependency Maintenance Trends in the Maven Ecosystem [0.14999444543328289]
We present a quantitative analysis of the Neo4j dataset using the Goblin framework.<n>Our analysis reveals that releases with fewer dependencies have a higher number of missed releases.<n>Our study shows that the dependencies in the latest releases have positive freshness scores, indicating better software management efficacy.
arXiv Detail & Related papers (2025-03-28T22:20:24Z)
Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks.<n>Security practitioners advocate pinning dependency to specific versions rather than floating in version ranges.<n>We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
arXiv Detail & Related papers (2025-02-10T16:50:48Z)
An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z)
The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
What's in a Package? Getting Visibility Into Dependencies Using Security-Sensitive API Calls [3.6525326603691504]
We present a novel methodology to construct a security-sensitive API list for an ecosystem.<n>We then compare the prevalence of security-sensitive APIs in functionally similar package groups.<n>More than half of the developers would use security-sensitive API information in the dependency selection process if available.
arXiv Detail & Related papers (2024-08-05T22:01:18Z)
Dependency Practices for Vulnerability Mitigation [4.710141711181836]
We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies. We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
arXiv Detail & Related papers (2023-10-11T19:48:46Z)
Analyzing Maintenance Activities of Software Libraries [55.2480439325792]
Industrial applications heavily integrate open-source software libraries nowadays.<n>I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z)
On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.