{"id":"https://openalex.org/W4417132518","doi":"https://doi.org/10.1109/saner-c66551.2025.00020","title":"Links Between Package Popularity, Criticality, and Security in Software Ecosystems","display_name":"Links Between Package Popularity, Criticality, and Security in Software Ecosystems","publication_year":2025,"publication_date":"2025-03-04","ids":{"openalex":"https://openalex.org/W4417132518","doi":"https://doi.org/10.1109/saner-c66551.2025.00020"},"language":null,"primary_location":{"id":"doi:10.1109/saner-c66551.2025.00020","is_oa":false,"landing_page_url":"https://doi.org/10.1109/saner-c66551.2025.00020","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5041311639","display_name":"Alexis Butler","orcid":"https://orcid.org/0000-0002-4199-684X"},"institutions":[{"id":"https://openalex.org/I184558857","display_name":"Royal Holloway University of London","ror":"https://ror.org/04g2vpn86","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I184558857"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Alexis Butler","raw_affiliation_strings":["Information Security Group Royal Holloway University of London,London,United Kingdom"],"affiliations":[{"raw_affiliation_string":"Information Security Group Royal Holloway University of London,London,United Kingdom","institution_ids":["https://openalex.org/I184558857"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026745638","display_name":"Dan O\u2019Keeffe","orcid":"https://orcid.org/0000-0003-3751-477X"},"institutions":[{"id":"https://openalex.org/I184558857","display_name":"Royal Holloway University of London","ror":"https://ror.org/04g2vpn86","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I184558857"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Dan O\u2019Keeffe","raw_affiliation_strings":["Royal Holloway University of London,Department of Computer Science,London,United Kingdom"],"affiliations":[{"raw_affiliation_string":"Royal Holloway University of London,Department of Computer Science,London,United Kingdom","institution_ids":["https://openalex.org/I184558857"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5004997665","display_name":"Santanu Kumar Dash","orcid":"https://orcid.org/0000-0002-5674-8531"},"institutions":[{"id":"https://openalex.org/I28290843","display_name":"University of Surrey","ror":"https://ror.org/00ks66431","country_code":"GB","type":"education","lineage":["https://openalex.org/I28290843"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Santanu Kumar Dash","raw_affiliation_strings":["University of Surrey,Department of Computer Science,Guildford,United Kingdom"],"affiliations":[{"raw_affiliation_string":"University of Surrey,Department of Computer Science,Guildford,United Kingdom","institution_ids":["https://openalex.org/I28290843"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5041311639"],"corresponding_institution_ids":["https://openalex.org/I184558857"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.53225665,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"89","last_page":"96"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.6008999943733215,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.6008999943733215,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.10040000081062317,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.08500000089406967,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/popularity","display_name":"Popularity","score":0.6855000257492065},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5389999747276306},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.5220000147819519},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4593999981880188},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.4068000018596649},{"id":"https://openalex.org/keywords/software-maintenance","display_name":"Software maintenance","score":0.37959998846054077},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.37220001220703125},{"id":"https://openalex.org/keywords/ecosystem","display_name":"Ecosystem","score":0.37040001153945923},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.3589000105857849},{"id":"https://openalex.org/keywords/feature-selection","display_name":"Feature selection","score":0.35190001130104065}],"concepts":[{"id":"https://openalex.org/C2780586970","wikidata":"https://www.wikidata.org/wiki/Q1357284","display_name":"Popularity","level":2,"score":0.6855000257492065},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6643000245094299},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5389999747276306},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.5220000147819519},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4593999981880188},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.45899999141693115},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.4068000018596649},{"id":"https://openalex.org/C101317890","wikidata":"https://www.wikidata.org/wiki/Q940053","display_name":"Software maintenance","level":4,"score":0.37959998846054077},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.37220001220703125},{"id":"https://openalex.org/C110872660","wikidata":"https://www.wikidata.org/wiki/Q37813","display_name":"Ecosystem","level":2,"score":0.37040001153945923},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.3589000105857849},{"id":"https://openalex.org/C148483581","wikidata":"https://www.wikidata.org/wiki/Q446488","display_name":"Feature selection","level":2,"score":0.35190001130104065},{"id":"https://openalex.org/C81917197","wikidata":"https://www.wikidata.org/wiki/Q628760","display_name":"Selection (genetic algorithm)","level":2,"score":0.3472999930381775},{"id":"https://openalex.org/C125611927","wikidata":"https://www.wikidata.org/wiki/Q17008131","display_name":"Criticality","level":2,"score":0.3400000035762787},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.33719998598098755},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.31790000200271606},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.31040000915527344},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3043000102043152},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.289900004863739},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.28369998931884766},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.28130000829696655},{"id":"https://openalex.org/C82214349","wikidata":"https://www.wikidata.org/wiki/Q657339","display_name":"Software metric","level":5,"score":0.2777000069618225},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.2718999981880188},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.2712000012397766},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.26989999413490295},{"id":"https://openalex.org/C107826830","wikidata":"https://www.wikidata.org/wiki/Q929380","display_name":"Environmental resource management","level":1,"score":0.2678000032901764},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.2651999890804291},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.26350000500679016},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.2630000114440918},{"id":"https://openalex.org/C125370674","wikidata":"https://www.wikidata.org/wiki/Q1527480","display_name":"Stressor","level":2,"score":0.25999999046325684},{"id":"https://openalex.org/C204323151","wikidata":"https://www.wikidata.org/wiki/Q905424","display_name":"Range (aeronautics)","level":2,"score":0.25999999046325684},{"id":"https://openalex.org/C77019957","wikidata":"https://www.wikidata.org/wiki/Q2689057","display_name":"Dependability","level":2,"score":0.257099986076355},{"id":"https://openalex.org/C140779682","wikidata":"https://www.wikidata.org/wiki/Q210868","display_name":"Sampling (signal processing)","level":3,"score":0.2565999925136566}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/saner-c66551.2025.00020","is_oa":false,"landing_page_url":"https://doi.org/10.1109/saner-c66551.2025.00020","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":20,"referenced_works":["https://openalex.org/W205447702","https://openalex.org/W2008620264","https://openalex.org/W2035435951","https://openalex.org/W2100476241","https://openalex.org/W2104085672","https://openalex.org/W2113693268","https://openalex.org/W2132022337","https://openalex.org/W2279278398","https://openalex.org/W2765874585","https://openalex.org/W2884830210","https://openalex.org/W2899923712","https://openalex.org/W2944423749","https://openalex.org/W2963748706","https://openalex.org/W2963923573","https://openalex.org/W3167406762","https://openalex.org/W3174507373","https://openalex.org/W4229563153","https://openalex.org/W4312804187","https://openalex.org/W4322746299","https://openalex.org/W4398788550"],"related_works":[],"abstract_inverted_index":{"With":[0],"the":[1,29,38,58,77,88,118,125,155],"continued":[2,13],"growth":[3],"of":[4,31,120],"Open":[5],"Source":[6],"Software":[7],"(OSS),":[8],"maintenance":[9,48],"workloads":[10],"have":[11,69],"also":[12],"to":[14,42,68,87,102,123,165],"expand,":[15],"this":[16],"along":[17,150],"with":[18,37,57,151],"additional":[19],"stressors":[20],"results":[21,153,161],"in":[22,82,167],"maintainer":[23],"burnout":[24],"and":[25,40,98,105,130,143,159,178],"churn.":[26],"Given":[27],"that":[28,84],"pool":[30],"those":[32],"within":[33],"a":[34,44,64,135,180],"software":[35],"ecosystem":[36,67],"expertise":[39],"willingness":[41],"maintain":[43],"project":[45],"is":[46],"limited,":[47],"efforts":[49],"should":[50],"be":[51,163],"focussed":[52],"on":[53],"minimizing":[54],"security":[55,71,81,142,158,187],"risks":[56],"greatest":[59],"potential":[60],"impact.One":[61],"would":[62],"expect":[63],"well":[65],"maintained":[66],"strong":[70,80],"across":[72,117],"all":[73],"packages,":[74],"or":[75],"at":[76,114],"very":[78],"least,":[79],"packages":[83],"are":[85],"core":[86],"ecosystem.":[89],"As":[90],"such,":[91],"dependency":[92,175],"graphs":[93],"for":[94,108,145,154,171,182,185],"two":[95],"ecosystems":[96,147],"(Python,":[97],"JavaScript/Typescript)":[99],"were":[100],"captured":[101],"obtain":[103],"criticality":[104,129],"popularity":[106,144],"scores":[107],"each":[109],"package.":[110],"Security":[111],"was":[112,148],"measured":[113],"multiple":[115],"points":[116],"range":[119],"these":[121],"metrics":[122],"establish":[124],"relationships":[126],"between":[127,141,157],"popularity,":[128],"security.":[131],"In":[132],"doing":[133],"so,":[134],"statistically":[136],"significant":[137],"moderate":[138],"positive":[139],"correlation":[140,156],"both":[146],"found,":[149],"mixed":[152],"criticality.These":[160],"can":[162],"used":[164],"assist":[166],"both,":[168],"feature":[169],"selection":[170],"machine":[172],"learning":[173],"based":[174],"risk":[176],"measurement,":[177],"as":[179],"guide":[181],"dataset":[183],"sampling":[184],"future":[186],"tooling":[188],"evaluation.":[189]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-12-08T00:00:00"}