{"id":"https://openalex.org/W4389161910","doi":"https://doi.org/10.1145/3611643.3613086","title":"Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems","display_name":"Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems","publication_year":2023,"publication_date":"2023-11-30","ids":{"openalex":"https://openalex.org/W4389161910","doi":"https://doi.org/10.1145/3611643.3613086"},"language":"en","primary_location":{"id":"doi:10.1145/3611643.3613086","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3611643.3613086","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3611643.3613086","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3611643.3613086","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5004205023","display_name":"Supatsara Wattanakriengkrai","orcid":"https://orcid.org/0000-0001-9978-9889"},"institutions":[{"id":"https://openalex.org/I75917431","display_name":"Nara Institute of Science and Technology","ror":"https://ror.org/05bhada84","country_code":"JP","type":"education","lineage":["https://openalex.org/I75917431"]}],"countries":["JP"],"is_corresponding":true,"raw_author_name":"Supatsara Wattanakriengkrai","raw_affiliation_strings":["NAIST, Nara, Japan"],"raw_orcid":"https://orcid.org/0000-0001-9978-9889","affiliations":[{"raw_affiliation_string":"NAIST, Nara, Japan","institution_ids":["https://openalex.org/I75917431"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5091820517","display_name":"Raula Gaikovina Kula","orcid":"https://orcid.org/0000-0003-2324-0608"},"institutions":[{"id":"https://openalex.org/I75917431","display_name":"Nara Institute of Science and Technology","ror":"https://ror.org/05bhada84","country_code":"JP","type":"education","lineage":["https://openalex.org/I75917431"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Raula Gaikovina Kula","raw_affiliation_strings":["NAIST, Nara, Japan"],"raw_orcid":"https://orcid.org/0000-0003-2324-0608","affiliations":[{"raw_affiliation_string":"NAIST, Nara, Japan","institution_ids":["https://openalex.org/I75917431"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077658936","display_name":"Christoph Treude","orcid":"https://orcid.org/0000-0002-6919-2149"},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Christoph Treude","raw_affiliation_strings":["University of Melbourne, Melbourne, Australia"],"raw_orcid":"https://orcid.org/0000-0002-6919-2149","affiliations":[{"raw_affiliation_string":"University of Melbourne, Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5011588138","display_name":"Kenichi Matsumoto","orcid":"https://orcid.org/0000-0002-7418-9323"},"institutions":[{"id":"https://openalex.org/I75917431","display_name":"Nara Institute of Science and Technology","ror":"https://ror.org/05bhada84","country_code":"JP","type":"education","lineage":["https://openalex.org/I75917431"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Kenichi Matsumoto","raw_affiliation_strings":["NAIST, Nara, Japan"],"raw_orcid":"https://orcid.org/0000-0002-7418-9323","affiliations":[{"raw_affiliation_string":"NAIST, Nara, Japan","institution_ids":["https://openalex.org/I75917431"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5004205023"],"corresponding_institution_ids":["https://openalex.org/I75917431"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.27687455,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"2077","last_page":"2081"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9939000010490417,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.7998124361038208},{"id":"https://openalex.org/keywords/safer","display_name":"SAFER","score":0.7485307455062866},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6148523092269897},{"id":"https://openalex.org/keywords/ecosystem","display_name":"Ecosystem","score":0.5581249594688416},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.49668461084365845},{"id":"https://openalex.org/keywords/safeguard","display_name":"Safeguard","score":0.4927842915058136},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.431659996509552},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.41827547550201416},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.3772350251674652},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.3612551689147949},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.28751611709594727},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.1156339943408966},{"id":"https://openalex.org/keywords/ecology","display_name":"Ecology","score":0.09805282950401306}],"concepts":[{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.7998124361038208},{"id":"https://openalex.org/C2776654903","wikidata":"https://www.wikidata.org/wiki/Q2601463","display_name":"SAFER","level":2,"score":0.7485307455062866},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6148523092269897},{"id":"https://openalex.org/C110872660","wikidata":"https://www.wikidata.org/wiki/Q37813","display_name":"Ecosystem","level":2,"score":0.5581249594688416},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.49668461084365845},{"id":"https://openalex.org/C2780771206","wikidata":"https://www.wikidata.org/wiki/Q3271761","display_name":"Safeguard","level":2,"score":0.4927842915058136},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.431659996509552},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.41827547550201416},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3772350251674652},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3612551689147949},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.28751611709594727},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.1156339943408966},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.09805282950401306},{"id":"https://openalex.org/C155202549","wikidata":"https://www.wikidata.org/wiki/Q178803","display_name":"International trade","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3611643.3613086","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3611643.3613086","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3611643.3613086","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3611643.3613086","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3611643.3613086","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3611643.3613086","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G2546528781","display_name":null,"funder_award_id":"20K19774","funder_id":"https://openalex.org/F4320334764","funder_display_name":"Japan Society for the Promotion of Science"},{"id":"https://openalex.org/G4896636242","display_name":null,"funder_award_id":"20H05706","funder_id":"https://openalex.org/F4320334764","funder_display_name":"Japan Society for the Promotion of Science"},{"id":"https://openalex.org/G596368004","display_name":null,"funder_award_id":"JPMJSC2206","funder_id":"https://openalex.org/F4320338124","funder_display_name":"Strategic International Collaborative Research Program"}],"funders":[{"id":"https://openalex.org/F4320334764","display_name":"Japan Society for the Promotion of Science","ror":"https://ror.org/00hhkn466"},{"id":"https://openalex.org/F4320338124","display_name":"Strategic International Collaborative Research Program","ror":null}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4389161910.pdf","grobid_xml":"https://content.openalex.org/works/W4389161910.grobid-xml"},"referenced_works_count":15,"referenced_works":["https://openalex.org/W2123582298","https://openalex.org/W2752929869","https://openalex.org/W2953558274","https://openalex.org/W2968626168","https://openalex.org/W3000045849","https://openalex.org/W3108826526","https://openalex.org/W3110197653","https://openalex.org/W3161491624","https://openalex.org/W3172189288","https://openalex.org/W4226416841","https://openalex.org/W4285490369","https://openalex.org/W4312853677","https://openalex.org/W4377139845","https://openalex.org/W4383898619","https://openalex.org/W4385080312"],"related_works":["https://openalex.org/W3121667336","https://openalex.org/W2492640494","https://openalex.org/W2953205341","https://openalex.org/W235065745","https://openalex.org/W2029935773","https://openalex.org/W2787754950","https://openalex.org/W1572215850","https://openalex.org/W1985775355","https://openalex.org/W2352115286","https://openalex.org/W2084793300"],"abstract_inverted_index":{"A":[0],"risk":[1],"in":[2,79,167],"adopting":[3],"third-party":[4],"dependencies":[5,40],"into":[6],"an":[7],"application":[8],"is":[9,50,65],"their":[10],"potential":[11],"to":[12,20,66,124,131,149,160],"serve":[13],"as":[14],"a":[15,92,137],"doorway":[16],"for":[17],"malicious":[18],"code":[19],"be":[21],"injected":[22],"(most":[23],"often":[24],"unknowingly).":[25],"While":[26],"many":[27],"initiatives":[28],"from":[29,91],"both":[30],"industry":[31],"and":[32,68,99],"research":[33,138,143],"communities":[34],"focus":[35],"on":[36,87],"the":[37,47,54,57,60,73,132,172],"most":[38,43],"critical":[39],"(i.e.,":[41,104],"those":[42],"depended":[44],"upon":[45],"within":[46],"ecosystem),":[48],"little":[49],"known":[51],"about":[52],"whether":[53],"rest":[55],"of":[56,94],"ecosystem":[58],"suffers":[59],"same":[61],"fate.":[62],"Our":[63],"vision":[64],"promote":[67],"establish":[69],"safer":[70],"practises":[71,159],"throughout":[72,171],"ecosystem.":[74,174],"To":[75,128],"motivate":[76],"our":[77],"vision,":[78],"this":[80],"paper,":[81],"we":[82,135],"present":[83],"preliminary":[84],"data":[85],"based":[86],"three":[88],"representative":[89],"samples":[90],"population":[93],"88,416":[95],"pull":[96,106],"requests":[97],"(PRs)":[98],"identify":[100],"unsafe":[101,111,118,153,162],"dependency":[102,119,163],"updates":[103,120,164],"any":[105],"request":[107],"that":[108,117,145],"risks":[109],"being":[110],"during":[112],"runtime),":[113],"which":[114],"clearly":[115],"shows":[116],"are":[121],"not":[122,165],"limited":[123],"highly":[125],"impactful":[126],"libraries.":[127],"draw":[129],"attention":[130],"long":[133],"tail,":[134],"propose":[136],"agenda":[139],"comprising":[140],"six":[141],"key":[142],"questions":[144],"further":[146],"explore":[147],"how":[148],"safeguard":[150],"against":[151],"these":[152],"activities.":[154],"This":[155],"includes":[156],"developing":[157],"best":[158],"address":[161],"only":[166],"top-tier":[168],"libraries":[169],"but":[170],"entire":[173]},"counts_by_year":[],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}