{"id":"https://openalex.org/W4407359232","doi":"https://doi.org/10.1145/3715728","title":"Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks","display_name":"Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks","publication_year":2025,"publication_date":"2025-06-19","ids":{"openalex":"https://openalex.org/W4407359232","doi":"https://doi.org/10.1145/3715728"},"language":"en","primary_location":{"id":"doi:10.1145/3715728","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3715728","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3715728","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5021279939","display_name":"Hao He","orcid":null},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Hao He","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, USA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, USA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050821883","display_name":"Bogdan Vasilescu","orcid":"https://orcid.org/0000-0003-4418-5783"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Bogdan Vasilescu","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, USA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, USA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5067467896","display_name":"Christian K\u00e4stner","orcid":"https://orcid.org/0000-0002-4450-4572"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Christian K\u00e4stner","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, USA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, USA","institution_ids":["https://openalex.org/I74973139"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5021279939"],"corresponding_institution_ids":["https://openalex.org/I74973139"],"apc_list":null,"apc_paid":null,"fwci":9.4079,"has_fulltext":true,"cited_by_count":3,"citation_normalized_percentile":{"value":0.97045718,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":99},"biblio":{"volume":"2","issue":"FSE","first_page":"266","last_page":"289"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9947999715805054,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.9930999875068665,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.784369707107544},{"id":"https://openalex.org/keywords/guard","display_name":"Guard (computer science)","score":0.7304834723472595},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.639746367931366},{"id":"https://openalex.org/keywords/counterfactual-thinking","display_name":"Counterfactual thinking","score":0.5866113901138306},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5560092926025391},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5385512113571167},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.5064204931259155},{"id":"https://openalex.org/keywords/software-versioning","display_name":"Software versioning","score":0.4945964515209198},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.45361921191215515},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.3718402683734894},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.11540743708610535},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.11233830451965332}],"concepts":[{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.784369707107544},{"id":"https://openalex.org/C141141315","wikidata":"https://www.wikidata.org/wiki/Q2379942","display_name":"Guard (computer science)","level":2,"score":0.7304834723472595},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.639746367931366},{"id":"https://openalex.org/C108650721","wikidata":"https://www.wikidata.org/wiki/Q1783253","display_name":"Counterfactual thinking","level":2,"score":0.5866113901138306},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5560092926025391},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5385512113571167},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.5064204931259155},{"id":"https://openalex.org/C198140048","wikidata":"https://www.wikidata.org/wiki/Q10859422","display_name":"Software versioning","level":3,"score":0.4945964515209198},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.45361921191215515},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3718402683734894},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.11540743708610535},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.11233830451965332},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3715728","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3715728","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},{"id":"pmh:oai:arXiv.org:2502.06662","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2502.06662","pdf_url":"https://arxiv.org/pdf/2502.06662","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3715728","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3715728","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Life in Land","id":"https://metadata.un.org/sdg/15","score":0.46000000834465027}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":66,"referenced_works":["https://openalex.org/W1965854491","https://openalex.org/W2006393891","https://openalex.org/W2068588283","https://openalex.org/W2152003168","https://openalex.org/W2161425670","https://openalex.org/W2165094929","https://openalex.org/W2297096600","https://openalex.org/W2337042987","https://openalex.org/W2506824326","https://openalex.org/W2740279154","https://openalex.org/W2767231363","https://openalex.org/W2789570312","https://openalex.org/W2886465534","https://openalex.org/W2889097348","https://openalex.org/W2899036005","https://openalex.org/W2899324080","https://openalex.org/W2945486631","https://openalex.org/W2953482240","https://openalex.org/W2956069715","https://openalex.org/W2963748706","https://openalex.org/W3029879311","https://openalex.org/W3031471692","https://openalex.org/W3036270494","https://openalex.org/W3043516402","https://openalex.org/W3046453918","https://openalex.org/W3090081101","https://openalex.org/W3091065534","https://openalex.org/W3094525800","https://openalex.org/W3100852074","https://openalex.org/W3106855263","https://openalex.org/W3121596715","https://openalex.org/W3121912189","https://openalex.org/W3133667557","https://openalex.org/W3150814957","https://openalex.org/W3177321543","https://openalex.org/W3182281291","https://openalex.org/W3184420437","https://openalex.org/W3195348753","https://openalex.org/W3196126762","https://openalex.org/W3212800749","https://openalex.org/W4205596332","https://openalex.org/W4221145571","https://openalex.org/W4226416841","https://openalex.org/W4233869839","https://openalex.org/W4236606190","https://openalex.org/W4241395538","https://openalex.org/W4249440929","https://openalex.org/W4256420017","https://openalex.org/W4280554841","https://openalex.org/W4313563521","https://openalex.org/W4313563522","https://openalex.org/W4319459165","https://openalex.org/W4377235553","https://openalex.org/W4379014622","https://openalex.org/W4380982237","https://openalex.org/W4383898619","https://openalex.org/W4384026650","https://openalex.org/W4384155578","https://openalex.org/W4384345722","https://openalex.org/W4385208592","https://openalex.org/W4385283530","https://openalex.org/W4388483277","https://openalex.org/W4389158448","https://openalex.org/W4389159064","https://openalex.org/W4391855073","https://openalex.org/W4393055583"],"related_works":["https://openalex.org/W2899084033","https://openalex.org/W3201448254","https://openalex.org/W4286970243","https://openalex.org/W2066431708","https://openalex.org/W4384133558","https://openalex.org/W3025615835","https://openalex.org/W173210993","https://openalex.org/W2390660599","https://openalex.org/W3028847759","https://openalex.org/W2393688264"],"abstract_inverted_index":{"Recent":[0],"high-profile":[1],"incidents":[2],"in":[3,34,77,121],"open-source":[4],"software":[5,12],"have":[6],"greatly":[7],"raised":[8],"practitioner":[9],"attention":[10],"on":[11],"supply":[13,145,169],"chain":[14,146],"attacks.":[15],"To":[16],"guard":[17],"against":[18,144],"potential":[19],"malicious":[20,118],"package":[21,119],"updates,":[22],"security":[23,46,70],"practitioners":[24,162],"advocate":[25],"pinning":[26,42,92,138],"dependency":[27,83,123,131],"to":[28,117,126,140,151,153,166],"specific":[29,149],"versions":[30],"rather":[31],"than":[32],"floating":[33],"version":[35,75],"ranges.":[36],"However,":[37],"it":[38],"remains":[39],"controversial":[40],"whether":[41],"carries":[43],"a":[44],"meaningful":[45],"benefit":[47],"that":[48,91],"outweighs":[49],"the":[50,69,78,100,113,127,142],"cost":[51,101],"of":[52,74,102,115,129],"maintaining":[53,103],"outdated":[54,106],"and":[55,67,71,105,163],"possibly":[56],"vulnerable":[57,104],"dependencies.":[58],"In":[59],"this":[60],"paper,":[61],"we":[62,89,135],"quantify,":[63],"through":[64],"counterfactual":[65],"analysis":[66],"simulations,":[68],"maintenance":[72],"impact":[73],"constraints":[76],"npm":[79,152],"ecosystem.":[80],"By":[81],"simulating":[82],"resolutions":[84],"over":[85],"historical":[86],"time":[87],"points,":[88],"find":[90],"direct":[93],"dependencies":[94],"not":[95],"only":[96],"(as":[97],"expected)":[98],"increases":[99,112],"dependencies,":[107],"but":[108],"also":[109],"(surprisingly)":[110],"even":[111],"risk":[114],"exposure":[116],"updates":[120],"larger":[122],"graphs":[124],"due":[125],"specifics":[128],"npm\u2019s":[130],"resolution":[132],"mechanism.":[133],"Finally,":[134],"explore":[136],"collective":[137],"strategies":[139],"secure":[141],"ecosystem":[143],"attacks,":[147],"suggesting":[148],"changes":[150],"enable":[154],"such":[155],"interventions.":[156],"Our":[157],"study":[158],"provides":[159],"guidance":[160],"for":[161],"tool":[164],"designers":[165],"manage":[167],"their":[168],"chains":[170],"more":[171],"securely.":[172]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2}],"updated_date":"2026-04-06T07:47:59.780226","created_date":"2025-10-10T00:00:00"}