Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem

Fenglin Bi; Cheng Liang; Yanbin Zhang; Yang Chen; Wei Wang

doi:10.1007/978-3-032-00828-2_22

Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem

Fenglin Bi, Cheng Liang, Yanbin Zhang, Yang Chen, Wei Wang^*

^*Corresponding author for this work

School of Data Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In the rapidly evolving domain of software development, the security and reliability of the open source software supply chain are of increasing concern. Outdated dependencies pose significant risks to the software ecosystem. This study aims to quantitatively reveal the prevalence of outdated dependencies in the open source supply chain, evaluate their impact on software security, and identify effective techniques for the timely detection of outdated dependencies to prevent security issues. We aggregated outdated dependencies from the npm ecosystem and the Open Source Vulnerabilities (OSV) dataset to construct the Outdated Dependencies Vulnerability Supply Chain. Our analysis suggested that outdated dependencies in a central position within the dependency chain significantly affect downstream components. Using clustering algorithms, we discovered that outdated packages are concentrated in the development tools area, which has a significant security risk from injection flaws (CWE-707) vulnerabilities. Utilizing model-based feature importance techniques, we predict the outdatedness of dependencies in the open source supply chain, with key indicators including the average duration of open issues and pull requests. The findings offer software developers and maintainers a foundation to identify current issues and security vulnerabilities within outdated dependencies, facilitating mitigation efforts through the open source software supply chain.

Original language	English
Title of host publication	Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings
Editors	Yuan Zhou, Zuohua Ding, Sin G. Teo, Xiaofei Xie, Yang Liu
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	403-423
Number of pages	21
ISBN (Print)	9783032008275
DOIs	https://doi.org/10.1007/978-3-032-00828-2_22
State	Published - 2026
Event	29th International Conference on Engineering of Complex Computer Systems, ICECCS 2025 - Hangzhou, China Duration: 2 Jul 2025 → 4 Jul 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15746 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th International Conference on Engineering of Complex Computer Systems, ICECCS 2025
Country/Territory	China
City	Hangzhou
Period	2/07/25 → 4/07/25

Keywords

Open source software supply chain
Outdated third-party dependencies
Software ecosystem
Software security

Access to Document

10.1007/978-3-032-00828-2_22

Cite this

Bi, F., Liang, C., Zhang, Y., Chen, Y., & Wang, W. (2026). Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem. In Y. Zhou, Z. Ding, S. G. Teo, X. Xie, & Y. Liu (Eds.), Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings (pp. 403-423). (Lecture Notes in Computer Science; Vol. 15746 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-00828-2_22

Bi, Fenglin ; Liang, Cheng ; Zhang, Yanbin et al. / Uncover the Risks of Outdated Dependencies in Software Supply Chains : Insights from the npm Ecosystem. Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings. editor / Yuan Zhou ; Zuohua Ding ; Sin G. Teo ; Xiaofei Xie ; Yang Liu. Springer Science and Business Media Deutschland GmbH, 2026. pp. 403-423 (Lecture Notes in Computer Science).

@inproceedings{9e71d74f66f344d7b1d2086e406148df,

title = "Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem",

abstract = "In the rapidly evolving domain of software development, the security and reliability of the open source software supply chain are of increasing concern. Outdated dependencies pose significant risks to the software ecosystem. This study aims to quantitatively reveal the prevalence of outdated dependencies in the open source supply chain, evaluate their impact on software security, and identify effective techniques for the timely detection of outdated dependencies to prevent security issues. We aggregated outdated dependencies from the npm ecosystem and the Open Source Vulnerabilities (OSV) dataset to construct the Outdated Dependencies Vulnerability Supply Chain. Our analysis suggested that outdated dependencies in a central position within the dependency chain significantly affect downstream components. Using clustering algorithms, we discovered that outdated packages are concentrated in the development tools area, which has a significant security risk from injection flaws (CWE-707) vulnerabilities. Utilizing model-based feature importance techniques, we predict the outdatedness of dependencies in the open source supply chain, with key indicators including the average duration of open issues and pull requests. The findings offer software developers and maintainers a foundation to identify current issues and security vulnerabilities within outdated dependencies, facilitating mitigation efforts through the open source software supply chain.",

keywords = "Open source software supply chain, Outdated third-party dependencies, Software ecosystem, Software security",

author = "Fenglin Bi and Cheng Liang and Yanbin Zhang and Yang Chen and Wei Wang",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 29th International Conference on Engineering of Complex Computer Systems, ICECCS 2025 ; Conference date: 02-07-2025 Through 04-07-2025",

year = "2026",

doi = "10.1007/978-3-032-00828-2\_22",

language = "英语",

isbn = "9783032008275",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "403--423",

editor = "Yuan Zhou and Zuohua Ding and Teo, \{Sin G.\} and Xiaofei Xie and Yang Liu",

booktitle = "Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings",

address = "德国",

}

Bi, F, Liang, C, Zhang, Y, Chen, Y & Wang, W 2026, Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem. in Y Zhou, Z Ding, SG Teo, X Xie & Y Liu (eds), Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings. Lecture Notes in Computer Science, vol. 15746 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 403-423, 29th International Conference on Engineering of Complex Computer Systems, ICECCS 2025, Hangzhou, China, 2/07/25. https://doi.org/10.1007/978-3-032-00828-2_22

Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem. / Bi, Fenglin; Liang, Cheng; Zhang, Yanbin et al.
Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings. ed. / Yuan Zhou; Zuohua Ding; Sin G. Teo; Xiaofei Xie; Yang Liu. Springer Science and Business Media Deutschland GmbH, 2026. p. 403-423 (Lecture Notes in Computer Science; Vol. 15746 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Uncover the Risks of Outdated Dependencies in Software Supply Chains

T2 - 29th International Conference on Engineering of Complex Computer Systems, ICECCS 2025

AU - Bi, Fenglin

AU - Liang, Cheng

AU - Zhang, Yanbin

AU - Chen, Yang

AU - Wang, Wei

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026

Y1 - 2026

N2 - In the rapidly evolving domain of software development, the security and reliability of the open source software supply chain are of increasing concern. Outdated dependencies pose significant risks to the software ecosystem. This study aims to quantitatively reveal the prevalence of outdated dependencies in the open source supply chain, evaluate their impact on software security, and identify effective techniques for the timely detection of outdated dependencies to prevent security issues. We aggregated outdated dependencies from the npm ecosystem and the Open Source Vulnerabilities (OSV) dataset to construct the Outdated Dependencies Vulnerability Supply Chain. Our analysis suggested that outdated dependencies in a central position within the dependency chain significantly affect downstream components. Using clustering algorithms, we discovered that outdated packages are concentrated in the development tools area, which has a significant security risk from injection flaws (CWE-707) vulnerabilities. Utilizing model-based feature importance techniques, we predict the outdatedness of dependencies in the open source supply chain, with key indicators including the average duration of open issues and pull requests. The findings offer software developers and maintainers a foundation to identify current issues and security vulnerabilities within outdated dependencies, facilitating mitigation efforts through the open source software supply chain.

AB - In the rapidly evolving domain of software development, the security and reliability of the open source software supply chain are of increasing concern. Outdated dependencies pose significant risks to the software ecosystem. This study aims to quantitatively reveal the prevalence of outdated dependencies in the open source supply chain, evaluate their impact on software security, and identify effective techniques for the timely detection of outdated dependencies to prevent security issues. We aggregated outdated dependencies from the npm ecosystem and the Open Source Vulnerabilities (OSV) dataset to construct the Outdated Dependencies Vulnerability Supply Chain. Our analysis suggested that outdated dependencies in a central position within the dependency chain significantly affect downstream components. Using clustering algorithms, we discovered that outdated packages are concentrated in the development tools area, which has a significant security risk from injection flaws (CWE-707) vulnerabilities. Utilizing model-based feature importance techniques, we predict the outdatedness of dependencies in the open source supply chain, with key indicators including the average duration of open issues and pull requests. The findings offer software developers and maintainers a foundation to identify current issues and security vulnerabilities within outdated dependencies, facilitating mitigation efforts through the open source software supply chain.

KW - Open source software supply chain

KW - Outdated third-party dependencies

KW - Software ecosystem

KW - Software security

UR - https://www.scopus.com/pages/publications/105020674967

U2 - 10.1007/978-3-032-00828-2_22

DO - 10.1007/978-3-032-00828-2_22

M3 - 会议稿件

AN - SCOPUS:105020674967

SN - 9783032008275

T3 - Lecture Notes in Computer Science

SP - 403

EP - 423

BT - Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings

A2 - Zhou, Yuan

A2 - Ding, Zuohua

A2 - Teo, Sin G.

A2 - Xie, Xiaofei

A2 - Liu, Yang

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 2 July 2025 through 4 July 2025

ER -

Bi F, Liang C, Zhang Y, Chen Y, Wang W. Uncover the Risks of Outdated Dependencies in Software Supply Chains: Insights from the npm Ecosystem. In Zhou Y, Ding Z, Teo SG, Xie X, Liu Y, editors, Engineering of Complex Computer Systems - 29th International Conference, ICECCS 2025, Proceedings. Springer Science and Business Media Deutschland GmbH. 2026. p. 403-423. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00828-2_22