On The Lag of Library Vulnerability Updates: An Investigation into the Repackage and Delivery of Security Fixes Within The npm JavaScript Ecosystem

Vulnerabilities in third-party libraries are a growing concern for software developers, not only because they pose risks to the client software itself, but because they threaten the entire ecosystem. To mitigate these risks, developers are strongly recommended to update their dependencies. Recent studies show that affected developers are unlikely to respond promptly to a vulnerability threat. In this paper, we introduce lags in updates as a cause of the slow response to vulnerability threats within the ecosystem. To understand these lags, we use both qualitative and quantitative approaches to conduct an empirical study of how 188 fixes were repackaged and delivered across over eight hundred thousand releases of npm software packages hosted on GitHub. We report two types of lags. Lags in repackage occur because a vulnerability fix is likely to be bundled with other, unrelated updates: about 83.33% of the commits in the fix releases are not related to the fix. Dependency freshness affects lags in delivery, with lineage freshness, the number of downstream dependencies, and the severity of the vulnerability all impacting the lag. Moreover, lags exist in the adoption of the fix during the delivery phase: we find that clients are more likely to wait for the minor fix release than to adopt the quicker patch fix release. The identification of these two lags opens up different avenues for facilitating quicker repackaging and delivery of fixes across the ecosystem.