software

[Paper] Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web

Published: (December 17, 2025 at 08:43 AM EST)
4 min read
Source: arXiv

Source: arXiv - 2512.15447v1

Overview

The paper “Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web” investigates how often web sites actually upgrade the third‑party JavaScript libraries they ship in bundled code. By introducing a new, package‑agnostic detection technique, the authors show that bundled dependencies tend to be refreshed more quickly than CDN‑served ones—cutting the exposure to known vulnerable versions by up to tenfold.

Key Contributions

  • Aletheia detection engine – a novel, plagiarism‑inspired algorithm that can pinpoint exact package versions inside arbitrary JavaScript bundles without prior knowledge of the package list.
  • Comprehensive empirical study – analysis of the top 100 k domains (Tranco list) over a 16‑week window, measuring real‑world update frequencies for both bundled and CDN‑delivered packages.
  • Performance benchmark – Aletheia outperforms existing version‑identification tools (both hand‑picked and global‑namespace approaches) in precision and recall on large‑scale web data.
  • Insightful longitudinal findings – bundled packages are updated 5 %–20 % of the time within 16 weeks, and they contain up to ten times fewer known vulnerable versions than CDN‑served equivalents.
  • Vendor‑level analysis – identification of a small set of dominant vendors that drive the majority of timely updates, suggesting a skewed ecosystem influence.

Methodology

  1. Data Collection – The authors crawled the Tranco top‑100 k websites, downloading every JavaScript resource (both bundled files and external CDN scripts) across multiple snapshots spaced over 16 weeks.
  2. Aletheia Engine
    • Treats each bundle as a “document” and each known package version as a “reference text”.
    • Applies winnowing (a plagiarism‑detection technique) to generate robust fingerprints of code fragments, tolerating minification, reordering, and small edits.
    • Matches fingerprints against a pre‑computed index of all npm package versions, yielding the most likely version(s) present in the bundle.
  3. Baseline Comparison – The study re‑implemented two prior detection strategies: (a) a hand‑selected popular‑package list lookup, and (b) a global‑namespace variable scanner. Both were run on the same dataset.
  4. Vulnerability Mapping – Detected versions were cross‑referenced with the npm security advisory database to flag known vulnerable releases.
  5. Statistical Analysis – Update frequencies, lag times, and vulnerability prevalence were computed per domain, per package, and per delivery method (bundle vs. CDN).

Results & Findings

MetricBundled PackagesCDN‑Delivered Packages
Update rate (16 weeks)5 %–20 % of domains refreshed at least one dependency~2 % of domains refreshed
Vulnerable version prevalenceUp to 10× fewer vulnerable versions than CDN equivalentsHigher exposure, especially for older libraries
Detection accuracyPrecision ≈ 92 %, Recall ≈ 88 % (Aletheia)Prior methods: Precision 70‑80 %, Recall 55‑65 %
Dominant vendors3‑4 large vendors (e.g., Google, Microsoft) account for >60 % of timely updatesNo clear vendor effect

Interpretation: Bundling—often done via build tools like Webpack or Rollup—appears to encourage developers to lock in a specific version and then update it more regularly, perhaps because the bundle is part of the source‑controlled codebase. CDN scripts, by contrast, are frequently referenced via static URLs that developers forget to bump, leaving stale, vulnerable code in production.

Practical Implications

  • For Front‑End Engineers: Treat your bundle as a “single point of truth” for dependencies. Automate version bumps (e.g., via Renovate or Dependabot) and integrate them into CI pipelines to keep the bundle fresh.
  • For Security Teams: Prioritize scanning of CDN‑referenced scripts, as they are more likely to host outdated, vulnerable libraries. Tools that only inspect bundled code may miss a large attack surface.
  • For Package Maintainers: Publishing clear migration guides and semantic‑versioning tags helps downstream bundlers adopt updates faster.
  • For Tool Vendors: Aletheia’s fingerprinting approach can be packaged as a SaaS offering or an open‑source CLI to enrich existing SCA (Software Composition Analysis) platforms, especially for detecting versions in minified/obfuscated bundles.
  • For CDN Providers: Implement “auto‑refresh” headers or version‑aware URLs (e.g., library@2.3.4.min.js) to nudge consumers toward newer releases.

Limitations & Future Work

  • Scope of Packages: The study focused on npm packages that appear in JavaScript bundles; native browser APIs or non‑npm libraries were not examined.
  • Temporal Granularity: Snapshots were taken at roughly 2‑week intervals; rapid updates occurring between crawls could be missed.
  • Fingerprint Collisions: Highly similar minified code across versions can occasionally cause false positives, though the authors report this is rare.
  • Vendor Bias: The dominance of a few vendors suggests that the observed “fast update” pattern may not generalize to niche or community‑driven packages.

Future research directions include extending Aletheia to other ecosystems (e.g., Python wheels, Rust crates), integrating real‑time monitoring of CDN URLs, and exploring the impact of automated update bots on reducing vulnerable dependency exposure.

Authors

  • Ben Swierzy
  • Marc Ohm
  • Michael Meier

Paper Information

  • arXiv ID: 2512.15447v1
  • Categories: cs.SE, cs.CR
  • Published: December 17, 2025
  • PDF: Download PDF
Back to Blog

Related posts

Read more »