ABSTRACT:
Software packages can be susceptible to attack whenever they utilize dependencies containing security vulnerabilities (vulnerable dependencies). We theorize that the likelihood of relying on vulnerable dependencies is heightened by two structural dimensions of dependency networks: complexity (dependency count) and tight coupling (interdependence). Analyzing 40,049 packages, we find that complexity is positively associated with this likelihood and that vertical complexity (depth) plays a more prominent role than horizontal complexity (breadth). However, tight coupling is negatively associated with the likelihood of vulnerable dependencies. Further analyses reveal that this relationship turns positive with greater complexity but becomes more strongly negative as the number of package developers and the average number of developers per dependency increase. Our findings identify key boundary conditions under which tight coupling may be beneficial and offer a nuanced understanding of how dependency network structure influences the security of dependencies and, more broadly, the security of software supply chains.
Key words and phrases: Dependency network, security vulnerability, vulnerable dependency, software complexity, software coupling, software supply chain, cybersecurity
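The structural dimensions named in the abstract (complexity as the count of transitive dependencies, vertical complexity as depth, horizontal complexity as breadth, tight coupling as interdependence among dependencies) can be computed on a concrete dependency graph. The following Python is an added illustration, not the study's code: the dependency graph and the advisory set are constructed, and each operationalization (in particular measuring coupling as the edge density of the subgraph induced by a package's dependencies) is an assumption, since the abstract does not state how each dimension was measured.

```python
"""Structural metrics over a package dependency graph, plus a check for
whether any transitive dependency is known-vulnerable.

Added illustration, not the study's code. The operationalizations below
are assumptions; the graph and advisory data are constructed.
"""
from collections import deque

# Constructed dependency graph: package -> direct dependencies.
GRAPH = {
    "app": ["web", "db", "log"],
    "web": ["http", "json"],
    "db": ["http", "pool"],
    "log": [],
    "http": ["tls"],
    "tls": [],
    "json": [],
    "pool": [],
    "cli": ["log"],
}

# Constructed advisory data: packages carrying a known vulnerability.
VULNERABLE = {"tls"}


def transitive_deps(pkg, graph=GRAPH):
    """Complexity: every package reachable from pkg (pkg excluded). Cycle-safe."""
    seen = set()
    stack = list(graph.get(pkg, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    seen.discard(pkg)
    return seen


def breadth(pkg, graph=GRAPH):
    """Horizontal complexity: number of direct dependencies."""
    return len(graph.get(pkg, []))


def depth(pkg, graph=GRAPH, _on_path=frozenset()):
    """Vertical complexity: longest dependency chain (in edges) below pkg.
    Edges back into the current path are ignored so cycles terminate."""
    on_path = _on_path | {pkg}
    best = 0
    for dep in graph.get(pkg, []):
        if dep in on_path:
            continue
        best = max(best, 1 + depth(dep, graph, on_path))
    return best


def coupling(pkg, graph=GRAPH):
    """Interdependence among pkg's dependencies, measured (assumption) as the
    density of the subgraph they induce: edges between dependencies divided
    by the number of possible directed edges. 0.0 with fewer than two deps."""
    deps = transitive_deps(pkg, graph)
    if len(deps) < 2:
        return 0.0
    edges = sum(1 for d in deps for e in graph.get(d, []) if e in deps and e != d)
    return edges / (len(deps) * (len(deps) - 1))


def vulnerable_path(pkg, graph=GRAPH, vulnerable=VULNERABLE):
    """Shortest dependency chain from pkg to a vulnerable package, or None.
    The chain is what a practitioner needs to decide which direct dependency
    to upgrade, pin or replace."""
    parent = {pkg: None}
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep in parent:
                continue
            parent[dep] = cur
            if dep in vulnerable:
                path = [dep]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(dep)
    return None


def profile(pkg, graph=GRAPH, vulnerable=VULNERABLE):
    """All four structural measures plus the vulnerable-dependency check."""
    return {
        "complexity": len(transitive_deps(pkg, graph)),
        "breadth": breadth(pkg, graph),
        "depth": depth(pkg, graph),
        "coupling": coupling(pkg, graph),
        "vulnerable_path": vulnerable_path(pkg, graph, vulnerable),
    }


if __name__ == "__main__":
    for name in ("app", "cli"):
        print(name, profile(name))
```

On the constructed graph, `app` has 7 transitive dependencies, 3 direct ones, depth 3, coupling 5/42, and reaches the vulnerable `tls` through `web` and `http`; `cli` has a single shallow dependency and no vulnerable path. Real ecosystems contain dependency cycles, which is why every traversal above tracks what it has already visited.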