Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing release of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package-side fixing releasetypeSpatch). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate propagation lags in an ecosystem.

第三方依赖关系中的安全漏洞不仅对于受影响软件的开发人员，而且对于它对整个软件生态系统造成的风险（例如Heartbleed漏洞），都日益引起关注。最近的研究表明，开发人员对脆弱性威胁的响应速度很慢，有时需要4到11个月才能采取行动。为了确保快速采用和传播包含修订的发行版（固定发行版），我们进行了一项实证研究，以找出易受攻击的发行版与其固定发行版（程序包侧固定发行版）之间可能存在的延迟。）。通过对GitHub上的npm项目的231个程序包侧修复程序发布的初步研究，我们发现修复程序发布很少自己发布，捆绑的提交中多达85.72％与修复程序无关。然后，我们将程序包方面的修订版本与客户端上的更改进行比较（客户端方面的修订版本）。通过对影响npm软件包1,553,325版本的整个网络的1,290个软件包侧固定版本的采用和传播趋势进行的实证研究，我们发现，即使软件包侧固定版本很快，陈旧的客户端也需要额外的迁移工作（即包侧固定releasetypeSpatch）。此外，我们显示了诸如包装侧固定释放件落在的分支上以及脆弱性对其传播的严重性等因素的影响。除了识别和表征这些滞后现象外，本文还为将来如何减轻生态系统中的传播滞后研究奠定了基础。