🤖 AI Summary
Assessing timely remediation risk for open-source software dependencies is challenging when vulnerability data are unavailable. Method: This paper introduces MTTR<sub>dep</sub> (Mean Time to Remediate for dependencies), the historical time a package takes to move off vulnerable versions of its dependencies, and proposes MTTU<sub>dep</sub> (Mean Time to Update) as a highly correlated proxy metric that measures the same lag over all dependency releases, not only vulnerability fixes. MTTU<sub>dep</sub> addresses key limitations of existing metrics: neglect of dependency hierarchy, insufficient historical aggregation, and insensitivity to floating-version semantics. Contribution/Results: Through large-scale empirical analysis of 163,207 packages across the npm, PyPI, and Cargo ecosystems (only 22,513 of which have enough vulnerability data to compute MTTR<sub>dep</sub>), combined with version evolution graph modeling and statistical validation, the authors report a strong correlation (Spearman ρ > 0.9) between MTTU<sub>dep</sub> and MTTR<sub>dep</sub>. This enables scalable, low-cost, data-light risk assessment in the absence of vulnerability records, advancing quantifiable decision support for software supply chain security.
📝 Abstract
Timely remediation of vulnerabilities in software dependencies is critical for the security of the software supply chain. As such, researchers have proposed tools and metrics to help practitioners assess the security practices of each of their dependencies. Conceptually, a dependency-focused Mean-Time-To-Remediate (MTTR) metric can provide a historical perspective on how long it takes a given package to update vulnerable versions of its dependencies. However, existing MTTR metrics focus on a package fixing bugs in its own code, not its dependencies. Simultaneously, existing dependency update metrics do not aggregate values for the entire package and are not sensitive to aspects important for vulnerabilities (e.g., floating version constraints). The goal of this study is to aid industry practitioners, including developers, in assessing the risk of dependencies through a novel metric, evaluated in an empirical study, that approximates the mean time to remediate vulnerabilities in their dependencies. We propose a novel algorithm for computing MTTR called $MTTR_{dep}$ and a companion metric called Mean-Time-To-Update$_{dep}$ ($MTTU_{dep}$), which considers all version updates, including vulnerability fix updates. We conduct a large-scale study using 163,207 packages in npm, PyPI, and Cargo, of which only 22,513 packages produce $MTTR_{dep}$ because of the lack of vulnerability data. We further study how package characteristics (e.g., contributors and version counts) influence $MTTU_{dep}$ and $MTTR_{dep}$ and explore how long packages retain outdated vulnerable dependencies in npm, PyPI, and Cargo. Our results indicate that industry practitioners can reliably use $MTTU_{dep}$ as a proxy for $MTTR_{dep}$ when available vulnerability data is insufficient.
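The following is an added worked example, not the paper's own algorithm, code, or data, showing the idea behind the two metrics as the abstract describes them: for every release of a dependency, measure how long the depending package's declared constraint takes to admit that version (or a newer one); $MTTU_{dep}$ averages that lag over all dependency releases, $MTTR_{dep}$ over only the releases that fix a vulnerability. Floating constraints such as `^1.0.2` pick a new patch up immediately, so their lag is zero, which is the floating-version sensitivity the abstract calls for. The constraint syntax (`==`, `^`, `~`, `>=`), the "admits this version or newer" rule, the handling of still-unresolved releases, and the package and `libfoo` histories are all assumptions constructed for this illustration.

```python
from datetime import date
from statistics import mean

# Added example: a simplified reconstruction of the MTTU_dep / MTTR_dep idea.
# Not the paper's algorithm or dataset; constraint handling is deliberately minimal.


def parse_version(text):
    """'1.2.3' -> (1, 2, 3). Assumes plain numeric semver, no pre-release tags."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def admitted_range(constraint):
    """Map a constraint to a [lower, upper) interval of admitted versions.
    Assumed syntax: ^ (same major), ~ (same minor), >= (unbounded), == or bare (exact)."""
    if constraint.startswith("^"):
        lo = parse_version(constraint[1:])
        return lo, (lo[0] + 1, 0, 0)
    if constraint.startswith("~"):
        lo = parse_version(constraint[1:])
        return lo, (lo[0], lo[1] + 1, 0)
    if constraint.startswith(">="):
        return parse_version(constraint[2:]), None
    lo = parse_version(constraint.lstrip("="))
    return lo, (lo[0], lo[1], lo[2] + 1)


def admits_at_least(constraint, version):
    """True if the constraint can resolve to `version` or anything newer,
    i.e. the package is no longer stuck on something older than `version`."""
    lo, hi = admitted_range(constraint)
    return hi is None or max(lo, parse_version(version)) < hi


def dependency_lags(package_releases, dependency_releases, as_of):
    """package_releases: [(date, constraint on the dependency)] sorted by date.
    dependency_releases: [(date, version, fixes_vuln)].
    Returns one record per dependency release with the days until the package
    first admitted that version or newer; unresolved releases are measured to `as_of`."""
    results = []
    for dep_date, version, fixes_vuln in dependency_releases:
        # Constraint in force when the dependency shipped: latest package release on or before that day.
        in_force = [c for d, c in package_releases if d <= dep_date]
        if not in_force:
            continue  # the package did not exist yet; nothing to measure
        if admits_at_least(in_force[-1], version):
            # Floating constraint already covers the release: zero lag, no update action needed.
            results.append(dict(version=version, fixes_vuln=fixes_vuln, lag_days=0, resolved=True))
            continue
        later = [d for d, c in package_releases if d > dep_date and admits_at_least(c, version)]
        if later:
            results.append(dict(version=version, fixes_vuln=fixes_vuln,
                                lag_days=(later[0] - dep_date).days, resolved=True))
        else:
            # Still pinned below this version at the measurement date: outdated dependency retained.
            results.append(dict(version=version, fixes_vuln=fixes_vuln,
                                lag_days=(as_of - dep_date).days, resolved=False))
    return results


def mttu_dep(lags):
    """Mean lag over all resolved dependency updates, security-related or not."""
    vals = [r["lag_days"] for r in lags if r["resolved"]]
    return mean(vals) if vals else None


def mttr_dep(lags):
    """Mean lag over resolved updates that fix a vulnerability; None when no such data exists."""
    vals = [r["lag_days"] for r in lags if r["resolved"] and r["fixes_vuln"]]
    return mean(vals) if vals else None


def open_vulnerable(lags):
    """Vulnerability-fixing releases the package has still not picked up, with days open."""
    return [(r["version"], r["lag_days"]) for r in lags if r["fixes_vuln"] and not r["resolved"]]


# Constructed history of one package's constraint on a single dependency "libfoo".
PACKAGE_RELEASES = [
    (date(2023, 1, 1), "==1.0.0"),   # exact pin
    (date(2023, 2, 15), "^1.0.2"),   # floating: any 1.x >= 1.0.2
    (date(2023, 6, 1), "==1.4.0"),   # pinned again
]
# Constructed release history of "libfoo"; the advisory flags are made up for this example.
LIBFOO_RELEASES = [
    (date(2023, 1, 10), "1.0.1", False),
    (date(2023, 1, 20), "1.0.2", True),   # fixes a vulnerability
    (date(2023, 3, 1), "1.1.0", False),   # covered by ^1.0.2 on release day
    (date(2023, 4, 1), "1.1.1", True),    # covered by ^1.0.2 on release day
    (date(2023, 7, 1), "1.4.1", True),    # blocked by the ==1.4.0 pin
]
AS_OF = date(2023, 9, 1)


def example():
    lags = dependency_lags(PACKAGE_RELEASES, LIBFOO_RELEASES, AS_OF)
    return mttu_dep(lags), mttr_dep(lags), open_vulnerable(lags)


if __name__ == "__main__":
    mttu, mttr, still_open = example()
    print(f"MTTU_dep = {mttu} days, MTTR_dep = {mttr} days, open vulnerable releases: {still_open}")
```

In the constructed history the two exact pins account for all of the lag: 1.0.1 and 1.0.2 wait until the package switches to `^1.0.2`, the two releases that land while `^1.0.2` is in force cost nothing, and 1.4.1 is still blocked by the `==1.4.0` pin at the measurement date, so it is reported separately as a retained vulnerable dependency rather than averaged in. A metric that only looked at how often the package bumps its pins, or that ignored the constraint in force on the dependency's release day, would miss both effects.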