This study investigates the propagation of vulnerabilities in the JavaScript ecosystem, where a small number of source-level flaws can spread widely through dependency chains, affecting numerous downstream packages. Leveraging deps.dev, the authors construct a dependency network encompassing over one million npm packages and conduct an empirical analysis of 1,515 real-world vulnerabilities using Google’s OSV database. They quantitatively demonstrate a high concentration of vulnerability propagation: just seven frequently occurring vulnerabilities account for 25% of all observed cases. The analysis reveals that 21.6% of npm packages contain vulnerable dependencies, with an average remediation lag approaching five years. Furthermore, the work systematically uncovers a strong correlation between patching delays and the scale of vulnerability propagation, offering actionable insights for developers and package managers to mitigate such risks effectively.

Understanding vulnerability propagation is essential for assessing how vulnerabilities spread across components of a software package. This supports more accurate impact analysis and enhances threat detection and mitigation. In this paper, we investigate how a small number of vulnerable JavaScript packages contribute to the creation of a disproportionately large number of vulnerable packages. This paper presents insights from 1,515 reported vulnerabilities gathered from a custom-built vulnerability database containing 1,077,946 JavaScript packages sourced from `npm-follower' and their associated dependency networks. Dependency networks were constructed using the deps.dev API, with vulnerabilities identified by parsing package names and version numbers through the Google Open Source Vulnerability API. Our findings reveal that 61.30% (660,748) of packages are reliant on one or more dependency packages, and 21.60% (232,836) of total packages have at least one known vulnerability throughout their dependency networks -- of which most (42%) are of High severity. We also found that it takes, on average, approximately 4 years and 11 months to fix a vulnerable package from when the first vulnerable version is published on npm -- although publication times of vulnerabilities occur approximately 19 days after a fix is available. Finally, we observe a high concentration of frequently present vulnerabilities throughout dependency networks, with the top-7 most frequent vulnerabilities accounting for 25% of vulnerability cases and the top-23 most frequent accounting for 50%. Based on these findings, we propose recommendations for developers and package managers to mitigate the threat and occurrence of vulnerabilities within the npm dependency network and the broader software repository community.