This study systematically investigates the severity, persistence, and distribution patterns of dependency vulnerabilities in open-source projects, and their correlations with project-scale and activity metrics. Method: Leveraging our custom-built Software Composition Analysis (SCA) tool, VODA, we constructed a high-quality, multi-language dataset encompassing 1,000+ open-source projects and over 50,000 version releases. Contribution/Results: We quantitatively reveal—first time at scale—that critical vulnerabilities predominantly originate from transitive dependencies and exhibit median remediation latency exceeding 12 months; team size correlates significantly with faster vulnerability resolution; and vulnerability persistence and propagation patterns exhibit cross-language commonalities. Based on these findings, we propose the “high-risk-dependency-first governance” principle. The study provides empirical evidence and methodological support for optimizing dependency update mechanisms and strengthening software supply chain security governance.

Open-source libraries are widely used by software developers to speed up the development of products, however, they can introduce security vulnerabilities, leading to incidents like Log4Shell. With the expanding usage of open-source libraries, it becomes even more imperative to comprehend and address these dependency vulnerabilities. The use of Software Composition Analysis (SCA) tools does greatly help here as they provide a deep insight on what dependencies are used in a project, enhancing the security and integrity in the software supply chain. In order to learn how wide spread vulnerabilities are and how quickly they are being fixed, we conducted a study on over 1k open-source software projects with about 50k releases comprising several languages such as Java, Python, Rust, Go, Ruby, PHP, and JavaScript. Our objective is to investigate the severity, persistence, and distribution of these vulnerabilities, as well as their correlation with project metrics such as team and contributors size, activity and release cycles. In order to perform such analysis, we crawled over 1k projects from github including their version history ranging from 2013 to 2023 using VODA, our SCA tool. Using our approach, we can provide information such as library versions, dependency depth, and known vulnerabilities, and how they evolved over the software development cycle. Being larger and more diverse than datasets used in earlier works and studies, ours provides better insights and generalizability of the gained results. The data collected answers several research questions about the dependency depth and the average time a vulnerability persists. Among other findings, we observed that for most programming languages, vulnerable dependencies are transitive, and a critical vulnerability persists in average for over a year before being fixed. The results furthermore emphasize the importance of managing dependencies, performing timely updates, and suggests types of vulnerabilities that can be fixed faster.