Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web

📅 2025-12-17
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper addresses the lack of large-scale empirical analysis on JavaScript dependency update practices in modern web applications. We propose Aletheia—the first package-agnostic, bundle-level third-party library version identification method. Aletheia integrates static analysis, string matching, hash-based fingerprinting, and code plagiarism detection to overcome traditional dependency identification’s reliance on global variables or manually curated package lists, enabling fine-grained and scalable version evolution tracking. An empirical study across the Tranco Top 100,000 websites reveals that 5%–20% of sites update bundled dependencies within a 16-week period. Bundled dependencies are updated significantly faster than CDN-hosted ones, and the prevalence of vulnerable versions is reduced by up to an order of magnitude. This work provides the first systematic characterization of real-world frontend dependency update patterns and associated security risk distributions.

📝 Abstract
Reusable software components, typically distributed as packages, are a central paradigm of modern software development. The JavaScript ecosystem serves as a prime example, offering millions of packages with their use being promoted as idiomatic. However, download statistics on npm raise security concerns as they indicate a high popularity of vulnerable package versions while their real prevalence on production websites remains unknown. Package version detection mechanisms fill this gap by extracting utilized packages and versions from observed artifacts on the web. Prior research focuses on mechanisms for either hand-selected popular packages in bundles or for single-file resources utilizing the global namespace. This does not allow for a thorough analysis of modern web applications' dependency update behavior at scale. In this work, we improve upon this by presenting Aletheia, a package-agnostic method which dissects JavaScript bundles to identify package versions through algorithms originating from the field of plagiarism detection. We show that this method clearly outperforms the existing approaches in practical settings. Furthermore, we crawl the Tranco top 100,000 domains to reveal that 5% - 20% of domains update their dependencies within 16 weeks. Surprisingly, from a longitudinal perspective, bundled packages are updated significantly faster than their CDN-included counterparts, with consequently up to 10 times fewer known vulnerable package versions included. Still, we observe indicators that few widespread vendors seem to be a major driving force behind timely updates, implying that quantitative measures are not painting a complete picture.
Problem

Research questions and friction points this paper is trying to address.

Detect bundled JavaScript package versions on websites
Analyze dependency update patterns in modern web applications
Assess security impact of update frequency on vulnerabilities
Innovation

Methods, ideas, or system contributions that make the work stand out.

Package-agnostic method dissects JavaScript bundles for version detection
Uses plagiarism detection algorithms to identify package versions in bundles
Analyzes dependency update patterns across top 100,000 web domains
Ben Swierzy, Fraunhofer FKIE, University of Bonn
Marc Ohm, University of Bonn, Fraunhofer FKIE
Michael Meier, Willy-Hellpach-Schule Heidelberg