File-Level Copying Is an Implicit Dependency in Open Source

📅 2026-07-02
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the pervasive yet poorly governed practice of file-level code copying in open-source ecosystems, which obscures dependencies and undermines provenance tracking, maintainability, security, and license compliance. Leveraging the World of Code large-scale code graph, the authors systematically identify thirteen distinct forms of code copying through a methodology combining commit sampling, clone detection, manual annotation, and validation against CVE and license databases. Their analysis of 690,000 copying instances reveals that only 4.3% retain traceable origins. Critically, they uncover 17,314 high-risk CVE-associated copies and 41,777 license-violating instances—most of which evade detection by conventional dependency scanning tools—exposing significant blind spots in current governance mechanisms.
📝 Abstract
File-level copying is a widespread but ungoverned form of software reuse. Copying files across repositories reduces supply-chain visibility: it removes the four observable signals a package manager provides for a declared dependency (provenance, maintenance, security, and compliance) with no mechanism to restore them. To characterize the scale and consequences of this unmanaged reuse, we present a mixed-method study of copying across the entire open-source ecosystem using World of Code (WoC). From a 0.1% commit sample, we extract 690,500 copy events and retain 3,912 rationale-bearing copy commits for intent labeling. We show that the 13 axial copy forms, spanning vendored dependencies, hardware/driver synchronization, scaffolding, UI assets, and direct source-code reuse, are unreliable proxies for developer intent: among rationale-bearing commits, hardware/driver copies are predominantly fork-maintenance work (78%), while dependency-vendoring copies more often signal upstream bypass (70%) than offline availability. These visibility gaps are form-specific: security and license risk concentrate in complementary copy forms. Copied sources are frequently stale (median 155 days; 38.5% over one year old) and seldom record a recoverable origin (4.3% documented), let alone a checkable version (2.0% versioned); even vendored copies record where they came from only 10% of the time. Security risk concentrates in vendored dependencies: 17,314 CVE-risk copy commits in the full-WoC graph, 88% in the dependency-vendoring form; 80% score CVSS >= 7.0 and upstream-fix adoption is only 47%-84%. License risk concentrates in direct source-code reuse: 41,777 pre-validation candidates, 66% in the source-code form, with 39 verified high-star violations (kappa = 0.752). Both risks reach packaged software and are invisible to dependency scanners operating on declared metadata alone.
Problem

Research questions and friction points this paper is trying to address.

file-level copying
software supply chain
dependency visibility
security risk
license compliance
Innovation

Methods, ideas, or system contributions that make the work stand out.

file-level copying
implicit dependency
software supply chain
vendored dependencies
open-source ecosystem
🔎 Similar Papers
No similar papers found.