2020 IEEE International Conference on Software Maintenance and Evolution (ICSME) 2020
DOI: 10.1109/icsme46990.2020.00071

Investigating The Reproducibility of NPM Packages

Cited by 21 publications (18 citation statements); references 5 publications.
“…Several researchers have proposed checking for differences between packages hosted on registries and their purported source code as a way of detecting malware. Goswami et al [13] report that this is difficult for npm packages due to many irrelevant but nonmalicious differences, an experience that tallies with ours. Vu et al [28,30] study the same problem for PyPI, and similarly conclude that non-reproducibility by itself is a weak indicator of maliciousness and needs to be combined with other techniques to become effective, which is what we have done in this work.…”
Section: Related Work (supporting, confidence: 82%)
“…Consequently, being able to reproduce a package version from its source code is a good indicator that it is benign. As has been noted previously [13], even perfectly benign packages may fail to reproduce for a variety of reasons, but this is acceptable in our case since we are only using this criterion to filter out benign packages erroneously flagged as malicious, not to detect new ones.…”
Section: Introduction (mentioning, confidence: 95%)