From Noise to Signal: Precisely Identify Affected Packages of Known Vulnerabilities in npm Ecosystem
Yingyuan Pu
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Malware & RE
The npm ecosystem contains over **3 million packages** with deeply nested dependency chains, and research shows approximately one quarter of all package versions depend on packages with known vulnerabilities. Yet **80% of enterprise dependencies remain unpatched for over a year** despite fixes being available for over 95% of vulnerabilities. The root cause is alert overload: existing Software Composition Analysis (SCA) tools like **npm audit** and **Dependabot** perform package-level analysis that cannot determine whether vulnerable code is actually called by an application, leading to massive false positive rates.
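To make the package-level versus reachability distinction concrete, here is an added example (not code from the paper, npm audit or Dependabot) that runs both analyses over a constructed dependency set: one package declares a lodash-like dependency it never requires, another requires it but only calls an unaffected function. The module names, functions and advisory are all assumptions for illustration.

```javascript
// Added example, not code from the paper. Module names, functions and the
// advisory are constructed to mirror the page's scenario. Each module records
// what it declares, what it actually requires (binding -> package), and the
// calls made by each of its functions.
const MODULES = {
  app:     { declares: ['fmt', 'logger'], requires: { fmt: 'fmt' },
             fns: { main: ['fmt.pad'] } },
  fmt:     { declares: ['lodashx'], requires: { _: 'lodashx' },
             fns: { pad: ['_.padStart'], render: ['_.template'] } },
  logger:  { declares: ['lodashx'], requires: {},   // declared but never required
             fns: { log: [] } },
  lodashx: { declares: [], requires: {},
             fns: { padStart: [], template: [] } },
};
// Constructed advisory (not a real CVE): the vulnerable function is lodashx.template.
const ADVISORY = { pkg: 'lodashx', fn: 'template' };

// Package-level SCA (npm audit style): flag the root if the vulnerable package
// appears anywhere in its transitive *declared* dependency tree, used or not.
function packageLevelAffected(modules, root, advisory) {
  const seen = new Set(), stack = [root];
  while (stack.length) {
    const pkg = stack.pop();
    if (pkg === advisory.pkg) return true;
    if (seen.has(pkg) || !modules[pkg]) continue;
    seen.add(pkg);
    stack.push(...modules[pkg].declares);
  }
  return false;
}

// Function-level reachability: BFS over the call graph from an entry point,
// resolving `binding.fn` through require() bindings and bare names to functions
// in the same module. Returns the call path to the vulnerable function, or null.
function reachablePath(modules, entry, advisory) {
  const target = `${advisory.pkg}:${advisory.fn}`;
  const parent = new Map([[entry, null]]), queue = [entry];
  while (queue.length) {
    const node = queue.shift();
    if (node === target) {   // rebuild the path by walking parent links
      const path = []; for (let n = node; n !== null; n = parent.get(n)) path.unshift(n); return path;
    }
    const [mod, fn] = node.split(':');
    for (const call of (modules[mod] && modules[mod].fns[fn]) || []) {
      const [binding, callee] = call.includes('.') ? call.split('.') : [null, call];
      const calleeMod = binding ? modules[mod].requires[binding] : mod;
      if (!calleeMod || !modules[calleeMod]) continue;   // unresolved binding: skip
      const next = `${calleeMod}:${callee}`;
      if (!parent.has(next)) { parent.set(next, node); queue.push(next); }
    }
  }
  return null;
}
```

With this data, package-level analysis flags both `app` and `logger`, while the call-graph walk from `app:main` never reaches `lodashx.template` because `fmt.render` is defined but never called.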
AI review
A well-executed engineering contribution that proves what most experienced practitioners already suspected: the vast majority of npm vulnerability alerts are noise. The ecosystem-scale data is genuinely valuable -- 68% false positive rate, 0.71 average real propagation hops, 131K packages declaring lodash without using it -- but the core technique is incremental improvement on call graph construction rather than novel security research.