In this thesis, to test our hypotheses, we perform an empirical study to investigate the factors that impact the speed and spread of vulnerability fixes. We choose 10 vulnerabilities that have references to a GitHub pull request or issue page. We manually investigate how developers create the fix for the vulnerability and how they package it for the new release. We then analyze the targeted branch of vulnerability fixes from 188 fixed vulnerabilities. We finally analyze the factors that influence the spread of vulnerability fixes into the dependency network, using the 188 fixed vulnerabilities together with 88,222 releases of npm packages.
We find that (1) vulnerability fixes are repackaged with other updates (only 4.46\% of the commits in the release are related to the fix), (2) vulnerability fixes do not target the supported branch, because most of them target every branch, and (3) the factors we study influence the spread of the fix. Based on these results, we suggest that (1) developers should not repackage the fix with other updates, (2) developers should update their dependencies regardless of whether they have chosen the supported branch, and (3) developers should be aware of and quickly apply their dependencies' fixes.
As future work, we would like to study further why developers repackage the fix, and to identify more factors that influence the spread of fixes in the dependency network, in order to mitigate the risk of attacks in the ecosystem.