You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Inactive Maintainers: We defined an inactive maintainer if the
maintainer had no active packages in the past two years. An at-
tacker can target packages with inactive maintainer(s) because any
attack will remain undetected due to the inactivity of maintainers.
Further notes on how this was achieved through the research:
Analysis of npm packages: We extracted and stored the “time”
property of the package.json file to measure the number of pack-
ages that have been inactive for the past two years. We identified
inactive maintainers by evaluating the last modified time proper-
ties for all packages corresponding to an individual maintainer. A
package where none of the maintainers are active elsewhere in
the entire package registry is determined as inactive maintainers
of unmaintained packages. We also considered deprecated pack-
ages as unmaintained since they are unmaintained officially by the
maintainer. We separated the deprecated package where the last
modification time passed our threshold value because the depreca-
tion was declared later
Note: we could also link to this the inactive packages with a threshold of > 2 years since last version published
The text was updated successfully, but these errors were encountered:
Source: https://arxiv.org/pdf/2112.10165.pdf
Further notes on how this was achieved through the research:
Note: we could also link to this the
inactive packageswith a threshold of > 2 years since last version publishedThe text was updated successfully, but these errors were encountered: