Replication Package for "Pinning is Futile: You Need More Than Local Dependency Versioning to Defend Against Supply Chain Attacks"

Published April 1, 2025 | Version 1.0.1

Computational notebook Open

This replication package contains the complete dataset and analysis scripts to replicate all quantitative results from our FSE 2025 paper

Hao He, Bogdan Vasilescu, and Christian Kästner. 2025. Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend Against Supply Chain Attacks. Proc. ACM Softw. Eng. 2, FSE, Article FSE013 (July 2025), 24 pages. https://doi.org/10.1145/3715728

The package consists of:

Jupyter notebooks and R markdown files to replicate Figures and Tables
Curated datasets of npm packages and GitHub projects used to run panel regressions
Additional scripts used in the study, for reference purposes
Environment configuration files for reproducibility

Files

Name	Size	Download all
pinning-is-futile.zip md5:7c8cc659508a7f87a432fa6e86d33a47	548.6 MB	Preview Download

201

Views

Downloads

Show more details

DOI

Resource type

Computational notebook

Publisher

Zenodo

License: Apache License 2.0

A permissive license whose main conditions require preservation of copyright and license notices. Contributors provide an express grant of patent rights. Licensed works, modifications, and larger works may be distributed under different terms and without source code. Read more