{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2019:32BLMVDOEAH5DEG5AT3TRBP525","short_pith_number":"pith:32BLMVDO","schema_version":"1.0","canonical_sha256":"de82b6546e200fd190dd04f73885fdd76ed95e29889ddff2f942404f64ce7126","source":{"kind":"arxiv","id":"1902.09217","version":2},"attestation_state":"computed","paper":{"title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Cam Tenny, Cristian-Alexandru Staicu, Markus Zimmermann, Michael Pradel","submitted_at":"2019-02-25T12:07:25Z","abstract_excerpt":"The popularity of JavaScript has lead to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages. Unfortunately, this open nature also causes security risks, as evidenced by recent incidents of single packages that broke or attacked software running on millions of computers. This paper studies security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported sec"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"1902.09217","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-02-25T12:07:25Z","cross_cats_sorted":[],"title_canon_sha256":"51dd3ec595bb4141ed03dcbf93c64afd2e54f7d5903cc83d218fca5f22c4911f","abstract_canon_sha256":"24d0e7dbe4818c7aa56918dd45e08a491c7ab95077a41dcb2b4cc700deb981aa"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:43:56.262918Z","signature_b64":"zecrP5Zr5HoqISsXyfpb0DenqK3rehmNFCehXsegHHjXN3oqlp84M1TGvOuoXzl5SCBFpSy1bhRbdekyZYfDBg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"de82b6546e200fd190dd04f73885fdd76ed95e29889ddff2f942404f64ce7126","last_reissued_at":"2026-05-17T23:43:56.262359Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:43:56.262359Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Cam Tenny, Cristian-Alexandru Staicu, Markus Zimmermann, Michael Pradel","submitted_at":"2019-02-25T12:07:25Z","abstract_excerpt":"The popularity of JavaScript has lead to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages. Unfortunately, this open nature also causes security risks, as evidenced by recent incidents of single packages that broke or attacked software running on millions of computers. This paper studies security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported sec"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1902.09217","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"1902.09217","created_at":"2026-05-17T23:43:56.262463+00:00"},{"alias_kind":"arxiv_version","alias_value":"1902.09217v2","created_at":"2026-05-17T23:43:56.262463+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1902.09217","created_at":"2026-05-17T23:43:56.262463+00:00"},{"alias_kind":"pith_short_12","alias_value":"32BLMVDOEAH5","created_at":"2026-05-18T12:33:07.085635+00:00"},{"alias_kind":"pith_short_16","alias_value":"32BLMVDOEAH5DEG5","created_at":"2026-05-18T12:33:07.085635+00:00"},{"alias_kind":"pith_short_8","alias_value":"32BLMVDO","created_at":"2026-05-18T12:33:07.085635+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525","json":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525.json","graph_json":"https://pith.science/api/pith-number/32BLMVDOEAH5DEG5AT3TRBP525/graph.json","events_json":"https://pith.science/api/pith-number/32BLMVDOEAH5DEG5AT3TRBP525/events.json","paper":"https://pith.science/paper/32BLMVDO"},"agent_actions":{"view_html":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525","download_json":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525.json","view_paper":"https://pith.science/paper/32BLMVDO","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=1902.09217&json=true","fetch_graph":"https://pith.science/api/pith-number/32BLMVDOEAH5DEG5AT3TRBP525/graph.json","fetch_events":"https://pith.science/api/pith-number/32BLMVDOEAH5DEG5AT3TRBP525/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525/action/timestamp_anchor","attest_storage":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525/action/storage_attestation","attest_author":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525/action/author_attestation","sign_citation":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525/action/citation_signature","submit_replication":"https://pith.science/pith/32BLMVDOEAH5DEG5AT3TRBP525/action/replication_record"}},"created_at":"2026-05-17T23:43:56.262463+00:00","updated_at":"2026-05-17T23:43:56.262463+00:00"}