Thou Shalt Not Depend on Me

Most websites use JavaScript libraries, and many of them are known to be vulnerable. Understanding the scope of the problem, and the many unexpected ways that libraries are included, are only the first steps toward improving the situation. The goal here is that the information included in this article will help inform better tooling, development practices, and educational efforts for the community.

Communications of the ACM, June 2018, Vol. 61 No. 6, Pages 41-47
Practice: “Thou Shalt Not Depend on Me
By Tobias Lauinger, Abdelberi Chaabane, Christo B. Wilson

Many websites use third-party components such as JavaScript libraries, which bundle useful functionality so that developers can avoid reinventing the wheel. jQuery ( is arguably the most popular open source JavaScript library at the moment; it is found on 84% of the most popular websites as determined by Amazon's Alexa ( But what happens when libraries have security issues? Chances are that websites using such libraries inherit these issues and become vulnerable to attacks.

Given the risk of using a library with known vulnerabilities, it is important to know how often this happens in practice and, more importantly, who is to blame for the inclusion of vulnerable libraries—the developer of the website, or maybe a third-party advertisement, or tracker code loaded on the website?

We set out to answer these questions and found that with 37% of websites using at least one known vulnerable library, and libraries often being included in quite unexpected ways, there clearly is room for improvement in library handling on the Web. To that end, this article makes a few recommendations about what can be done to improve the situation.

Read the article »

Figure 1. Popular libraries with known vulnerabilities.

Figure 1. Popular libraries with known vulnerabilities.