NeoChainDaily
26.01.2026 • 05:35 Cybersecurity & Exploits

Study Finds 5%–20% of Top Websites Update JavaScript Dependencies Within Four Months

Global: Analysis of JavaScript Dependency Updates Across Top 100,000 Domains

A recent study released on arXiv details a comprehensive examination of how frequently major websites refresh the JavaScript packages they employ. Researchers introduced a novel detection technique, applied it to the Tranco top‑100,000 domain list, and reported on the speed and breadth of dependency updates observed over a 16‑week period.

Aletheia: A Package‑Agnostic Detection Method

The authors present Aletheia, an approach that parses JavaScript bundles to pinpoint exact package versions. Drawing on algorithms originally designed for plagiarism detection, the method operates without prior knowledge of specific packages, enabling large‑scale analysis of web applications.
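To make the idea concrete, here is an added example (not code from the paper or from this article) that uses winnowing, a standard plagiarism-detection fingerprinting scheme, to rank candidate package versions by how much of each one appears in a bundle. The choice of winnowing, all function names and the sample sources are assumptions, since the abstract does not say which algorithms Aletheia uses; this sketch normalises whitespace only and does not handle renamed identifiers.

```javascript
// Added illustration, not Aletheia's code: winnowing fingerprints
// (a classic plagiarism-detection scheme) used to rank candidate versions.
const normalise = (src) => src.replace(/\s+/g, "");

// 32-bit FNV-1a hash of a string.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Hash every k-gram, then keep the minimum hash of each window of w hashes.
function fingerprints(src, k = 12, w = 4) {
  const text = normalise(src);
  const hashes = [];
  for (let i = 0; i + k <= text.length; i++) hashes.push(fnv1a(text.slice(i, i + k)));
  const picked = new Set();
  for (let i = 0; i + w <= hashes.length; i++) picked.add(Math.min(...hashes.slice(i, i + w)));
  return picked;
}

// Share of a reference version's fingerprints that also occur in the bundle.
function containment(refFp, bundleFp) {
  if (refFp.size === 0) return 0;
  let hits = 0;
  for (const h of refFp) if (bundleFp.has(h)) hits++;
  return hits / refFp.size;
}

function identifyVersion(bundle, candidates) {
  const bundleFp = fingerprints(bundle);
  return Object.entries(candidates)
    .map(([version, src]) => ({ version, score: containment(fingerprints(src), bundleFp) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample: two versions of a hypothetical package and a minified bundle.
const candidates = {
  "1.0.0": "function clamp(v, lo, hi) { return Math.min(Math.max(v, lo), hi); }",
  "1.1.0": "function clamp(v, lo, hi) { if (lo > hi) throw new RangeError('bad range'); return Math.min(Math.max(v, lo), hi); }",
};
const bundle = "var app=1;\nfunction clamp(v,lo,hi){if(lo>hi)throw new RangeError('bad range');return Math.min(Math.max(v,lo),hi);}\nconsole.log(app);";
console.log(identifyVersion(bundle, candidates));
```

Because the minified bundle contains version 1.1.0 verbatim after whitespace removal, every one of its fingerprints is found, while 1.0.0 loses the fingerprints that span the changed code.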

Performance Gains Over Existing Techniques

Benchmarking against previously published tools shows that Aletheia consistently identifies package versions with higher accuracy, especially in complex bundles where earlier methods struggled. The improvement is attributed to its ability to match code fragments across disparate sources.

Update Frequency Among Top Domains

Analysis of the sampled domains reveals that between 5% and 20% of sites refresh their JavaScript dependencies within a 16‑week window. This range reflects variability across different categories of sites and indicates that a notable minority maintain relatively current libraries.

Bundled vs. CDN‑Delivered Packages

When comparing bundled packages to those loaded via content‑delivery networks, the study finds that bundled versions are updated significantly faster. In many cases, bundled packages contain up to ten times fewer known vulnerable versions than their CDN‑served counterparts.

Vendor Influence on Update Practices

The data suggest that a small number of widely used vendors drive much of the observed timely updating behavior. Their rapid release cycles appear to encourage downstream sites to adopt newer, safer versions more quickly.

Limitations and Future Directions

While the quantitative findings highlight general trends, the authors caution that they do not capture the full complexity of security posture. Future work may integrate runtime monitoring and deeper vulnerability assessments to provide a more holistic view.

This report is based on the abstract of a research paper from arXiv, licensed under Academic Preprint / Open Access. The full text is available via arXiv.
