
Software Supply Chain Smells: Lightweight Analysis for Secure Dependency Management

Source: arXiv Security · Archived Mar 26, 2026

arXiv:2603.24282v1 · Announce Type: cross

Computer Science > Software Engineering
[Submitted on 25 Mar 2026]

Software Supply Chain Smells: Lightweight Analysis for Secure Dependency Management

Larissa Schmid, Diogo Gaspar, Raphina Liu, Sofia Bobadilla, Benoit Baudry, Martin Monperrus

Abstract: Modern software systems heavily rely on third-party dependencies, making software supply chain security a critical concern. We introduce the concept of software supply chain smells as structural indicators that signal potential security risks. We design and evaluate Dirty-Waters, a novel tool for detecting such smells in the supply chains of software packages. Through interviews with practitioners, we show that our proposed smells align with real-world concerns and capture signals considered valuable. A quantitative study of popular packages in the Maven and NPM ecosystems reveals that while smells are prevalent in both, they differ significantly across ecosystems, with traceability and signing issues dominating in Maven and most smells being rare in NPM, due to strong registry-level guarantees. Software supply chain smells support developers and organizations in making informed decisions and improving their software supply chain security posture.

Subjects: Software Engineering (cs.SE); Cryptography and Security (cs.CR)
Cite as: arXiv:2603.24282 [cs.SE] (or arXiv:2603.24282v1 [cs.SE] for this version)
DOI: https://doi.org/10.48550/arXiv.2603.24282

Submission history
From: Larissa Schmid
[v1] Wed, 25 Mar 2026 13:15:50 UTC (1,117 KB)
Article Info
Source: arXiv Security
Category: AI & Machine Learning
Published: Mar 26, 2026
Archived: Mar 26, 2026