Authors: Márquez Trujillo, Antonio Germán; Varela Vaca, Ángel Jesús; Gómez López, María Teresa
Dates: 2025-08-19; 2025-08-19; 2025-07
Citation: Márquez Trujillo, A.G., Varela Vaca, Á.J. and Gómez López, M.T. (2025). A dataset on vulnerabilities affecting dependencies in software package managers. Data in Brief, 62, 111903. https://doi.org/10.1016/j.dib.2025.111903
ISSN: 2352-3409
Handle: https://hdl.handle.net/11441/176222

Abstract: The increasing reliance on third-party dependencies in software development introduces significant security risk challenges. This study presents a dataset that maps the vulnerabilities that affect dependencies in three major package managers: Node Package Manager (NPM), Python Package Index (PyPI), Cargo Crates and RubyGems. The dataset comprises information on 4437,679 unique packages and 60,950,846 versions of packages, with vulnerability data sourced from Open Source Vulnerabilities (OSV). It includes 270,430 known vulnerabilities linked to package versions, allowing a detailed analysis of security risks in software supply chains. Our methodology involved extracting dependency and version data from official package manager sources, correlating them with vulnerability reports, and storing the results in structured formats, including CSV and database dumps. The resultant dataset enables automated monitoring of vulnerable dependencies, facilitating analysis and security assessments, and defining mitigation strategies. This work identifies that 0.42 % of PyPI, 7.5 % of RubyGems, 3.91 % of Cargo and 6.93 % of NPM versions rely on at least one vulnerable dependency. Furthermore, PyPI has 329 latest versions affected, RubyGem 919, Cargo 53, and NPM 14,858. This dataset provides valuable information for researchers, developers, and security professionals looking to improve software supply chain security. It provides a foundation for developing tools aimed at security and data analytics, enabling early vulnerability detection and improving mitigation controls for dependency-related security risks, thus promoting more secure software ecosystems. The dataset can be extended by incorporating additional packages, introducing new features, and ensuring continuous updates.

Format: application/pdf
Extent: 11 p.
Language: eng
Rights: Attribution 4.0 International, http://creativecommons.org/licenses/by/4.0/
Keywords: Security; Vulnerability; PyPI; Package; RubyGems; Cargo; NPM
Title: A dataset on vulnerabilities affecting dependencies in software package managers
Type: info:eu-repo/semantics/article
Access rights: info:eu-repo/semantics/openAccess
DOI: https://doi.org/10.1016/j.dib.2025.111903