GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix
2020-12-03 18:47

Developers often need years to address some of the vulnerabilities introduced in their software, a new GitHub report reveals.

The report, which is based on an analysis of more than 45,000 active repositories, shows that it typically takes seven years to address vulnerabilities in Ruby packages, while those in npm packages are usually patched in five years.

"Security vulnerabilities often go undetected for more than four years before being disclosed. Once they are identified, the package maintainer and security community typically create and release a fix in just over four weeks," GitHub notes.

The software hosting platform also notes that most of the vulnerabilities identified in software are the result of coding mistakes rather than deliberate malicious insertions.

"Security vulnerabilities can impact software directly or through its dependencies (any code referenced and bundled to make a software package work). That is, code may be vulnerable either because it contains vulnerabilities, or because it relies on dependencies that contain vulnerabilities," the report reads.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/cm-uB3L_jlM/github-says-vulnerabilities-some-ecosystems-take-years-fix

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 12 2 45 29 19 95