Research Contributions:
Identify weak-link signals in the npm dependency graph.
An empirical evaluation of open-source software to identify actionable security-practice metrics.
An ML model to identify which practices matter most, in order to understand the relationship between security practices and vulnerability counts.
A Software Supply Chain Risk Assessment Framework (SSCRAF) to assess and evaluate the risk of software products.