🤖 AI Summary
This study investigates factors influencing vulnerability remediation time in the Maven ecosystem, focusing on CVE severity, library popularity (number of dependents), and release frequency. Leveraging the largest empirical dependency graph to date—comprising 658,000 libraries and 14 million versions—and integrating the Goblin dependency database, statistical modeling, and survival analysis, we conduct causal inference. Contrary to the common intuition that critical vulnerabilities are repaired substantially faster, we find that critical CVEs are only marginally quicker to remediate than non-critical ones. A tenfold increase in dependent count reduces median remediation time by 19%; libraries releasing ≥2 versions per month remediate vulnerabilities 41% faster. This work is the first to empirically demonstrate significant positive acceleration effects of both popularity and high release frequency on vulnerability response, providing data-driven foundations for vulnerability prioritization policies and ecosystem-wide governance.
📝 Abstract
This study investigates software vulnerability resolution time in the Maven ecosystem, focusing on the influence of CVE severity, library popularity as measured by the number of dependents, and version release frequency. The results suggest that critical vulnerabilities are addressed slightly faster than lower-severity ones. Library popularity shows a positive impact on resolution times, while frequent version updates are associated with faster vulnerability fixes. These statistically significant findings are based on a thorough evaluation of over 14 million versions from 658,078 libraries using the dependency graph database of the Goblin framework. These results emphasize the need for proactive maintenance strategies to improve vulnerability management in open-source ecosystems.