
On the evolution of technical lag in the npm package dependency network


Presentation slides of the ICSME 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from the University of Mons, Belgium. The research was carried out as part of the SECOHealth and SECO-ASSIST research projects.

Abstract: Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.


On the evolution of technical lag in the npm package dependency network

  3. Package dependency networks
  4. Semantic versioning: major.minor.patch (e.g. 3.9.2). Breaking changes bump the major version (4.0.0), backwards compatible changes bump the minor version (3.10.0), bug fixes bump the patch version (3.9.3).
  5. Dependency constraints: range from more permissive to more restrictive over major.minor.patch (3.9.2).
  6. Technical lag: how outdated a software system is with respect to its upstream dependencies [1]. [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182-192, 2017.
  7. Technical lag at time t: defined for a dependency d as Δt(d,t), and for a release r with dependencies d1, d2, d3 on packages p1, p2, p3 from the per-dependency lags Δt(d1,t), Δt(d2,t), Δt(d3,t).
  8. Technical lag example: release 1.0.0 of p1 depends on release 1.0.0 of p2; the analysis date is T10. With constraint ~1.0.0, the missed releases are {1.1.0, 2.0.0} and the technical lag is T10 - T5. With constraint ^1.0.0, the missed release is {2.0.0} and the technical lag is T10 - T9.
  9. Should I keep my dependencies up-to-date? Cost: effort to integrate backwards incompatible changes; monitoring dependency evolution. Risk: backwards incompatible changes. Benefit: bug fixes; security vulnerability fixes; new features.
  10. Dataset
  11. November 2017 [2]
  12. Findings
  13. How prominent is technical lag (TL)? 25% of dependencies / 40% of releases suffer from TL. Dependency management tools reduce the presence of TL.
  14. How long is the technical lag? From 2015 onwards, the average TL is 7 to 9 months; only 25% have a TL below 52 days. TL information belongs in dependency management tools.
  15. How frequently are packages updated? It takes an average of 12 to 22 days to update a release. Frequent updates can contribute to the TL of dependents.
  16. Why does technical lag occur? A package release does not use the highest available release of its dependency: during the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint. 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
  17. How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints is needed.
  18. Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7%. Package maintainers should adhere to semantic versioning.
  20. Summary: npm package releases/dependencies suffer from technical lag; 7 to 9 months of technical lag. Proper use of semantic versioning decreases the effect of technical lag (~18%) and allows packages to benefit from vulnerability fixes.
  21. Conclusion: Dependency management tools help package maintainers to reduce the presence of technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages / backport important fixes. Transitive dependencies vs. direct dependencies. Technical lag definition.
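The per-dependency computation behind slides 7 and 8, as an added example that is not part of the slides or the authors' tooling. It assumes npm-style `~`/`^` ranges, takes the lag of a dependency as the analysis date minus the release date of the earliest missed release (the reading that reproduces slide 8), and aggregates a release's lag over its direct dependencies by taking the maximum; the release dates (`P2_RELEASES`, `ANALYSIS`) are constructed to match the slide.

```python
from datetime import date, timedelta

# Constructed release history mirroring slide 8: p2 ships 1.0.0 at T0,
# 1.1.0 at T0+5 days (T5) and 2.0.0 at T0+9 days (T9); analysis date is T10.
T0 = date(2017, 11, 1)
P2_RELEASES = {"1.0.0": T0, "1.1.0": T0 + timedelta(days=5), "2.0.0": T0 + timedelta(days=9)}
ANALYSIS = T0 + timedelta(days=10)

def parse(v):
    return tuple(int(x) for x in v.split("."))

def satisfies(version, constraint):
    """npm semantics for exact versions, ~ (same minor) and ^ (same major; 0.x special cases)."""
    v = parse(version)
    if constraint[0] not in "~^":
        return v == parse(constraint)
    major, minor, patch = lo = parse(constraint[1:])
    if constraint[0] == "~" or (major == 0 and minor > 0):
        hi = (major, minor + 1, 0)          # ~X.Y.Z and ^0.Y.Z: up to the next minor
    elif major == 0:
        hi = (0, 0, patch + 1)              # ^0.0.Z: only that exact patch
    else:
        hi = (major + 1, 0, 0)              # ^X.Y.Z with X >= 1: up to the next major
    return lo <= v < hi

def technical_lag(constraint, releases, analysis_date):
    """Return (highest allowed version, missed versions, lag) for one dependency.

    Only releases published by analysis_date count. Missed releases are those newer
    than the highest release the constraint allows. Assumed lag definition: analysis
    date minus the date of the earliest missed release (T10-T5 and T10-T9 on slide 8).
    """
    available = {v: d for v, d in releases.items() if d <= analysis_date}
    allowed = [v for v in available if satisfies(v, constraint)]
    if not allowed:
        raise ValueError("no available release satisfies " + constraint)
    best = max(allowed, key=parse)
    missed = sorted((v for v in available if parse(v) > parse(best)), key=parse)
    lag = analysis_date - min(available[v] for v in missed) if missed else timedelta(0)
    return best, missed, lag

def release_lag(dependencies, catalog, analysis_date):
    """Lag of a release over its direct dependencies {package: constraint}, given a
    catalog {package: {version: date}}. Aggregating by max is an assumption of this example."""
    return max(technical_lag(c, catalog[p], analysis_date)[2] for p, c in dependencies.items())

if __name__ == "__main__":
    for c in ("~1.0.0", "^1.0.0"):
        best, missed, lag = technical_lag(c, P2_RELEASES, ANALYSIS)
        print(c, "resolves to", best, "missed", missed, "lag", lag.days, "days")
```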