Presentation slides of ICSME 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from University of Mons, Belgium. Research carried out as part of the SECOHealth and SECO-ASSIST research projects. Abstract: Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.

On the evolution of technical lag in the npm package dependency network

  1. ICSME 2018. On the evolution of technical lag in the npm package dependency network. Alexandre Decan, Eleni Constantinou, Tom Mens (@AlexandreDecan, @tom_mens, @eleni_const)
  2. Package dependency networks & technical lag
  3. Package dependency networks
  4. Semantic versioning: major.minor.patch, e.g. 3.9.2. Breaking changes bump the major (4.0.0); backwards compatible changes bump the minor (3.10.0); bug fixes bump the patch (3.9.3).
  5. Dependency constraints: from more permissive to more restrictive, expressed over the major.minor.patch components (3.9.2).
  6. Technical lag: how outdated a software system is with respect to its upstream dependencies [1]. [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182-192, 2017.
  7. Technical lag at time t (figure: release r depending on p1, p2, p3, with lags Δt(d1,t), Δt(d2,t), Δt(d3,t)). For a dependency d: . For a release r: .
  8. Technical lag example: packages p1 and p2, both at 1.0.0; analysis date T10. Constraint ~1.0.0: missed releases {1.1.0, 2.0.0}, technical lag T10 - T5. Constraint ^1.0.0: missed releases {2.0.0}, technical lag T10 - T9.
  9. Should I keep my dependencies up-to-date? Cost: effort to integrate backwards incompatible changes; monitoring dependency evolution. Risk: backwards incompatible changes. Benefit: bug fixes; security vulnerability fixes; new features.
  10. Dataset
  11. November 2017 snapshot of Libraries.io [2]. [2] http://doi.org/10.5281/zenodo.1068916
  12. Findings
  13. How prominent is technical lag (TL)? 25% of dependencies / 40% of releases suffer from TL. Dependency management tools reduce TL presence.
  14. How long is the technical lag? Since 2015, the average TL is 7 to 9 months; only 25% have a TL below 52 days. TL information belongs in dependency management tools.
  15. How frequently are packages updated? It takes an average of 12 to 22 days to update a release. Frequent updates can contribute to the TL of dependents.
  16. Why does technical lag occur? A package release does not use the highest available release of its dependency: during the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint. 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
  17. How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints is needed.
  18. Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7%. Package maintainers should adhere to semantic versioning.
  19. Summary & conclusion
  20. Summary: npm package releases/dependencies suffer from technical lag (7 - 9 months of technical lag). Proper use of semantic versioning decreases the effect of technical lag (~18%) and allows dependents to benefit from vulnerability fixes.
  21. Conclusion: dependency management tools help package maintainers to reduce the presence of technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages / backport important fixes. Transitive dependencies vs. direct dependencies; technical lag definition.
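The constraint example on slide 8 and the cost/benefit question on slide 9 can be made concrete with a small model. The following JavaScript is an added example, not code from the slides or from the authors, and it rests on stated assumptions: version strings are restricted to x.y.z, constraints to the caret, tilde and exact forms, the release history of the dependency p2 is constructed, the lag of a dependency is read as the days between the highest release satisfying the constraint and the latest release published up to the analysis date, and the lag of a release is taken as the largest lag over its dependencies. With those assumptions it reproduces the slide's pattern: ~1.0.0 misses {1.1.0, 2.0.0} and ^1.0.0 misses only {2.0.0}, so the more restrictive constraint carries the larger lag (and, for a maintainer, the longer wait for upstream bug and vulnerability fixes).

```javascript
// Added example, not code from the slides or the authors: a minimal model of
// technical lag for one npm-style dependency, on constructed release data.
// Version strings are restricted to x.y.z and constraints to "^x.y.z",
// "~x.y.z" or an exact "x.y.z" (assumption; real npm ranges are richer).

const DAY_MS = 24 * 60 * 60 * 1000;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison (no prerelease tags in this model).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret keeps the leftmost non-zero component fixed; tilde keeps major.minor.
function satisfies(version, constraint) {
  const op = constraint[0];
  const base = op === '^' || op === '~' ? constraint.slice(1) : constraint;
  const [bM, bm, bp] = parseVersion(base);
  const [vM, vm, vp] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false; // below the floor
  if (op === '^') {
    if (bM > 0) return vM === bM;
    if (bm > 0) return vM === 0 && vm === bm;
    return vM === 0 && vm === 0 && vp === bp;
  }
  if (op === '~') return vM === bM && vm === bm;
  return compareVersions(version, base) === 0; // exact pin
}

// Constructed release history of a dependency p2 (version -> release date).
const P2_RELEASES = [
  { version: '1.0.0', date: new Date('2017-01-01') },
  { version: '1.0.1', date: new Date('2017-02-01') },
  { version: '1.1.0', date: new Date('2017-04-01') },
  { version: '2.0.0', date: new Date('2017-07-01') },
];

// Lag of one dependency at analysis time t. Assumed reading of the slides'
// definition: days between the highest release satisfying the constraint and
// the latest release published up to t. Also reports the releases the
// constraint excluded ("missed"), as on the example slide.
function dependencyLag(releases, constraint, t) {
  const available = releases
    .filter(r => r.date <= t)
    .sort((a, b) => compareVersions(a.version, b.version));
  if (available.length === 0) throw new Error('no release published before t');
  const latest = available[available.length - 1];
  const satisfying = available.filter(r => satisfies(r.version, constraint));
  if (satisfying.length === 0) throw new Error(`no release satisfies ${constraint}`);
  const used = satisfying[satisfying.length - 1];
  const missed = available
    .filter(r => compareVersions(r.version, used.version) > 0)
    .map(r => r.version);
  const lagDays = Math.round((latest.date - used.date) / DAY_MS);
  return { used: used.version, latest: latest.version, missed, lagDays };
}

// Lag of a release: the largest lag over its dependencies (assumption).
function releaseLag(dependencies, t) {
  const lags = dependencies.map(d => dependencyLag(d.releases, d.constraint, t).lagDays);
  return lags.length ? Math.max(...lags) : 0;
}

// Usage: compare the constraints from the example slide on the same history.
const ANALYSIS_DATE = new Date('2017-10-01');
for (const c of ['~1.0.0', '^1.0.0', '1.0.0']) {
  console.log(c, dependencyLag(P2_RELEASES, c, ANALYSIS_DATE));
}
```

Running it shows how the constraint alone decides the lag: with the same four p2 releases, the tilde constraint stays on 1.0.1 and lags 150 days behind 2.0.0, the caret constraint reaches 1.1.0 and lags 91 days, and an exact pin on 1.0.0 lags 181 days. Note that the caret range only protects the dependent if the upstream maintainer really reserves major bumps for breaking changes, which is the semantic-versioning discipline slide 18 calls for.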

