3.
/background
[Figure: two options, "Not update" / "Update"]
“If I go there will be trouble,
And if I stay it will be double,
So come on and let me know:
Should I Stay Or Should I Go? ”
The Clash
4.
/background
Technical lag*: the increasing difference between the deployed software packages and the ideal packages available upstream.
Measurement: version updates, bugs, vulnerabilities, lines of code, commits, etc.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is."
IFIP International Conference on Open Source Systems. Springer, Cham, 2017.
Gold standard: stability, security, functionality, etc.
7.
/Aim & case studies
Goal: analyze the technical lag of software ecosystems.
- npm packages: the whole registry
- Docker containers based on Debian: 7,380
8.
/method
/technical lag
- Measurement: version updates and time
  - version lag: difference in version updates
  - time lag: difference in time
- Gold standard: being up to date
9-13.
/method
/technical lag
[Figure: release timeline of dependency D (an npm package): 1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1; the version in use is 1.1.0]
Technical lag of a dependency D, given the version in use and the latest available version:
- time lag = date(latest) - date(used)
- version lag = (∆Major, ∆Minor, ∆Patch): the number of releases of each kind published after the version in use
Worked example (D used at 1.1.0, latest release 2.0.1):
- releases missed: 1.2.0 (1 minor), 2.0.0 (1 major), 2.0.1 (1 patch)
- time lag (D) = date(2.0.1) - date(1.1.0)
- version lag (D) = (1, 1, 1)
14-18.
/method
/technical lag
[Figure: release timelines of npm package P and of its dependency D (version ticks extracted: 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0 and 3.6.0, 4.0.0, 4.1.0, 5.0.0), with the constraint each release of P declares on D: ^1.0.0, *, ^1.0.0, ^2.0.0]
- A dependency constraint defines the allowed range of D: ^1.0.0 = [1.0.0, 2.0.0), i.e. 1.0.0 <= version < 2.0.0
- Technical lag = 0 when the constraint allows the latest release of D
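The time-lag and version-lag definitions of slides 9-13 and the constraint range of slides 14-18, as an added JavaScript example that is not from the slides or the authors' tooling. The release history and dates of the hypothetical dependency D are constructed; the caret rule is npm's documented one (^X.Y.Z allows everything below the next breaking version), and `constraintLag` applies the slides' version-lag count to the highest release a constraint allows, which is an assumption about how the lag of a constraint is measured:

```javascript
// Added example (not from the slides): time lag and version lag of an npm
// dependency, plus caret-constraint resolution so the lag a dependency
// constraint induces can be measured. No external packages.

// Constructed release history of a hypothetical dependency D (dates assumed).
const releasesD = [
  { version: '1.0.1', date: '2017-01-10' },
  { version: '1.1.0', date: '2017-03-01' },
  { version: '1.2.0', date: '2017-06-15' },
  { version: '2.0.0', date: '2017-09-01' },
  { version: '2.0.1', date: '2017-10-20' },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Releases in ascending version order (the slides' timeline). Backported
// releases published out of version order are counted by version, not date.
function sortedReleases(releases) {
  return [...releases].sort((a, b) => compareVersions(a.version, b.version));
}

// Kind of release `next` is, relative to the release just before it.
function releaseKind(prev, next) {
  const p = parseVersion(prev), n = parseVersion(next);
  if (n.major !== p.major) return 'major';
  if (n.minor !== p.minor) return 'minor';
  return 'patch';
}

// version lag = (ΔMajor, ΔMinor, ΔPatch): number of releases of each kind
// published after the version in use.
function versionLag(releases, used) {
  const sorted = sortedReleases(releases);
  const idx = sorted.findIndex(r => r.version === used);
  if (idx < 0) throw new Error(`unknown release: ${used}`);
  const lag = { major: 0, minor: 0, patch: 0 };
  for (let i = idx + 1; i < sorted.length; i++) {
    lag[releaseKind(sorted[i - 1].version, sorted[i].version)] += 1;
  }
  return lag;
}

// time lag = date(latest) - date(used), in whole days (ISO dates parse as UTC).
function timeLagDays(releases, used) {
  const sorted = sortedReleases(releases);
  const usedRelease = sorted.find(r => r.version === used);
  if (!usedRelease) throw new Error(`unknown release: ${used}`);
  const latest = sorted[sorted.length - 1];
  return Math.round((Date.parse(latest.date) - Date.parse(usedRelease.date)) / 86400000);
}

// '*' allows every release. '^X.Y.Z' allows >= X.Y.Z and below the next
// breaking version: next major, or next minor for 0.Y.Z, or next patch for
// 0.0.Z (npm's caret rule).
function satisfies(version, constraint) {
  if (constraint === '*') return true;
  if (!constraint.startsWith('^')) throw new Error(`unsupported constraint: ${constraint}`);
  const lower = constraint.slice(1);
  const l = parseVersion(lower);
  const upper = l.major > 0 ? `${l.major + 1}.0.0`
              : l.minor > 0 ? `0.${l.minor + 1}.0`
              : `0.0.${l.patch + 1}`;
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Highest release the constraint allows (what a fresh install would pick).
function highestAllowed(releases, constraint) {
  const allowed = sortedReleases(releases).filter(r => satisfies(r.version, constraint));
  if (allowed.length === 0) throw new Error(`no release satisfies ${constraint}`);
  return allowed[allowed.length - 1].version;
}

// Assumed measure: lag of a constraint = version lag of its highest allowed release.
function constraintLag(releases, constraint) {
  return versionLag(releases, highestAllowed(releases, constraint));
}

console.log(versionLag(releasesD, '1.1.0'));      // { major: 1, minor: 1, patch: 1 }
console.log(timeLagDays(releasesD, '1.1.0'));     // 233
console.log(constraintLag(releasesD, '^1.0.0'));  // { major: 1, minor: 0, patch: 1 }
console.log(constraintLag(releasesD, '*'));       // { major: 0, minor: 0, patch: 0 }
```

With ^1.0.0 the newest release that can be installed is 1.2.0, so even a freshly installed package carries one major and one patch release of lag on D; with * or ^2.0.0 the latest release is allowed and the lag is 0, matching the "Technical lag = 0" case on slide 18. The 0.x caret rules matter in practice because many npm packages never leave the 0.x range, where a caret pins the minor version and therefore accumulates major-like lag quickly.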
19.
/results
/npm packages
For direct dependencies
[Figure: npm package P and its direct dependencies]
20.
/results
/npm packages
For direct dependencies
- Time lag is increasing over time.
- Dataset: more than 500K packages with about 4M package releases and 46M dependencies.
21.
/results
/npm packages
For direct dependencies
- Development dependencies have slightly more version lag than runtime dependencies.
22.
/results
/npm packages
For direct dependencies
- Caret (^) usage is increasing over time.
- The introduction of the caret coincides with an increase in major version lag.
23.
/results
/npm external applications
For direct dependencies
- Technical lag is higher in external applications.
- Dataset: more than 600K repositories (6.2M dependencies).
24.
/results
/npm external applications
For direct dependencies
- Strict (exact-version) constraints are used much more often in external applications.
25.
/results
/npm packages
For transitive dependencies
[Figure: npm package P and its transitive dependencies]
26.
/results
/npm packages
For transitive dependencies
[Figure: time lag and version lag of transitive dependencies]
28.
/method
/technical lag in Docker
[Figure: release timeline of an installed Debian package D: 1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0, with the package version included in the deployed container and the ideal version marked]
Technical lag of an installed package D in a container:
technical lag (D) = (∆Versions, ∆Vulnerabilities, ∆Bugs) between the included package version and the ideal version
29.
/results
/Docker
The majority of packages in Debian-based containers are up to date.
30.
/results
/Docker
- Outdated Debian packages in Docker containers have a median version lag of 1 version.