An Empirical Analysis of
Technical Lag in npm Package
Dependencies
Ahmed Zerouali, Eleni Constantinou, Tom Mens,
Gregorio Robles and Jesus M. Gonzalez-Barahona
The 17th International Conference on Software Reuse
May 21-23, 2018 - Madrid
Outline
/background
/aims
/method
/results
/limitations
/conclusion
/background
Libraries.io, by March 2018 (one row per ecosystem; RubyGems is among them):
Packages | Releases | Dependencies (runtime)
+700K | +4.5M | +20M
+145K | +825K | +2M
+130K | +840K | +2.3M
/background
By January 2018 (https://octoverse.github.com/):
Open PRs | Active Bugs
+2.3M | -
+2M | -
- | +120K
/background
Technical lag*: the increasing difference between deployed software packages and the available upstream packages.
Measurement: version updates, bugs, vulnerabilities, lines of code, commits, etc.
Gold standard: stability, security, functionality, etc.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, Cham, 2017.
/background
Example: different kinds of “gold standards” for Debian
Gold standard | Scenario | Candidate
Stability | Isolated system, stable functionality | Debian Stable
Functionality | Cloud application | Latest upstream
Security | Reused containers | Stable upstream
/background
/aims
Decan A, Mens T, Grosjean P. An empirical comparison of dependency network evolution in seven software packaging ecosystems. EMSE2017.
/aims
Not update
Update
“How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript” -
https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
/aims
Goal: Analyze technical lag in a wide ecosystem of reused packages.
/aims
/research questions
RQ0: How do packages manage their dependencies?
RQ1: How often do packages release new versions?
RQ2: What is the technical lag induced by outdated dependencies?
RQ3: How often do dependencies inducing technical lag release new versions?
RQ4: What is the appropriate moment to update dependencies?
/method
/dataset
/method
/dataset
Open Data:
- Libraries.io gathers data from 36 package managers and 3 source code repositories.
- They track over 2.7m unique open source packages, 33m repositories and 235m interdependencies between them.
/method
/dataset
- 610K packages
- 4.2M releases
- 44.9M dependencies
by Nov 2017
from
/method
/semantic versioning
Examples: 0.0.1, 1.0.0, 1.2.3, 1.2.3-beta
/method
/semantic versioning
Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x
/method
/technical lag
- Measurement = version updates, time
- version lag : version updates difference
- time lag: time difference
- Gold standard = being up to date.
/method
/technical lag
Figure: release timeline of dependency D (1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0); an npm package uses one of these versions, and the technical lag is the gap between that version and the latest one.
/method
/technical lag
- time lag = date(latest) - date(used)
- version lag = (∆Major, ∆Minor, ∆Patch)
/method
/technical lag
Figure (built up over four slides): release timeline of dependency D (1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1); the npm package uses version 1.1.0.
Missed releases: 1 minor, 1 major, 1 patch.
- time lag = date(2.1.0) - date(1.1.0)
- version lag = (1,1,1)
/method
/technical lag
Figure (built up over three slides): npm package P (releases 3.6.0, 4.0.0, 4.1.0, 5.0.0) depends on D (releases 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0); across its releases P declares D with the constraints ^1.0.0, ^1.0.0, ^2.0.0 and *.
^1.0.0 = [ 1.0.0, 2.0.0 [ allowed
Technical lag = 0 when the highest version allowed by the constraint is the latest available one.
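Worked example, added here and not part of the slides: the lag definitions above (time lag = date(latest) - date(used), version lag = (ΔMajor, ΔMinor, ΔPatch) counted over the releases missed between the used and the latest version) together with constraint resolution (^1.0.0 = [1.0.0, 2.0.0[), in JavaScript, over a constructed release history of D that mirrors the slides' timeline. The release dates, the function names and the restriction to ^, * and exact pins are assumptions of this example.

```javascript
// Added example (not from the slides): technical lag of an npm dependency.
// Only the constraint forms the deck discusses (^x.y.z, *, exact pin) are
// handled; real package.json ranges should go through the semver library.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Does `version` satisfy `constraint`? ^1.0.0 means [1.0.0, 2.0.0[ as on the
// slides; for 0.x.y npm narrows the caret to the next minor (or patch) instead.
function satisfies(constraint, version) {
  if (constraint === '*') return true;
  if (constraint.startsWith('^')) {
    const baseStr = constraint.slice(1);
    const base = parseVersion(baseStr), v = parseVersion(version);
    const notBelow = compareVersions(version, baseStr) >= 0;
    if (base.major > 0) return v.major === base.major && notBelow;
    if (base.minor > 0) return v.major === 0 && v.minor === base.minor && notBelow;
    return v.major === 0 && v.minor === 0 && v.patch === base.patch;
  }
  return compareVersions(constraint, version) === 0; // exact pin, e.g. "1.1.0"
}

// Highest release allowed by the constraint, i.e. what an install would pick.
function resolve(constraint, releases) {
  const allowed = releases.map(r => r.version).filter(v => satisfies(constraint, v));
  return allowed.length === 0 ? null : allowed.sort(compareVersions).pop();
}

// Version lag: every release after `used` (up to and including `latest`) counts
// as a missed major, minor or patch release, judged against its predecessor.
function versionLag(used, latest, releases) {
  const sorted = [...releases].sort((a, b) => compareVersions(a.version, b.version));
  const lag = { major: 0, minor: 0, patch: 0 };
  for (let i = 1; i < sorted.length; i++) {
    const v = sorted[i].version;
    if (compareVersions(v, used) <= 0 || compareVersions(v, latest) > 0) continue;
    const prev = parseVersion(sorted[i - 1].version), cur = parseVersion(v);
    if (cur.major !== prev.major) lag.major++;
    else if (cur.minor !== prev.minor) lag.minor++;
    else lag.patch++;
  }
  return lag;
}

// Time lag in whole days: date(latest) - date(used).
function timeLagDays(used, latest, releases) {
  const date = v => new Date(releases.find(r => r.version === v).date);
  return Math.round((date(latest) - date(used)) / 86400000);
}

// Constructed release history for dependency D, mirroring the deck's example
// timeline (1.0.1, 1.1.0, 1.2.0, 2.0.0, 2.0.1); the dates are made up.
const RELEASES_D = [
  { version: '1.0.1', date: '2017-01-10' },
  { version: '1.1.0', date: '2017-02-01' },
  { version: '1.2.0', date: '2017-03-15' },
  { version: '2.0.0', date: '2017-05-01' },
  { version: '2.0.1', date: '2017-05-20' },
];

// Technical lag of a package P that declares D with `constraint`.
function technicalLag(constraint, releases = RELEASES_D) {
  const latest = [...releases]
    .sort((a, b) => compareVersions(a.version, b.version)).pop().version;
  const used = resolve(constraint, releases);
  if (used === null) throw new Error(`no release of D satisfies ${constraint}`);
  return { used, latest, versionLag: versionLag(used, latest, releases),
           timeLagDays: timeLagDays(used, latest, releases) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Pinned 1.1.0 gives (1,1,1) as on the slides; ^1.0.0 resolves to 1.2.0 and
  // still lags one major and one patch; * resolves to the latest, lag 0.
  for (const c of ['1.1.0', '^1.0.0', '^2.0.0', '*']) {
    console.log(c, JSON.stringify(technicalLag(c)));
  }
}
```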
/results
/RQ0: How do packages manage their dependencies?
Chart: 68.2% | 15.7% | 7.8% | 4.1% | 4.3%
- Developers are concerned with backward compatibility.
- There is a potential of too strict dependency constraints leading to technical lag.
/results
/RQ0: How do packages manage their dependencies?
- New dependencies are mainly added in major and minor releases.
- Dependencies are removed almost exclusively in major releases.
- Most packages do not appear to change their dependencies over time.
/results
/RQ0: How do packages manage their dependencies?
Number of updated dependencies between package releases,
classified by release type of the update.
/results
/RQ1: How often do packages release new versions?
- Patch: 80% - Minor: 16% - Major: 4%
- Dependent packages in npm mainly benefit from patch releases.
- Technical version lag mainly occurs at the patch level.
/results
/RQ1: How often do packages release new versions?
Time needed to update a package to a patch, minor or major release
- The average time to release patch, minor and major versions is 13 days, 1 month and 2 months respectively.
/results
/RQ2: What is the technical lag induced by outdated dependencies?
- 27% of 44.1M dependencies are outdated.
- The outdated dependencies are used by 60% of all considered packages.
Chart: 57% | 28% | 12% | 3%
/results
/RQ2: What is the technical lag induced by outdated dependencies?
/results
/RQ2: What is the technical lag induced by outdated dependencies?
- Outdated dependencies induce a median time lag of three and a half months, and a median version lag of one minor and two patch versions.
/results
/RQ3: How often do dependencies inducing technical lag release new versions?
- Packages that are required as dependencies and are outdated have
more frequent releases than other required packages.
/results
/RQ4: What is the appropriate moment to update dependencies?
- Developers should not start using newly available packages
immediately because they may still contain bugs that need new
patches.
/limitations
- If the libraries.io dataset is incomplete, then there is a risk of underestimating technical lag.
- We did not differentiate between package characteristics, such as age, size, type, etc.
- The results depend on the measurement used to quantify technical lag.
- npm semver had some issues in the past.
/conclusion/
summary
Analyzed technical lag induced by outdated dependencies:
- A large number of packages suffer from technical lag.
- Outdated dependencies are several months behind the latest release.
- Technical lag is caused by the specific use of dependency constraints.
- Maintainers should wait a few days before updating to a new patch release of a dependency.
/conclusion/
future work
- Consider other measurements of technical lag and other gold standards.
- Validate the results with bug fixes, vulnerabilities and issues.
- Consider other ecosystems.
- Carry out cross-ecosystem comparisons.
Questions