SlideShare a Scribd company logo

On the evolution of technical lag in the npm package dependency network

Tom Mens
Tom Mens

Presentation at the International Conference on Software Maintenance and Evolution (ICSME2018), Madrid, Spain, 28 September 2018. Joint research by Alexandre Decan, Eleni Constantinou, Tom Mens at the Software Engineering Lab of the University of Mons. Research conducted in the context of the SECOHealth and SECO-ASSIST research projects (https://secohealth.github.io, https://secoassist.github.io) We empirically analyse the context of technical lag in the JavaScript npm package dependency network to assess to which extent npm software packages and their dependencies are outdated.

Software
1 of 22
Download to read offline
ICSME 2018 ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
PACKAGE DEPENDENCY NETWORKS & TECHNICAL LAG
Package dependency networks
Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
Dependency constraints More Permissive More Restrictive major minor patch 3 9 2
Technical Lag [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
T1 p1 p2 1.0.0 1.0.1 1.0.21.1.0 r1 r2 T2 T3 T4 T5 T6 T7 T9T8 2.0.0 T10 Technical lag example 1.0.0 1.0.0Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 – T5 T10 – T9 p2p1
Should I keep my dependencies up-to-date? COST § Effort to integrate backwards incompatible changes § Monitor dependency evolution RISK § Backwards incompatible changes BENEFIT § Bug fixes § Security vulnerability fixes § New features
DATASET
NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
FINDINGS
How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
SUMMARY & CONCLUSION
npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning Ø Decreases the effect of technical lag (~18%) Ø Allows to benefit from vulnerability fixes Summary
Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition
On the evolution of technical lag in the npm package dependency network

Recommended

On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
GE Oil &amp; Gas Threatscan
GE Oil &amp; Gas ThreatscanGE Oil &amp; Gas Threatscan
GE Oil &amp; Gas ThreatscanGhufran Ahmed
 
SecPod Saner
SecPod SanerSecPod Saner
SecPod SanerChandrashekhar B
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 

Recommended

On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
GE Oil &amp; Gas Threatscan
GE Oil &amp; Gas ThreatscanGE Oil &amp; Gas Threatscan
GE Oil &amp; Gas ThreatscanGhufran Ahmed
 
SecPod Saner
SecPod SanerSecPod Saner
SecPod SanerChandrashekhar B
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsCAST
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costsFrancisJansen
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...Ahmed Zerouali
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...IRJET Journal
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLieRick Kingsley
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnextmeijerandre
 
PACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPace IT at Edmonds Community College
 
Alft
AlftAlft
AlftVincenzo De Florio
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New YearSavvius, Inc
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtRungrojMaipradit1
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CASTCAST
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingCrypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingIRJET Journal
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGENETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGEijcsitcejournal
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
Rain technology seminar
Rain technology seminar Rain technology seminar
Rain technology seminar Mufeedh Muhammed
 
How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD studentTom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentTom Mens
 

More Related Content

Similar to On the evolution of technical lag in the npm package dependency network

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsCAST
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costsFrancisJansen
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...Ahmed Zerouali
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...IRJET Journal
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnextmeijerandre
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New YearSavvius, Inc
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtRungrojMaipradit1
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CASTCAST
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingCrypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingIRJET Journal
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGENETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGEijcsitcejournal
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 

Similar to On the evolution of technical lag in the npm package dependency network (20)

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable Apps
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costs
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnext
 
PACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and Upgrades
 
Alft
AlftAlft
Alft
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New Year
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debt
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingCrypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGENETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
 
Rain technology seminar
Rain technology seminar Rain technology seminar
Rain technology seminar
 

More from Tom Mens

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD studentTom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentTom Mens
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubTom Mens
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHubTom Mens
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureTom Mens
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Tom Mens
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubTom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networksTom Mens
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsTom Mens
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero SpaceTom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesTom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Tom Mens
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...Tom Mens
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsTom Mens
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarTom Mens
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersTom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmTom Mens
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?Tom Mens
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talkTom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkTom Mens
 

More from Tom Mens (20)

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
 

Recently uploaded

Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 

Recently uploaded (20)

Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 

On the evolution of technical lag in the npm package dependency network

  • 1. ICSME 2018 ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
  • 4. Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
  • 6. Technical Lag [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
  • 7. Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
  • 8. T1 p1 p2 1.0.0 1.0.1 1.0.21.1.0 r1 r2 T2 T3 T4 T5 T6 T7 T9T8 2.0.0 T10 Technical lag example 1.0.0 1.0.0Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 – T5 T10 – T9 p2p1
  • 9. Should I keep my dependencies up-to-date? COST § Effort to integrate backwards incompatible changes § Monitor dependency evolution RISK § Backwards incompatible changes BENEFIT § Bug fixes § Security vulnerability fixes § New features
  • 11. NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
  • 13. How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
  • 14. How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
  • 15. How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
  • 16. During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
  • 17. How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
  • 18. Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
  • 20. npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning Ø Decreases the effect of technical lag (~18%) Ø Allows to benefit from vulnerability fixes Summary
  • 21. Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition