An empirical comparison of dependency network evolution in seven software packaging ecosystems

Published: 01 February 2019

Abstract

Nearly every popular programming language comes with one or more package managers. The software packages distributed by such package managers form large software ecosystems. These packaging ecosystems contain a large number of package releases that are updated regularly and that have many dependencies on other package releases. While packaging ecosystems are extremely useful for their respective communities of developers, they face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward-incompatible package updates, and the risk of (transitively) depending on packages that have become obsolete or inactive. This manuscript uses the libraries.io dataset to carry out a quantitative empirical analysis of the similarities and differences between the evolution of package dependency networks for seven packaging ecosystems of varying sizes and ages: Cargo for Rust, CPAN for Perl, CRAN for R, npm for JavaScript, NuGet for the .NET platform, Packagist for PHP, and RubyGems for Ruby. We propose novel metrics to capture the growth, changeability, reusability and fragility of these dependency networks, and use these metrics to analyze and compare their evolution. We observe that the dependency networks tend to grow over time, both in size and in number of package updates, while a minority of packages are responsible for most of the package updates. The majority of packages depend on other packages, but only a small proportion of packages accounts for most of the reverse dependencies. We observe a high proportion of "fragile" packages due to a high and increasing number of transitive dependencies. These findings are instrumental for assessing the quality of a package dependency network, and improving it through dependency management tools and imposed policies.
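The abstract describes the dependency network as a graph in which fragility comes from transitive dependencies and reusability from reverse dependencies. The following Python block is an added example, not code from the paper or from libraries.io: it builds a small constructed dependency graph and computes simple proxies for those two notions (transitive dependency count per package, reverse-dependency count and concentration across the ecosystem). The metric definitions and the threshold used to flag a package as "fragile" are this example's own assumptions, not the paper's formulas, and the graph deliberately contains a self-dependency so the traversal shows how cycles are handled.

```python
"""Dependency-network metrics on a constructed package graph.

Added example: neither the paper's code nor the libraries.io tooling.
Metric definitions (transitive dependency count as a fragility proxy,
reverse-dependency count and share as reusability proxies) are assumptions
made for illustration.
"""
from collections import defaultdict, deque

# Constructed sample ecosystem: package -> set of direct dependencies.
# "cli" depends on itself to show that cycles do not hang the traversal.
SAMPLE_DEPS = {
    "app": {"web", "log"},
    "web": {"http", "json"},
    "http": {"sockets", "tls"},
    "tls": {"crypto"},
    "crypto": set(),
    "sockets": set(),
    "json": set(),
    "log": {"fmt"},
    "fmt": set(),
    "left-pad": set(),
    "cli": {"fmt", "left-pad", "cli"},
}


def transitive_deps(graph, pkg):
    """Every package reachable from pkg along dependency edges, excluding pkg.

    Breadth-first search with a visited set, so cyclic dependency graphs
    (including self-loops) terminate instead of recursing forever.
    """
    seen = set()
    queue = deque(graph.get(pkg, ()))
    while queue:
        dep = queue.popleft()
        if dep == pkg or dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, ()))
    return seen


def reverse_deps(graph):
    """Direct reverse dependencies: package -> set of packages that depend on it."""
    rev = defaultdict(set)
    for pkg, deps in graph.items():
        for dep in deps:
            if dep != pkg:  # ignore self-dependencies
                rev[dep].add(pkg)
    # Ensure every package appears, even those nobody depends on.
    return {p: rev.get(p, set()) for p in graph}


def transitive_reverse_deps(graph, pkg):
    """All packages that transitively depend on pkg: the set affected if pkg
    becomes obsolete, inactive or ships a breaking update."""
    return transitive_deps(reverse_deps(graph), pkg)


def fragile_packages(graph, threshold):
    """Assumed fragility proxy: packages whose transitive dependency count
    exceeds threshold."""
    return {p for p in graph if len(transitive_deps(graph, p)) > threshold}


def reverse_dep_share(graph, k):
    """Fraction of all direct reverse-dependency edges held by the k most
    depended-upon packages (ties broken by name for determinism)."""
    rev = reverse_deps(graph)
    total = sum(len(s) for s in rev.values())
    if total == 0:
        return 0.0
    ranked = sorted(rev, key=lambda p: (-len(rev[p]), p))
    return sum(len(rev[p]) for p in ranked[:k]) / total


if __name__ == "__main__":
    for pkg in sorted(SAMPLE_DEPS):
        print(f"{pkg:9s} transitive deps: {len(transitive_deps(SAMPLE_DEPS, pkg)):2d}"
              f"  transitive reverse deps: {len(transitive_reverse_deps(SAMPLE_DEPS, pkg)):2d}")
    print("fragile (>3 transitive deps):", sorted(fragile_packages(SAMPLE_DEPS, 3)))
    print("share of reverse deps held by top 3:", reverse_dep_share(SAMPLE_DEPS, 3))
```

Running the block on the constructed graph shows the pattern the abstract reports in miniature: a leaf such as `crypto` has no dependencies of its own yet four packages transitively depend on it, while `app` reaches eight packages it never declared directly. The same two functions, fed a real lockfile or registry export, are the starting point for deciding which transitive dependencies deserve monitoring and which packages would be most disruptive if they went unmaintained.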


Published In

Empirical Software Engineering, Volume 24, Issue 1, February 2019, 535 pages

Publisher

Kluwer Academic Publishers, United States

Author Tags

  1. Dependency network
  2. Package manager
  3. Software ecosystem
  4. Software evolution
  5. Software repository mining


Cited By

  • Modeling interconnected social and technical risks in open source software ecosystems. Collective Intelligence 3:1, 2024. doi:10.1177/26339137241231912. Online publication date: 1 Jan 2024.
  • Software Supply Chain Risk: Characterization, Measurement & Attenuation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp 2506-2509, 2024. doi:10.1145/3691620.3695608. Online publication date: 27 Oct 2024.
  • Balancing the Quality and Cost of Updating Dependencies. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp 1834-1845, 2024. doi:10.1145/3691620.3695595. Online publication date: 27 Oct 2024.
  • What do we know about Hugging Face? A systematic literature review and quantitative validation of qualitative claims. Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, pp 13-24, 2024. doi:10.1145/3674805.3686665. Online publication date: 24 Oct 2024.
  • Decoding Web3: In-depth Analysis of the Third-Party Package Supply Chain. Proceedings of the 15th Asia-Pacific Symposium on Internetware, pp 457-466, 2024. doi:10.1145/3671016.3671402. Online publication date: 24 Jul 2024.
  • "Slipping through the cracks": A Duoethnography of Web Accessibility. Proceedings of the 26th International ACM SIGACCESS Conference on Computers and Accessibility, pp 1-6, 2024. doi:10.1145/3663548.3688543. Online publication date: 27 Oct 2024.
  • Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pp 345-350, 2024. doi:10.1145/3661167.3661231. Online publication date: 18 Jun 2024.
  • Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem. Proceedings of the ACM on Software Engineering 1:FSE, pp 2632-2655, 2024. doi:10.1145/3660823. Online publication date: 12 Jul 2024.
  • The role of library versions in Developer-ChatGPT conversations. Proceedings of the 21st International Conference on Mining Software Repositories, pp 172-176, 2024. doi:10.1145/3643991.3645075. Online publication date: 15 Apr 2024.
  • Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows. Proceedings of the 21st International Conference on Mining Software Repositories, pp 692-703, 2024. doi:10.1145/3643991.3644899. Online publication date: 15 Apr 2024.
