Do developers update their library dependencies?

Published: 01 February 2018

Abstract

Third-party library reuse has become common practice in contemporary software development, as it brings several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent to which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.
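A dependency freshness and advisory check of the kind the study measures, as an added example (not code from the paper or its authors): it flags each declared dependency that is behind the latest release, flags those still within an advisory's affected range, and computes the share of systems that keep at least one outdated dependency. Library names, versions and advisory ids are constructed, and the `fixed_in` field is an assumed simplification of an advisory's affected-version range.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """A security advisory for one library; fixed_in is the first unaffected version."""
    library: str
    fixed_in: str
    advisory_id: str  # constructed placeholder, not a real advisory identifier

def parse_version(v: str) -> tuple:
    """Dotted version -> comparable integer tuple, so '1.9.1' < '1.10.0'.
    Trailing zeros are dropped so '1.2' and '1.2.0' compare equal."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_behind(used: str, target: str) -> bool:
    """True when the version in use is older than the target version."""
    return parse_version(used) < parse_version(target)

def check_dependencies(declared: dict, latest: dict, advisories: list) -> dict:
    """Per dependency: is it behind the latest release, and which advisories
    still affect the version in use (used < fixed_in)?"""
    report = {}
    for lib, used in declared.items():
        outdated = lib in latest and is_behind(used, latest[lib])
        hits = [a.advisory_id for a in advisories
                if a.library == lib and is_behind(used, a.fixed_in)]
        report[lib] = {"outdated": outdated, "advisories": hits}
    return report

def keeps_outdated(report: dict) -> bool:
    """A system keeps outdated dependencies if at least one is behind."""
    return any(entry["outdated"] for entry in report.values())

def share_keeping_outdated(reports: list) -> float:
    """Fraction of studied systems keeping at least one outdated dependency."""
    return sum(keeps_outdated(r) for r in reports) / len(reports)

# Constructed sample data: one project's declared versions, latest releases, advisories.
DECLARED = {"commons-lib": "1.2.3", "json-lib": "2.0.0", "log-lib": "1.9.1"}
LATEST = {"commons-lib": "1.4.0", "json-lib": "2.0.0", "log-lib": "1.10.0"}
ADVISORIES = [Advisory("commons-lib", "1.3.0", "ADV-EXAMPLE-1"),
              Advisory("log-lib", "1.9.0", "ADV-EXAMPLE-2")]
```

Running `check_dependencies(DECLARED, LATEST, ADVISORIES)` on the sample flags commons-lib as both outdated and affected by an advisory, and log-lib as outdated but already past the advisory's fixed version.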


Published In

Empirical Software Engineering, Volume 23, Issue 1
February 2018
564 pages

Publisher

Kluwer Academic Publishers

United States

Author Tags

  1. Security vulnerabilities
  2. Software maintenance
  3. Software reuse
