DOI: 10.1109/MSR.2017.55
Research article

Structure and evolution of package dependency networks

Published: 20 May 2017

Abstract

Software developers often include available open-source software packages into their projects to minimize redundant effort. However, adding a package to a project can also introduce risks, which can propagate through multiple levels of dependencies. Currently, not much is known about the structure of open-source package ecosystems of popular programming languages and the extent to which transitive bug propagation is possible. This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems. The results indicate that the number of transitive dependencies for JavaScript has grown 60% over the last year, suggesting that developers should look more carefully into their dependencies to understand what exactly is included. The study also reveals that vulnerability to a removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability. The findings of this study can inform the development of dependency management tools.
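The two measures the abstract refers to, the size of a package's transitive dependency set and the "vulnerability" of the ecosystem to the removal of one package, are simple reachability questions on the dependency graph. The following is an added illustration, not code or data from the paper: it builds a small constructed dependency graph with hypothetical package names, computes each package's direct and transitive dependencies by walking the graph (with a visited set so cyclic dependencies do not loop), and computes removal impact as the number of packages that transitively depend on a given package, which is the number of packages that would stop resolving if it were unpublished.

```javascript
// Added example (not from the paper): transitive-dependency closure and
// removal impact on a small constructed package dependency graph.
// All package names are hypothetical; edges point from a package to its
// direct dependencies.
const DEPS = {
  'app-a': ['web-framework', 'logger'],
  'app-b': ['web-framework'],
  'web-framework': ['http-parser', 'string-util'],
  'http-parser': ['string-util'],
  'logger': ['string-util'],
  'string-util': [],
};

// Every package reachable from `pkg` by following dependency edges.
// The `seen` set makes the walk terminate on cyclic graphs.
function transitiveDeps(graph, pkg) {
  const seen = new Set();
  const stack = [...(graph[pkg] || [])];
  while (stack.length) {
    const d = stack.pop();
    if (d === pkg || seen.has(d)) continue;
    seen.add(d);
    for (const next of graph[d] || []) stack.push(next);
  }
  return seen;
}

// Reverse graph: package -> packages that list it as a direct dependency.
function reverse(graph) {
  const rev = {};
  for (const p of Object.keys(graph)) rev[p] = [];
  for (const [p, deps] of Object.entries(graph)) {
    for (const d of deps) (rev[d] = rev[d] || []).push(p);
  }
  return rev;
}

// Removal impact: how many packages transitively depend on `pkg`, i.e.
// would no longer resolve if it disappeared from the registry.
function removalImpact(graph, pkg) {
  return transitiveDeps(reverse(graph), pkg).size;
}

// The package with the most *direct* dependents ("most popular").
function mostDependedUpon(graph) {
  const rev = reverse(graph);
  return Object.keys(graph).reduce((best, p) =>
    rev[p].length > rev[best].length ? p : best);
}

// One row per package: direct deps, transitive-only deps, dependents, impact.
function report(graph) {
  const rev = reverse(graph);
  return Object.keys(graph).map((p) => {
    const direct = graph[p].length;
    const total = transitiveDeps(graph, p).size;
    return {
      pkg: p,
      direct,
      transitiveOnly: total - direct,
      directDependents: rev[p].length,
      removalImpact: removalImpact(graph, p),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report(DEPS));
  const top = mostDependedUpon(DEPS);
  console.log(`most popular: ${top}, removal impact: ${removalImpact(DEPS, top)}`);
}
```

On this graph `app-a` declares two dependencies but pulls in four, and `string-util`, which only three packages depend on directly, would break five of the six packages if removed; that gap between direct and transitive counts is the point the abstract makes about inspecting what a dependency actually brings in.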



Published In

MSR '17: Proceedings of the 14th International Conference on Mining Software Repositories, May 2017, 567 pages, ISBN 9781538615447

Publisher

IEEE Press

Conference

ICSE '17

Cited By

  • (2024) Decoding Web3: In-depth Analysis of the Third-Party Package Supply Chain. Proceedings of the 15th Asia-Pacific Symposium on Internetware, pp. 457-466. doi:10.1145/3671016.3671402. Online: 24-Jul-2024.
  • (2024) Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pp. 345-350. doi:10.1145/3661167.3661231. Online: 18-Jun-2024.
  • (2024) Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows. Proceedings of the 21st International Conference on Mining Software Repositories, pp. 692-703. doi:10.1145/3643991.3644899. Online: 15-Apr-2024.
  • (2024) Mitigating Security Issues in GitHub Actions. Proceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability, pp. 6-11. doi:10.1145/3643662.3643961. Online: 15-Apr-2024.
  • (2024) Characterizing Deep Learning Package Supply Chains in PyPI: Domains, Clusters, and Disengagement. ACM Transactions on Software Engineering and Methodology 33(4), pp. 1-27. doi:10.1145/3640336. Online: 10-Jan-2024.
  • (2024) Reproducibility of Build Environments through Space and Time. Proceedings of the 2024 ACM/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results, pp. 97-101. doi:10.1145/3639476.3639767. Online: 14-Apr-2024.
  • (2024) A longitudinal study on the temporal validity of software samples. Information and Software Technology 168(C). doi:10.1016/j.infsof.2024.107404. Online: 1-Apr-2024.
  • (2023) Bilingual problems. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6133-6150. doi:10.5555/3620237.3620580. Online: 9-Aug-2023.
  • (2023) Automatically Resolving Dependency-Conflict Building Failures via Behavior-Consistent Loosening of Library Version Constraints. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 198-210. doi:10.1145/3611643.3616264. Online: 30-Nov-2023.
  • (2023) Understanding Breaking Changes in the Wild. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1433-1444. doi:10.1145/3597926.3598147. Online: 12-Jul-2023.
