DOI: 10.1145/2993412.3003382

On the topology of package dependency networks: a comparison of three programming language ecosystems

Published: 28 November 2016

Abstract

Package-based software ecosystems are composed of thousands of interdependent software packages. Many empirical studies have focused on software packages belonging to a single software ecosystem, and suggest generalising the results to other ecosystems. We claim that such a generalisation is not always possible, because the technical structure of software ecosystems can be very different, even if these ecosystems belong to the same domain. We confirm this claim through a study of three big and popular package-based programming language ecosystems: R's CRAN archive network, Python's PyPI distribution, and JavaScript's NPM package manager. We study and compare the structure of their package dependency graphs and reveal some important differences that may make it difficult to generalise the findings from one ecosystem to another.




Published In

ECSAW '16: Proceedings of the 10th European Conference on Software Architecture Workshops
November 2016
234 pages
ISBN: 9781450347815
DOI: 10.1145/2993412

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. JavaScript
  2. Python
  3. R
  4. component dependency graph
  5. software distribution
  6. software ecosystem

Qualifiers

  • Short-paper

Funding Sources

  • University of Mons

Conference

ECSAW '16
ECSAW '16: European Conference on Software Architecture Workshops
November 28 - December 2, 2016
Copenhagen, Denmark

Acceptance Rates

Overall Acceptance Rate 80 of 120 submissions, 67%

Article Metrics

  • Downloads (Last 12 months): 81
  • Downloads (Last 6 weeks): 12
Reflects downloads up to 01 Nov 2024

Cited By

  • (2024) Software Supply Chain Risk: Characterization, Measurement & Attenuation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering. 10.1145/3691620.3695608 (2506-2509). Online publication date: 27-Oct-2024
  • (2024) Demystifying Compiler Unstable Feature Usage and Impacts in the Rust Ecosystem. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. 10.1145/3597503.3623352 (1-13). Online publication date: 20-May-2024
  • (2024) VulNet: Towards improving vulnerability management in the Maven ecosystem. Empirical Software Engineering. 10.1007/s10664-024-10448-6. 29:4. Online publication date: 5-Jun-2024
  • (2024) Chain of Trust: Unraveling References Among Common Criteria Certified Products. ICT Systems Security and Privacy Protection. 10.1007/978-3-031-65175-5_14 (191-205). Online publication date: 26-Jul-2024
  • (2023) A Closer Look at the Security Risks in the Rust Ecosystem. ACM Transactions on Software Engineering and Methodology. 10.1145/3624738. 33:2 (1-30). Online publication date: 16-Sep-2023
  • (2023) I Depended on You and You Broke Me: An Empirical Study of Manifesting Breaking Changes in Client Packages. ACM Transactions on Software Engineering and Methodology. 10.1145/3576037. 32:4 (1-26). Online publication date: 26-May-2023
  • (2023) Intertwining Communities: Exploring Libraries that Cross Software Ecosystems. 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR). 10.1109/MSR59073.2023.00077 (518-522). Online publication date: May-2023
  • (2023) DGMF: Fast Generation of Comparable, Updatable Dependency Graphs for Software Repositories. 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR). 10.1109/MSR59073.2023.00028 (115-119). Online publication date: May-2023
  • (2023) Persisting and Reusing Results of Static Program Analyses on a Large Scale. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering. 10.1109/ASE56229.2023.00080 (888-900). Online publication date: 11-Nov-2023
  • (2023) On the dependency heaviness of CRAN/Bioconductor ecosystem. Journal of Systems and Software. 10.1016/j.jss.2023.111610. 198:C. Online publication date: 1-Apr-2023
