A formal framework for measuring technical lag in component repositories — and its application to npm

Zerouali, Ahmed; Mens, Tom; González-Barahona, Jesús M.; Decan, Alexandre; Constantinou, Eleni; Robles, Gregório

doi:10.1002/smr.2157

Cited by 33 publications

(19 citation statements)

References 31 publications

(43 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Decan et al [27] measured such technical lag for npm packages and observed that a large number of packages have outdated dependencies, and a large number of dependencies have a technical lag of several months. As a follow-up work, Zerouali et al [28] proposed and validated a formal framework for technical lag measurement.…”

Section: Related Workmentioning

confidence: 99%

What Do Package Dependencies Tell Us About Semantic Versioning?

Decan

Mens

2021

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

The semantic versioning (semver) policy is commonly accepted by open source package management systems to inform whether new releases of software packages introduce possibly backward incompatible changes. Maintainers depending on such packages can use this information to avoid or reduce the risk of breaking changes in their own packages by specifying version constraints on their dependencies. Depending on the amount of control a package maintainer desires to have over her package dependencies, these constraints can range from very permissive to very restrictive. This article empirically compares semver compliance of four software packaging ecosystems (Cargo, npm, Packagist and Rubygems), and studies how this compliance evolves over time. We explore to what extent ecosystem-specific characteristics or policies influence the degree of compliance. We also propose an evaluation based on the "wisdom of the crowds" principle to help package maintainers decide which type of version constraints they should impose on their dependencies.

show abstract

Section: Related Workmentioning

confidence: 99%

What Do Package Dependencies Tell Us About Semantic Versioning?

Decan

Mens

2021

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

show abstract

“…. our project has been inactive and production has been halted for indefinite time" Zerouali et al [21] proposed a framework to measure the technical lag (i.e., the time and/or number of versions between the last released library version and the actually used dependency) in open source repositories. In their later study, Zerouali et al [22] claimed that the technical lag of third-party components might lead to the presence of vulnerabilities in Docker images.…”

Section: Maintenance Of Software Librariesmentioning

confidence: 99%

“…Maven libraries are grouped into multi-module projects where each module is released as a separate artifact. According to the Maven naming conventions 21 , within-project dependencies of a multi-module project have the same groupId. Hence, within-project dependencies can be easily identified by comparing their groupIds.…”

Section: Step 3: Identification Of Within-project Dependenciesmentioning

confidence: 99%

“…Since the time difference between recent releases should have a bigger impact on the Last release interval comparing to the time difference between older releases, the typical statistical model that describes such a process is a simple Exponential Smoothing model [33]: where Release time i is the time interval needed to release the i-th version of a library, 0 < α < 1 is the smoothing parameter that shows how fast the influence of previous 21. https://maven.apache.org/guides/mini/ guide-naming-conventions.html 22.…”

Section: Step 4: Identification Of Lagging Dependenciesmentioning

confidence: 99%

See 1 more Smart Citation

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Vulnerable dependencies are a known problem in today's free open-source software ecosystems because FOSS libraries are highly interconnected, and developers do not always update their dependencies. Our paper proposes Vuln4Real, the methodology for counting actually vulnerable dependencies, that addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. To understand the industrial impact of a more precise methodology, we considered the 500 most popular FOSS Java libraries used by SAP in its own software. Our analysis included 25767 distinct library instances in Maven. We found that the proposed methodology has visible impacts on both ecosystem view and the individual library developer view of the situation of software dependencies: Vuln4Real significantly reduces the number of false alerts for deployed code (dependencies wrongly flagged as vulnerable), provides meaningful insights on the exposure to third-parties (and hence vulnerabilities) of a library, and automatically predicts when dependency maintenance starts lagging, so it may not receive updates for arising issues.

show abstract

“…Note that to reduce the data collection effort, our dependency graph is static, reflecting the dependencies at the time of data collection. By manually inspecting a small sample of projects, we observed that dependency changes typically occur when new libraries get added, while existing libraries rarely get removed [85]; therefore, our static graph can be considered as an over-approximation of the true dependencies.…”

Section: Network Constructionmentioning

confidence: 99%