Measuring Dependency Freshness in Software Systems

Cox, Joel; Bouwers, Eric; Eekelen, M.C.J.D. van; Visser, Joost

doi:10.1109/icse.2015.140

Cited by 78 publications

(90 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They conclude that over time, the maintainers become more trusting and update faster, although no reason is known for this behavior. Cox et al [2] measure dependency freshness in 75 different closed source projects of 30 different vendors. Their findings indicate that projects with low dependency freshness are more than four times likely to include a security vulnerability.…”

Section: B Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Structure and Evolution of Package Dependency Networks

Kikas

Gousios

Dumas

et al. 2017

2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)

130

129

View full text Add to dashboard Cite

Abstract-Software developers often include available opensource software packages into their projects to minimize redundant effort. However, adding a package to a project can also introduce risks, which can propagate through multiple levels of dependencies. Currently, not much is known about the structure of open-source package ecosystems of popular programming languages and the extent to which transitive bug propagation is possible. This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems. The results indicate that the number of transitive dependencies for JavaScript has grown 60% over the last year, suggesting that developers should look more carefully into their dependencies to understand what exactly is included. The study also reveals that vulnerability to a removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability. The findings of this study can inform the development of dependency management tools.

show abstract

Section: B Related Workmentioning

confidence: 99%

“…However, introducing third-party libraries makes a project dependent on them. Dependencies need to be kept up-do-date to prevent exposure to vulnerabilities and bugs [2]. At the same time, bugs can also originate through transitive dependencies [3].…”

Section: Introductionmentioning

confidence: 99%

Structure and Evolution of Package Dependency Networks

Kikas

Gousios

Dumas

et al. 2017

2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)

130

129

View full text Add to dashboard Cite

show abstract

“…Although our tool computes a rating for each system, we asked our experts to come up with a ranking (similar to Cox et al [8]). The reason is that the interviewees were not all familiar with automated tooling to rate software systems.…”

Section: A Comparing the Outcomes Of Our Tool With Expert Rankingsmentioning

confidence: 99%

“…Cox [8] has used expert opinion to rate a dependency freshness metric. The dependency freshness metric tries to capture how well developers keep third-party dependencies of their software system up-to-date.…”

Section: Related Workmentioning

confidence: 99%

How good is your puppet? An empirically defined and validated quality model for puppet

Bent

Hage

Visser

et al. 2018

2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

Abstract-Puppet is a declarative language for configuration management that has rapidly gained popularity in recent years. Numerous organizations now rely on Puppet code for deploying their software systems onto cloud infrastructures. In this paper we provide a definition of code quality for Puppet code and an automated technique for measuring and rating Puppet code quality. To this end, we first explore the notion of code quality as it applies to Puppet code by performing a survey among Puppet developers. Second, we develop a measurement model for the maintainability aspect of Puppet code quality. To arrive at this measurement model, we derive appropriate quality metrics from our survey results and from existing software quality models. We implemented the Puppet code quality model in a software analysis tool. We validate our definition of Puppet code quality and the measurement model by a structured interview with Puppet experts and by comparing the tool results with quality judgments of those experts. The validation shows that the measurement model and tool provide quality judgments of Puppet code that closely match the judgments of experts. Also, the experts deem the model appropriate and usable in practice. The Software Improvement Group (SIG) has started using the model in its consultancy practice.

show abstract

“…Recently, there has been large-scale empirical studies conducted on library migrations and evolution. Empirical studies by Raemakers et al [27,58], Jezek et al [26] and Joel et al [59] studied in-depth how libraries that reside in the Maven Central super-repository evolve and break APIs.…”

Section: Threats To Validitymentioning

confidence: 99%

An empirical study on the impact of refactoring activities on evolving client-used APIs

Kula

Ouni

Germán

et al. 2018

Information and Software Technology

View full text Add to dashboard Cite

Context: Refactoring is recognized as an effective practice to maintain evolving software systems. For software libraries, we study how library developers refactor their Application Programming Interfaces (APIs), especially when it impacts client users by breaking an API of the library. Objective: Our work aims to understand how clients that use a library API are affected by refactoring activities. We target popular libraries that potentially impact more library client users. Method: We distinguish between library APIs based on their client-usage (refereed to as client-used APIs) in order to understand the extent to which API breakages relate to refactorings. Our tool-based approach allows for a large-scale study across eight libraries (i.e., totaling 183 consecutive versions) with around 900 clients projects. Results: We find that library maintainers are less likely to break client-used API classes. Quantitatively, we find that refactoring activities break less than 37% of all client-used APIs. In a more qualitative analysis, we show two documented cases of where non-refactoring API breaking changes are motivated by other maintenance issues (i.e., bug fix and new features) and involve more complex refactoring operations. Conclusion: Using our automated approach, we find that library developers are less likely to break APIs and tend to break client-used APIs when addressing these maintenance issues.

show abstract

Measuring Dependency Freshness in Software Systems

Cited by 78 publications

References 14 publications

Structure and Evolution of Package Dependency Networks

Structure and Evolution of Package Dependency Networks

How good is your puppet? An empirically defined and validated quality model for puppet

An empirical study on the impact of refactoring activities on evolving client-used APIs

Contact Info

Product

Resources

About