ORBi UMONS: What do package dependencies tell us about semantic versioning? - 2019

Article (Scientific journals)

What do package dependencies tell us about semantic versioning?

Decan, Alexandre; Mens, Tom

2019 • In IEEE Transactions on Software Engineering

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/20.500.12907/40608

DOI
10.1109/TSE.2019.2918315

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

TSE-2019.pdf

Author preprint (12.4 MB)

All documents in ORBi UMONS are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

[en] version control; [en] package manager; [en] software ecosystem; [en] software evolution; [en] dependency management; [en] open source software

Abstract :

[en] The semantic versioning (semver) policy is commonly accepted by open source package management systems to inform whether new releases of software packages introduce possibly backward incompatible changes. Maintainers depending on such packages can use this information to avoid or reduce the risk of breaking changes in their own packages by specifying version constraints on their dependencies. Depending on the amount of control a package maintainer desires to have over her package dependencies, these constraints can range from very permissive to very restrictive. This article empirically compares semver compliance of four software packaging ecosystems (Cargo, npm, Packagist and Rubygems), and studies how this compliance evolves over time. We explore to what extent ecosystem-specific characteristics or policies influence the degree of compliance. We also propose an evaluation based on the 'wisdom of the crowds' principle to help package maintainers decide which type of version constraints they should impose on their dependencies.

Disciplines :

Electrical & electronics engineering

Author, co-author :

Decan, Alexandre ; Université de Mons > Faculté des Sciences > Service des Systèmes d'information ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Mens, Tom ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Language :

English

Title :

What do package dependencies tell us about semantic versioning?

Publication date :

23 May 2019

Journal title :

IEEE Transactions on Software Engineering

ISSN :

0098-5589

eISSN :

1939-3520

Publisher :

Institute of Electrical and Electronics Engineers, New-York, United States - New York

Peer reviewed :

Peer Reviewed verified by ORBi

Research unit :

S852 - Génie Logiciel

Research institute :

R150 - Institut de Recherche sur les Systèmes Complexes

Name of the research project :

Automated Assistance for Developing Software in Ecosystems of the Future - Fédération Wallonie Bruxelles

Available on ORBi UMONS :

since 25 May 2019

Statistics

Number of views

35 (0 by UMONS)

Number of downloads

61 (0 by UMONS)

More statistics

Scopus citations^®

55

Scopus citations^®
without self-citations

46

OpenCitations

15

OpenAlex citations

69

Bibliography

M. Lungu and M. Lanza, "The small project observatory: A tool for reverse engineering software ecosystems," in Proc. Int. Conf. Softw. Eng., 2010, pp. 289-292.
S. Jansen, "Measuring the health of open source software ecosystems: Beyond the scope of project health," Inf. Softw. Technol., vol. 56, no. 11, pp. 1508-1519,Nov. 2014.
S.Hyrynsalmi,M. Seppänen, T.Nokkala, A. Suominen, and A. Järvi, "Wealthy, healthy and/or happy-what does 'ecosystem health' stand for?" in Proc. Int. Conf. Softw. Bus., 2015, pp. 272-287.
C. Bogart, C. Kästner, J. Herbsleb, and F. Thung, "How to break an API: Cost negotiation and community values in three software ecosystems," in Proc. 24th ACM SIGSOFT Int. Symp. Found. Softw. Eng., 2016, pp. 109-120.
A. Decan, T. Mens, and P. Grosjean, "An empirical comparison of dependency network evolution in seven software packaging ecosystems," Empirical Softw. Eng., vol. 24, pp. 381-416, Feb. 2019.
T. Preston-Werner, "Semantic versioning 2.0.0," Jun. 2013. [Online]. Available: https://semver.org.
C. Bogart, C. Kästner, and J. Herbsleb, "When it breaks, it breaks: How ecosystem developers reason about the stability of dependencies," in Proc. Autom. Softw. Eng.Workshop, Nov. 2015, pp. 86-89.
B. Ganesan, NPM dependency errors? Then you're doing it wrong. Sept. 2017. [Online]. Available: https://medium.com/ netscape/npm-dependency-errors-then-youre-doing-it-w rong-635 160a89150
C. Bogart, A. Filippova, C. Kästner, J. Herbsleb, and F. Thung, Values and practices in 18 software ecosystems. 2017. [Online]. Available: http://breakingapis.org/survey/
G. Bavota, G. Canfora, M. Di Penta, R. Oliveto, and S. Panichella, "The evolution of project inter-dependencies in a software ecosystem: The case of Apache," in Proc. IEEE Int. Conf. Softw. Maintenance, 2013, pp. 280-289.
A. Decan, T.Mens,M. Claes, and P. Grosjean, "When GitHub meets CRAN: An analysis of inter-repository package dependency problems," in Proc. IEEE 23rd Int. Conf. Softw. Anal. Evolution Reengineering, Mar. 2016, pp. 493-504.
S. Mostafa, R. Rodriguez, and X. Wang, "Experience paper: A study on behavioral backward incompatibilities of Java software libraries," in Proc. Int. Symp. Softw. Testing Anal., 2017, pp. 215-225.
L. Xavier, A. Brito, A. Hora, and M. T. Valente, "Historical and impact analysis of API breaking changes: A large-scale study," in Proc. Int. Conf. Softw. Anal. Evolution Reengineering, Feb. 2017, pp. 138-147.
E. Wittern, P. Suter, and S. Rajagopalan, "A look at the dynamics of the JavaScript package ecosystem," in Proc. Int. Conf. Mining Softw. Repositories, 2016, pp. 351-361.
S. Raemaekers, A. van Deursen, and J. Visser, "Semantic versioning and impact of breaking changes in the Maven repository," J. Syst. Softw., vol. 129, pp. 140-158, 2017.
Y. Wang, M. Wen, Z. Liu, R. Wu, R.Wang, B. Yang, H. Yu, Z. Zhu, and S.-C. Cheung, "Do the dependency conflicts in my project matter?" in Proc. 26th ACM Joint Meeting Eur. Softw. Eng. Conf. Symp. Found. Softw. Eng., 2018, pp. 319-330.
R. Di Cosmo and J. Vouillon, "On software component coinstallability," in Proc. Joint Eur. Conf. Softw. Eng. / Found. Softw. Eng., 2011, pp. 256-266.
J. Vouillon and R. Di Cosmo, "Broken sets in software repository evolution," in Proc. Int. Conf. Softw. Eng., 2013, pp. 412-421.
P. Abate, R. Di Cosmo, L. Gesbert, F. L. Fessant, R. Treinen, and S. Zacchiroli, "Mining component repositories for installability issues," in Proc. Int. Conf. Mining Softw. Repositories, 2015, pp. 24-33.
R. G. Kula, D. M. German, T. Ishio, and K. Inoue, "Trusting a library: A study of the latency to adopt the latest Maven release," in Proc. Int. Conf. Softw. Anal. Evolution Reengineering, Mar. 2015, pp. 520-524.
R. G. Kula, D. M. German, A. Ouni, T. Ishio, and K. Inoue, "Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration," Empirical Softw. Eng., vol. 23, no. 1, pp. 384-417, Feb. 2018.
A. Decan, T. Mens, and M. Claes, "An empirical comparison of dependency issues in OSS packaging ecosystems," in Proc. Int. Conf. Softw. Anal. Evolution Reengineering, 2017, pp. 2-12.
J. Cox, E. Bouwers, M. van Eekelen, and J. Visser, "Measuring dependency freshness in software systems," in Proc. Int. Conf. Softw. Eng., 2015, pp. 109-118.
E. Derr, S. Bugiel, S. Fahl, Y. Acar, and M. Backes, "Keep me updated: An empirical study of third-party library updatability on Android," in Proc. ACM Conf. Comput. Commun. Secur., Oct. 2017, pp. 2187-2200.
A. Decan, T. Mens, and E. Constantinou, "On the impact of security vulnerabilities in the npm package dependency network," in Proc. Int. Conf.Mining Softw. Repositories,May 2018, pp. 181-191.
J.M. Gonzalez-Barahona, P. Sherwood, G. Robles, and D. Izquierdo, "Technical lag in software compilations:Measuring how outdated a software deployment is," in Proc. IFIP Int. Conf. Open Source Syst., 2017, pp. 182-192.
A. Decan, T. Mens, and E. Constantinou, "On the evolution of technical lag in the npm package dependency network," in Proc. IEEE Int. Conf. Softw.Maintenance Evolution, Sep. 2018, pp. 404-414.
A. Zerouali, J. M. Gonzalez-Barahona, T. Mens, A. Decan, E. Constantinou, and G. Robles, "A formal framework for measuring technical lag in component repositories-and its application to npm," J. Softw. Evol. Proc., p. e2157, 2019. [Online]. Available: https://doi.org/10.1002/smr.2157
Y.M.Mileva, V.Dallmeier,M. Burger, and A. Zeller,"Mining trends of library usage," in Proc. Joint Int.Annu. ERCIMWorkshops Principles Softw. Evolution Softw. Evolution Workshops, 2009, pp. 57-62.
A. Nesbitt and B. Nickolls, "Libraries.io open source repository and dependency metadata," 2018. [Online]. Available: https:// doi.org/10.5281/zenodo.1196312
O. Aalen, O. Borgan, and H. Gjessing, Survival and Event History Analysis: A Process Point of View. Berlin, Germany: Springer, 2008.
E. L. Kaplan and P. Meier, "Nonparametric estimation from incomplete observations," J. Amer. Statistical Assoc., vol. 53, no. 282, pp. 457-481, 1958. [Online]. Available: http://www.jstor.org/ stable/2281868
S. Holm, "A simple sequentially rejective multiple test procedure," Scandinavian J. Statist., vol. 6, no. 2, pp. 65-70, 1979. [Online]. Available: http://www.jstor.org/stable/4615733
J. E. Hopcroft, R. Motwani, and J. D. Ullman, "Introduction to automata theory, languages, and computation, 2nd edition," SIGACT News, vol. 32, no. 1, pp. 60-65, Mar. 2001. [Online]. Available: http://doi.acm.org/10.1145/568438.568455
F. Ricci, L. Rokach, B. Shapira, and P. B. Kantor, Recommender Systems Handbook. New York, London: Springer, 2011.
Gemnasium on GitLab. 2019. [Online]. Available: https://docs. gitlab.com/ee/user/project/import/gemnasium.html
Github security alerts for vulnerable dependencies. 2019. [Online]. Available: https://help.github.com/en/articles/about-securityalerts-for-vulnerabl e-dependencies
Tidelift. 2019. [Online]. Available: https://tidelift.com
Greenkeeper. 2019. [Online]. Available: https://greenkeeper.io
Clirr. 2019. [Online]. Available: http://clirr.sourceforge.net
Revapi. 2019. [Online]. Available: https://revapi.org
NDepend. 2019. [Online]. Available: https://www.ndepend.com
semantic-release. 2019. [Online]. Available: https://semanticrelease. gitbook.io/semantic-release
Gitversion. 2019. [Online]. Available: https://github.com/GitTools/ GitVersion
Npm semver calculator. 2019. [Online]. Available: https://semver. npmjs.com
Packagist Semver Checker. 2019. [Online]. Available: https:// semver.mwl.be
Dependabot SemVer stability score. 2019. [Online]. Available: https://dependabot.com/compatibility-score
C. Wohlin, M. C. Ohlsson, P. Runeson, B. Regnell, M. Höst, and A. Wesslen, Experimentation in Software Engineering. Berlin, Germany: Springer, 2000.

Similar publications

Contact ORBi UMONS