A formal framework for measuring technical lag in component repositories -- and its application to npm

Zerouali, Ahmed; Mens, Tom; Gonzalez-Barahona, Jesus; Decan, Alexandre; Constantinou, Eleni; Robles, Gregorio

doi:10.1002/smr.2157

Request a copy

Article (Scientific journals)

A formal framework for measuring technical lag in component repositories -- and its application to npm

Zerouali, Ahmed; Mens, Tom; Gonzalez-Barahona, Jesus et al.

2019 • In Journal of Software: Evolution and Process

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/20.500.12907/9145

DOI
10.1002/smr.2157

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Zerouali_et_al_2019-Journal_of_Software__Evolution_and_Process.pdf

Publisher postprint (2.1 MB)

Request a copy

All documents in ORBi UMONS are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

[en] software evolution; [en] technical lag; [en] open source software

Abstract :

[en] Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a sevenyear period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries.

Disciplines :

Computer science
Electrical & electronics engineering

Author, co-author :

Zerouali, Ahmed ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Mens, Tom ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Gonzalez-Barahona, Jesus

Decan, Alexandre ; Université de Mons > Faculté des Sciences > Service des Systèmes d'information ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Constantinou, Eleni

Robles, Gregorio

Language :

English

Title :

A formal framework for measuring technical lag in component repositories -- and its application to npm

Publication date :

19 March 2019

Journal title :

Journal of Software: Evolution and Process

ISSN :

2047-7473

eISSN :

2047-7481

Publisher :

John Wiley and Sons, United Kingdom

Peer reviewed :

Peer Reviewed verified by ORBi

Research unit :

S852 - Génie Logiciel

Research institute :

R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique

Name of the research project :

Automated Assistance for Developing Software in Ecosystems of the Future - Fédération Wallonie Bruxelles

Available on ORBi UMONS :

since 02 May 2019

Statistics

Number of views

3 (0 by UMONS)

Number of downloads

0 (0 by UMONS)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

Decan A, Mens T, Grosjean P. An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empir Softw Eng. 2018:1-36. https://doi.org/10.1007/s10664-017-9589-y
Krueger CW. Software reuse. ACM Comput Surveys (CSUR). 1992;24(2):131-183.
Kula RG, German DM, Ishio T, Inoue K. Trusting a library: a study of the latency to adopt the latest Maven release. In: Int'l Conf. on Software Analysis, Evolution, and Reengineering; 2015; Montreal, QC, Canada:520-524.
Mostafa S, Rodriguez R, Xiaoyin W. Experience paper: a study on behavioral backward incompatibilities of Java software libraries. In: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2017). Santa Barbara, CA, USA; 2017.
Gonzalez-Barahona JM, Sherwood P, Robles G, Izquierdo D. Technical lag in software compilations: measuring how outdated a software deployment is. In: IFIP International Conference on Open Source Systems; 2017; Aires, Argentina:182-192.
Cox J, Bouwers E, van Eekelen M, Visser J. Measuring dependency freshness in software systems. In: International Conference on Software Engineering; 2015; Florence, Italy:109-118.
Zerouali A, Constantinou E, Mens T, Robles G, González-Barahona J. An empirical analysis of technical lag in npm package dependencies. In: International Conference on Software Reuse. Springer; 2018:95-110. Madrid, Spain.
Decan A, Mens T, Constantinou E. On the evolution of technical lag in the npm package dependency network. In: International Conference on Software Maintenance and Evolution. IEEE; 2018; Madrid, Spain.
Mili A, Mili R, Mittermeir RT. A survey of software reuse libraries. Ann Softw Eng. 1998;5(1):349-414.
Maiden NA, Ncube C. Acquiring COTS software selection requirements. IEEE Softw. 1998;15(2):46-56.
Bohner SA. Extending software change impact analysis into COTS components. In: 27th annual NASA Software engineering workshop. IEEE; 2002:175-182.
Frakes WB, Kang K. Software reuse research: Status and future. IEEE Trans Softw Eng. 2005;31(7):529-536.
Gonzalez-Barahona JM, Robles G, Michlmayr M, Amor JJ, German DM. Macro-level software evolution: a case study of a large software compilation. Empir Softw Eng. 2009;14(3):262-285.
Abate P, Di Cosmo R, Boender J, Zacchiroli S. Strong dependencies between software components. In: International Symposium on Empirical Software Engineering and Measurement. Florida, USA: IEEE Computer Society; 2009:89-99.
Abate P, Di Cosmo R, Treinen R, Zacchiroli S. Dependency solving: a separate concern in component evolution management. J Syst Softw. 2012;85(10):2228-2240.
Abate P, Di Cosmo R, Treinen R, Zacchiroli S. Learning from the future of component repositories. Sci Comput Program. 2014;90:93-115.
Mileva YM, Dallmeier V, Burger M, Zeller A. Mining trends of library usage. In: International Workshop on Principles of Software Evolution. ACM; Amsterdam, The Netherlands: ACM; 2009:57-62.
Raemaekers S, Deursen A, Visser J. Semantic versioning versus breaking changes: a study of the Maven repository. In: International Conference on Source Code Analysis and Manipulation; 2014; Victoria, BC, Canada:215-224.
Kula RG, German DM, Ouni A, Ishio T, Inoue K. Do developers update their library dependencies? Empirical Software Engineering. 2018;23(1):384-417.
Macho C, McIntosh S, Pinzger M. Automatically repairing dependency-related build breakage. In: International Conference on Software Analysis, Evolution and Reengineering. IEEE; 2018; Campobasso, Italy:106-117.
Decan A, Mens T, Claes M. An empirical comparison of dependency issues in OSS packaging ecosystems. In: International Conference on Software Analysis, Evolution and Reengineering. Klagenfurt, Austria: IEEE; 2017:2-12.
Abdalkareem R, Nourry O, Wehaibi S, Mujahid S, Shihab E. Why do developers use trivial packages? An empirical case study on npm. In: International Symposium on Foundations of Software Engineering. ACM; 2017:385-395.
Lauinger T, Chaabane A, Arshad S, Robertson W, Wilson C, Kirda E. Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the Web. In: NDSS Symposium; 2017; San Diego, CA, USA.
Decan A, Mens T, Constantinou E. On the impact of security vulnerabilities in the npm package dependency network. In: International Conference on Mining Software Repositories; Gothenburg, Sweden; 2018.
Bogart C, Kästner C, Herbsleb J, Thung F. How to break an API: cost negotiation and community values in three software ecosystems. In: Int'l Symp. Foundations of Software Engineering. ACM; 2016; Singapore:109-120.
Constantinou E, Mens T. An empirical comparison of developer retention in the RubyGems and npm software ecosystems. Innov Syst Softw Eng. 2017;13(2-3):101-115.
Trockman A, Zhou S, Kästner C, Vasilescu B. Adding sparkle to social coding: an empirical study of repository badges in the npm ecosystem. In: Proceedings of the 40th International Conference on Software Engineering. ACM; 2018; Gothenburg, Sweden:511-522.
Kula RG, Ouni A, German DM, Inoue K. On the impact of micro-packages: an empirical study of the npm JavaScript ecosystem. arXiv preprint arXiv:1709.04638; 2017.
Nesbitt A, Nickolls B. Libraries.io open source repository and dependency metadata (version 1.2.0). [Data set] Zenodo; 2018.
Bogart C, Filippova A, Kästner C, Herbsleb J. Survey of ecosystem values. http://doi.org/breakingapis.org/survey/accessed: 28/10/2017; 2017.
Bogart C, Kästner C, Herbsleb J. When it breaks, it breaks: how ecosystem developers reason about the stability of dependencies. In: Automated Software Engineering Workshop. IEEE; 2015; Lincoln, NE, USA:86-89.
Mezzetti G, Moller A, Torp MT. Type regression testing to detect breaking changes in node. js Libraries. In: European Conference on Object-Oriented Programming (ECOOP). Amsterdam, The Netherlands; 2018.
Cosentino V, Izquierdo JLC, Cabot J. A systematic mapping study of software development with GitHub. IEEE Access. 2017;5:7173-7192.
Vouillon J, Cosmo RD. On software component co-installability. ACM Trans. Softw. Eng. Methodol. 2013;22(4):34:1-34:35.