DOI: 10.1109/MSR.2019.00061
Research article

Dependency versioning in the wild

Published: 26 May 2019

Abstract

Many modern software systems are built on top of existing packages (modules, components, libraries). The increasing number and complexity of dependencies has given rise to automated dependency management where package managers resolve symbolic dependencies against a central repository. When declaring dependencies, developers face various choices, such as whether or not to declare a fixed version or a range of versions. The former results in runtime behaviour that is easier to predict, whilst the latter enables flexibility in resolution that can, for example, prevent different versions of the same package being included and facilitates the automated deployment of bug fixes.
We study the choices developers make across 17 different package managers, investigating over 70 million dependencies. This is complemented by a survey of 170 developers. We find that many package managers support --- and the respective community adapts --- flexible versioning practices. This does not always work: developers struggle to find the sweet spot between the predictability of fixed version dependencies, and the agility of flexible ones, and depending on their experience, adjust practices. We see some uptake of semantic versioning in some package managers, supported by tools. However, there is no evidence that projects switch to semantic versioning on a large scale.
The results of this study can guide further research into better practices for automated dependency management, and aid the adaptation of semantic versioning.
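The abstract contrasts fixed version dependencies with flexible ranges: a range lets a new upstream release change what gets installed without any edit to the declaring project, which is both the benefit (fixes arrive automatically) and the risk (behaviour, and the supply chain, change silently). The following added example, which is not code from the paper or its authors, implements npm-style constraint matching for the common forms `1.2.3`, `~1.2.3`, `^1.2.3`, comparator lists such as `>=1.2.0 <2.0.0`, and `*`, resolves each against a constructed registry before and after a new release, and audits a manifest for floating ranges. The function names (`satisfies`, `resolve`, `audit_manifest`), the package names and the version lists are all constructed for this example; pre-release tags and build metadata are not modelled.

```python
"""Added example: npm-style version constraint resolution and a manifest audit.

Illustrates the fixed-versus-range trade-off; it is not the paper's code and
follows common caret/tilde semantics without modelling pre-release tags.
"""
import re
from typing import Optional

Version = tuple[int, int, int]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
_COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def _caret_upper(lower: Version) -> Version:
    """Caret (^) permits changes that leave the left-most non-zero component alone."""
    major, minor, patch = lower
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def satisfies(version: Version, spec: str) -> bool:
    """True if `version` matches the constraint `spec`.

    Supported forms: exact '1.2.3', caret '^1.2.3', tilde '~1.2.3', wildcard '*',
    and a space-separated comparator list such as '>=1.2.0 <2.0.0' (all must hold).
    """
    spec = spec.strip()
    if spec in ("*", "", "latest"):
        return True
    if spec.startswith("^"):
        lower = parse_version(spec[1:])
        return lower <= version < _caret_upper(lower)
    if spec.startswith("~"):
        lower = parse_version(spec[1:])
        return lower <= version < (lower[0], lower[1] + 1, 0)
    for token in spec.split():
        m = _COMPARATOR_RE.match(token)
        if not m:
            raise ValueError(f"unsupported constraint token: {token!r}")
        op = m.group(1) or "="
        bound = tuple(int(g) for g in m.groups()[1:])
        holds = {
            "=": version == bound,
            ">": version > bound,
            ">=": version >= bound,
            "<": version < bound,
            "<=": version <= bound,
        }[op]
        if not holds:
            return False
    return True


def resolve(spec: str, published: list[str]) -> Optional[str]:
    """Pick the highest published version satisfying `spec`, as a package manager would."""
    matching = [v for v in map(parse_version, published) if satisfies(v, spec)]
    return format_version(max(matching)) if matching else None


def is_pinned(spec: str) -> bool:
    """A constraint is pinned when exactly one version can ever satisfy it."""
    spec = spec.strip()
    return _VERSION_RE.match(spec) is not None or spec.startswith("=")


def audit_manifest(dependencies: dict[str, str]) -> list[tuple[str, str, str]]:
    """Classify each declared dependency as 'pinned' or 'floating'.

    A floating range is where an upstream release can change the installed code
    with no change to this manifest, so a lockfile and review of lockfile diffs
    are the usual control; the audit lists where that control is needed.
    """
    return [(name, spec, "pinned" if is_pinned(spec) else "floating")
            for name, spec in sorted(dependencies.items())]


if __name__ == "__main__":
    # Constructed registry contents, before and after a hypothetical new 1.9.0 release.
    before = ["1.2.0", "1.2.1", "1.3.0", "2.0.0"]
    after = before + ["1.9.0"]
    for spec in ("1.2.1", "~1.2.0", "^1.2.0", ">=1.2.0 <2.0.0", "*"):
        print(f"{spec:16} before={resolve(spec, before)!s:6} after={resolve(spec, after)}")
    # Constructed manifest with a mix of pinned and floating declarations.
    for row in audit_manifest({"http-client": "^1.3.0", "json-parser": "4.17.21", "logger": "~2.4.0"}):
        print(row)
```

Running the script shows that the exact and tilde declarations resolve to the same version before and after the new release, while the caret, comparator-range and wildcard declarations move to it; `audit_manifest` is the check a reviewer would run over a manifest to see which entries depend on a lockfile for reproducibility.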


Published in: MSR '19: Proceedings of the 16th International Conference on Mining Software Repositories, May 2019, 640 pages

Publisher: IEEE Press


Conference: ICSE '19

Article metrics: 14 downloads in the last 12 months, 2 in the last 6 weeks (reflects downloads up to 20 Feb 2025)

Cited by

  • Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem. Proceedings of the ACM on Software Engineering, 1(FSE):2632--2655, 12 Jul 2024. doi:10.1145/3660823
  • Learning to Predict and Improve Build Successes in Package Ecosystems. Proceedings of the 21st International Conference on Mining Software Repositories, pages 531--542, 15 Apr 2024. doi:10.1145/3643991.3644927
  • Understanding the Impact of APIs Behavioral Breaking Changes on Client Applications. Proceedings of the ACM on Software Engineering, 1(FSE):1238--1261, 12 Jul 2024. doi:10.1145/3643782
  • CNEPS: A Precise Approach for Examining Dependencies among Third-Party C/C++ Open-Source Components. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pages 1--12, 20 May 2024. doi:10.1145/3597503.3639209
  • Demystifying Compiler Unstable Feature Usage and Impacts in the Rust Ecosystem. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pages 1--13, 20 May 2024. doi:10.1145/3597503.3623352
  • An extended study of syntactic breaking changes in the wild. Empirical Software Engineering, 30(2), 14 Dec 2024. doi:10.1007/s10664-024-10563-4
  • Enabling Secure and Efficient Data Analytics Pipeline Evolution with Trusted Execution Environment. Proceedings of the VLDB Endowment, 16(10):2485--2498, 8 Aug 2023. doi:10.14778/3603581.3603589
  • Automatically Resolving Dependency-Conflict Building Failures via Behavior-Consistent Loosening of Library Version Constraints. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 198--210, 30 Nov 2023. doi:10.1145/3611643.3616264
  • Dependency Update Strategies and Package Characteristics. ACM Transactions on Software Engineering and Methodology, 32(6):1--29, 29 Sep 2023. doi:10.1145/3603110
  • Understanding Breaking Changes in the Wild. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 1433--1444, 12 Jul 2023. doi:10.1145/3597926.3598147
