Abstract
Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent of which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
One of the largest library hosting repositories at http://search.maven.org/.
Link at http://goo.gl/SV9d68.
Statistics accessed Nov-26th-2016 at https://search.maven.org/#stats.
Report published January 02, 2015 at http://goo.gl/i8J1Zq.
An updated listing is available online at http://www.cvedetails.com/product-list/vendor_id-45/apache.html.
It is officially known as the CVSS v2 base score. The calculation is shown at https://www.first.org/cvss/v2/guide.
The complete form is available at http://sel.ist.osaka-u.ac.jp/people/raula-k/librarymigrations/questionaire.html.
References
Balaban I, Tip F, Fuhrer R (2005) Refactoring support for class library migration Proceedings of the 20th Annual ACM SIGPLAN conference on object-oriented programming, systems, languages, and applications, OOPSLA ’05. ISBN 1-59593-031-0. ACM, New York, pp 265–279
Bavota G, Canfora G, Di Penta M, Oliveto R, Panichella S (2015) How the apache community upgrades dependencies: an evolutionary study. Empirical Softw Eng 20(5):1275–1317. ISSN 1382–3256
Bogart C, Kästner C, Herbsleb J (2015) When it breaks, it breaks: how ecosystem developers reason about the stability of dependencies. In: Proceedings of the ASE workshop on software support for collaborative and global software engineering (SCGSE), pp 11
Chow K, Notkin D (1996) Semi-automatic update of applications in response to library changes Proceedings of the 1996 international conference on software maintenance, ICSM ’96. IEEE Computer Society, Washington, DC
Cossette BE, Walker R J (2012) Seeking the ground truth. In: Proc. of the ACM SIGSOFT intrn. symp on the foundations of software engineering - FSE ’12
Cox J, Bouwers E, van Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: 2015 IEEE/ACM 37th IEEE International conference on software engineering (ICSE), vol 2, pp 109–118
Dagenais B, Robillard MP (2009) Semdiff: analysis and recommendation support for api evolution Proceedings of the 31st international conference on software engineering, ICSE ’09. ISBN 978-1-4244-3453-4. IEEE Computer Society, Washington, DC, pp 599–602
De Roover C, Lammel R, Pek E (2013) Multi-dimensional exploration of API usage. In: IEEE International conference on program comprehension, pp 152–161
Edgell S, Noon S (1984) Effect of violation of normality on the t test of the correlation coefficient. In: Psychological bulletin, pp 576–583
Eisenberg D S, Stylos J, Faulring A, Myers B A (2010) Using association metrics to help users navigate API documentation. In: VL/HCC2010, pp 23–30
German D M, Adams B, Hassan AE (2013) The evolution of the r software ecosystem. In: Proc. of European conf. on soft. main. and reeng. (CSMR2013), pp 243–252
Godfrey M W, Zou L (2005) Using origin analysis to detect merging and splitting of source code entities. IEEE Trans Softw Eng 31(2):166–181
Haenni N, Lungu M, Schwarz N, Nierstrasz O (2013) Categorizing developer information needs in software ecosystems. In: Proc. of int. work. on soft. eco. arch. (WEA13), pp 1–5
Hora A, Valente M T (2015) Apiwave: keeping track of api popularity and migration. In: International conference on software maintenance and evolution
Hora A, Robbes R, Anquetil N, Etien A, Ducasse S, Valente M T (2015) How do developers react to api evolution? The pharo ecosystem case Proceedings of the 2015 IEEE international conference on software maintenance and evolution (ICSME), ICSME ’15. ISBN 978-1-4673-7532-0. IEEE Computer Society, Washington, DC, pp 251–260, DOI 10.1109/ICSM.2015.7332471, (to appear in print)
Jezek K, Dietrich J, Brada P (2015) How Java APIs break - an empirical study. Inf Softw Technol, 129–146. ISSN 09505849. doi:10.1016/j.infsof.2015.02.014
Kabinna S, Bezemer C-P, Shang W, Hassan AE (2016) Logging library migrations: a case study for the apache software foundation projects. In: Proceedings of the 13th International workshop on mining software repositories, MSR ’16. New York, pp 154–164
Kamiya T, Kusumoto S, Inoue K (2002) CCFinder: a multilinguistic token-based code clone detection system for large scale source code. IEEE Trans Softw Eng 28 (7):654–670. doi:10.1109/TSE.2002.1019480. ISSN 0098-5589
Kawamitsu N, Ishio T, Kanda T, Kula R G, De Roover C, Inoue K (2014) Identifying source code reuse across repositories using lcs-based source code similarity. In Proc. of SCAM
Kula RG, Roover CD, German DM, Ishio T, Inoue K (2014) Visualizing the evolution of systems and their library dependencies. In: Proc. of IEEE Work. conf. on soft. viz. (VISSOFT), ICSME ’15
Kula R G, German D M, Ishio T, Inoue K (2015) Trusting a library: a study of the latency to adopt the latest maven release. In: 22nd IEEE International conference on software analysis, evolution, and reengineering, SANER 2015. Montreal
Lehman MM (1996) Laws of software evolution revisited Proceedings of the 5th European workshop on software process technology, EWSPT ’96. ISBN 3-540-61771-X. Springer-Verlag, London, pp 108–124
Lungu M (2008) Towards reverse engineering software ecosystems. In: Intl. conf. on soft. maint. and evo. (ICSME)
McDonnell T, Ray B, Kim M (2013) An empirical study of API stability and adoption in the android ecosystem. In: IEEE International conference on software maintenance. ICSM, pp 70–79. ISSN 1063-6773. doi:10.1109/ICSM.2013.18
Mens T, Claes Mk, Ecos P G (2014) Ecological studies of open source software ecosystems. In: Soft. main. reeng. and rev. eng. (CSMR-WCRE), pp 403–406
Mileva Y M, Dallmeier V, Burger M, Zeller A (2009) Mining trends of library usage Proc. Intl and ERCIM principles of soft. evol. (IWPSE) and soft. evol. (Evol) workshops, IWPSE-Evol ’09. ACM, New York, pp 57–62
Plate H, Ponta S A, Elisa S (2015) Impact assessment for vulnerabilities in open-source software libraries Proceedings of the 31st international conference on software maintenance and evolution, ICSME ’15. IEEE Computer Society, Breman
Raemaekers S, van Deursen A, Visser J (2012) Measuring software library stability through historical version analysis. In: Proc. of intl. comf. soft. main. (ICSM), pp 378–387
Raemaekers S, van Deursen A, Visser J (2014) Semantic versioning versus breaking changes: a study of the maven repository. In: 2014 IEEE 14th international working conference on source code analysis and manipulation (SCAM), pp 215–224
Robbes R, Lungu M, Röthlisberger D (2012) How do developers react to api deprecation? The case of a smalltalk ecosystem Proceedings of the ACM SIGSOFT 20th international symposium on the foundations of software engineering, FSE ’12. ISBN 978-1-4503-1614-9. ACM, New York, pp 56:1–56:11
Rogers EM (2003) Diffusion of innovations, 5, 08. Free Press, NY. ISBN 0-7432-2209-1, 978-0-7432-2209-9
Sawant AA, Robbes R, Bacchelli A (2016) On the reaction to deprecation of 25,357 clients of 4+1 popular java apis. In: Proceedings of the 32th IEEE international conference on software maintenance and evolution
Schäfer T, Jonas J, Mezini M (2008) Mining framework usage changes from instantiation code Proceedings of the 30th international conference on software engineering, ICSE ’08. ISBN 978-1-60558-079-1. ACM, New York, pp 471–480
Teyton C, Falleri J-R, Palyart M, Blanc X (2014) A study of library migrations in java. J Softw Evol Process, 26, 11
Wittern E, Suter P, Rajagopalan S (2016) A look at the dynamics of the javascript package ecosystem. In: Proc. of work. conf. on mining soft. repo. (MSR2016)
Wu W, Khomh F, Adams B, Guéhéneuc Y-G, Antoniol G (2015a) An exploratory study of api changes and usages based on apache and eclipse ecosystems. Empirical Softw Eng, p.1–47. ISSN 1573-7616
Wu W, Serveaux A, Guéhéneuc Y-G, Antoniol G (2015b) The impact of imperfect change rules on framework api evolution identification: an empirical study. Empirical Softw Engg 20(4):1126–1158. doi:10.1007/s10664-014-9317-9
Xia P, Matsushita M, Yoshida N, Inoue K (2013) Studying reuse of out-dated third-party code in open source projects. Jpn Soc Softw Sci Technol Comput Softw 30(4):98–104
Xing Z, Stroulia E (2007) API-evolution support with diff-catchup. IEEE Trans Softw Eng 33:818–836. doi:10.1109/TSE.2007.70747
Acknowledgements
This work is supported by JSPS KANENHI (Grant Numbers JP25220003 and JP26280021) and the “Osaka University Program for Promoting International Joint Research.” Ali Ouni is supported by the ‘Research Start-up (2) 2016 Grant G00002211’ funded by UAE University.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by: Martin Robillard
Rights and permissions
About this article
Cite this article
Kula, R.G., German, D.M., Ouni, A. et al. Do developers update their library dependencies?. Empir Software Eng 23, 384–417 (2018). https://doi.org/10.1007/s10664-017-9521-5
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10664-017-9521-5