STUDYING THE OVERHEAD AND CROWD-SOURCED RISK ASSESSMENT STRATEGY OF DEPENDENCY MANAGEMENT BOTS

Abstract

As today's software systems are increasingly built with dependency relationships, where a client package makes use of a specific version of a provider package, these client packages must effectively manage their dependencies. To help facilitate this dependency management process, clients are increasingly adopting dependency management bots to alert them when a provider package they depend on releases a new version and whether the new version of said provider package is compatible with their package.

Integrating these dependency management bots into a project requires a certain level of effort on the part of the client, and once the bot begins performing its specific function, human intervention is usually required to either accept or reject any action or recommendation the bot generates. This creates additional, and sometimes unnecessary, work for clients, which can deter them from continuing to use the bot. Additionally, dependency management bots have begun to implement the promising strategy of leveraging "the crowd" to help clients assess the involved risks with accepting a dependency update. This opportunity to use knowledge from "the crowd" to aid client packages with dependency management is interesting and unique to dependency management bots, as they have access to the vast store of data representing how compatible each provider package release is across many client packages. In this thesis, we present two studies that examine these attributes of dependency management bots. First, we describe a large empirical study on the overhead that is introduced in client packages that adopt dependency management bots. In particular, we provide a series of practical recommendations to help designers of dependency management bots reduce the amount of unnecessary work they create in client packages. Next, we describe a large scale study on the efficacy of dependency management bots leveraging "the crowd" to provide supporting metrics to help clients assess the risk of accepting a dependency update. Our findings will help designers of dependency management bots effectively leverage crowd-sourced data to aid client packages with dependency management.