Studying Dependency Maintenance Practices Through the Mining of Data from npm Packages

Cogo, Filipe
Software Ecosystem, Dependencies, Package Manager, Dependency Management, Downgrades, Releases, Deprecation
Open source software ecosystems have gained significant importance in the last decade. In a software ecosystem, client packages can declare a dependency to reuse the functionality of a provider package. On the one hand, the diversity of freely reusable provider packages in those ecosystems supports fast-paced contemporary software development. On the other hand, developers need to cope with the overhead brought by dependency maintenance. Dependencies need to be kept in an updated and working state; otherwise, defects in provider packages can negatively impact client packages. Notable incidents underline the importance of timely and proper dependency maintenance. For example, in the "Equifax data breach", a vulnerability in an out-of-date dependency was exploited to illegally obtain the financial information of hundreds of millions of customers. Also, in the "left-pad incident", a package with 11 lines of code was removed from npm, causing significant downtime on major websites such as Facebook, Instagram and LinkedIn. Hence, proper dependency maintenance contributes to the viability of both individual packages and the whole ecosystem. In this thesis, we propose to leverage data from the npm ecosystem to understand current dependency maintenance practices and provide actionable information to practitioners. Currently, npm is the largest and most popular open-source software ecosystem. We study three phenomena related to dependency maintenance in software ecosystems: downgrades of dependencies, same-day releases, and release deprecation. In this thesis, we discuss in detail the motivation and approach for studying these three phenomena. We then perform an empirical analysis of the npm data to evaluate the driving forces behind these phenomena, as well as their prevalence and impact in the ecosystem. Based on our empirical observations, we propose a set of informed suggestions to improve dependency maintenance practices in npm.