Studying Dependency Maintenance Practices Through the Mining of Data from npm Packages


Authors

Cogo, Filipe

Type

thesis

Language

eng

Keyword

Software Ecosystem, Dependencies, Package Manager, Dependency Management, Downgrades, Releases, Deprecation

Abstract

Open source software ecosystems have gained significant importance in the last decade. In a software ecosystem, a client package can declare a dependency in order to reuse the functionality of a provider package. On the one hand, the diversity of freely reusable provider packages in these ecosystems supports fast-paced contemporary software development. On the other hand, developers need to cope with the overhead brought by dependency maintenance. Dependencies need to be kept in an updated and working state; otherwise, defects in provider packages can negatively impact client packages. Notable incidents show the importance of timely and proper dependency maintenance. For example, in the "Equifax data breach", a vulnerability in an out-of-date dependency was exploited to illegally obtain the financial information of hundreds of millions of customers. Also, in the "left-pad incident", a package with 11 lines of code was removed from npm, causing significant downtime on major websites such as Facebook, Instagram and LinkedIn. Hence, proper dependency maintenance contributes to the viability of both individual packages and the whole ecosystem. In this thesis, we propose to leverage data from the npm ecosystem to understand current dependency maintenance practices and to provide actionable information to practitioners. Currently, npm is the largest and most popular open-source software ecosystem. We study three phenomena related to dependency maintenance in software ecosystems: downgrades of dependencies, same-day releases, and release deprecation. In this thesis, we discuss in detail the motivation and the approach used to study these three phenomena. We then perform an empirical analysis of the npm data to evaluate the driving forces behind these phenomena, as well as their prevalence and impact in the ecosystem. Based on our empirical observations, we propose a set of informed suggestions to improve dependency maintenance practices in npm.

License

Queen's University's Thesis/Dissertation Non-Exclusive License for Deposit to QSpace and Library and Archives Canada
ProQuest PhD and Master's Theses International Dissemination Agreement
Intellectual Property Guidelines at Queen's University
Copying and Preserving Your Thesis
This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner.
Attribution 3.0 United States
