Brussels / 1 & 2 February 2020


Comparing dependency management issues across packaging ecosystems

In the last couple of years, the Software Engineering Lab of the University of Mons has extensively studied different aspects of dependency management within and across different package management ecosystems, including Cargo, npm, Packagist, Rubygems, CPAN, CRAN and NuGet. These ecosystems contain a large number of package releases with many interdependencies. They face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward incompatible package updates, and the increasing proportion of fragile packages due to an excessive number of transitive dependencies.

This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes: * the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities. * the impact of using either more permissive or more restrictive version contraints on dependencies. * the virtues and limitations of being compliant to semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes. * the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above.

The contents of the talk will be adapted to the target audience of open source software practitioners, but will be primarily based on the following peer-reviewed scientific articles: * What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. * An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. * A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. * On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. * On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018.


Tom Mens