Presentation at the International Conference on Software Maintenance and Evolution (ICSME2018), Madrid, Spain, 28 September 2018. Joint research by Alexandre Decan, Eleni Constantinou, Tom Mens at the Software Engineering Lab of the University of Mons. Research conducted in the context of the SECOHealth and SECO-ASSIST research projects (https://secohealth.github.io, https://secoassist.github.io)
We empirically analyse the context of technical lag in the JavaScript npm package dependency network to assess to which extent npm software packages and their dependencies are outdated.
On the evolution of technical lag in the npm package dependency network
1. ICSME 2018
ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK
Alexandre Decan (@AlexandreDecan), Eleni Constantinou (@eleni_const), Tom Mens (@tom_mens)
6. Technical Lag
Technical lag: how outdated a software system is with respect to its upstream dependencies [1].
[1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182–192, 2017.
13. How prominent is technical lag (TL)?
25% of dependencies / 40% of releases suffer from TL.
Dependency management tools reduce the presence of TL.
14. How long is the technical lag?
From 2015 on, the average TL is 7 to 9 months.
Only 25% of affected releases have a TL shorter than 52 days.
Recommendation: expose TL information in dependency management tools.
15. How frequently are packages updated?
It takes 12 to 22 days on average to update a release.
Frequent updates can contribute to the TL of dependents.
16. Why does technical lag occur?
A package release does not use the highest available release of its dependency: during the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint.
1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
17. How does technical lag evolve?
Most packages do not change their constraints to use newer releases of their dependencies.
Recommendation: better tool support for managing constraints.
18. Could technical lag be reduced by proper use of semantic versioning?
The proportion of releases suffering from TL could be reduced by 17.7%.
Package maintainers should adhere to semantic versioning.
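The definition on slide 16 (a newer dependency release exists but is excluded by the constraint) and the semantic versioning question on slide 18, as an added runnable example. This is not code from the presentation or from the authors' tooling. It assumes that technical lag is measured as the time between the release date of the version a constraint resolves to and the release date of the highest version available on that date, implements only exact, caret (npm's default) and tilde constraints, and uses a constructed release history for a hypothetical dependency named dep.

```javascript
// Added example (not the authors' code): technical lag of one npm dependency
// under a version constraint. Release histories below are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Minimal range check for the constraint shapes used here: an exact
// version, a caret range and a tilde range. Pre-release tags and
// compound ranges are deliberately out of scope.
function satisfies(version, constraint) {
  const op = "^~".includes(constraint[0]) ? constraint[0] : "";
  const base = op ? constraint.slice(1) : constraint;
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version), b = parseVersion(base);
  if (op === "") return compareVersions(version, base) === 0;
  if (op === "~") return v.major === b.major && v.minor === b.minor;
  // caret: the leftmost non-zero component stays fixed (npm semantics)
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return compareVersions(version, base) === 0;
}

// Technical lag on a given date (assumed measure): time between the release
// the constraint resolves to (highest satisfying version available on that
// date) and the highest version available at all. A fix backported after
// the highest version would give a negative difference; it is reported as 0.
function technicalLag(constraint, releases, asOf) {
  const asOfMs = Date.parse(asOf);
  const available = releases
    .filter((r) => Date.parse(r.date) <= asOfMs)
    .sort((a, b) => compareVersions(a.version, b.version));
  if (available.length === 0) throw new Error("no release available at " + asOf);
  const highest = available[available.length - 1];
  const allowed = available.filter((r) => satisfies(r.version, constraint));
  if (allowed.length === 0) throw new Error(constraint + " is unsatisfiable at " + asOf);
  const resolved = allowed[allowed.length - 1];
  const lagMs = Date.parse(highest.date) - Date.parse(resolved.date);
  return {
    resolved: resolved.version,
    highest: highest.version,
    lagDays: Math.max(0, Math.round(lagMs / DAY_MS)),
    // the slide-16 situation: a newer release exists but the constraint excludes it
    missedByConstraint: highest.version !== resolved.version,
  };
}

// Constructed history of hypothetical dependency "dep". In `history` the
// June release is published as a major bump 2.0.0; in `semverHistory` the
// same backward-compatible change ships as patch 1.1.1, i.e. the maintainer
// follows semantic versioning.
const history = [
  { version: "1.0.0", date: "2017-01-01" },
  { version: "1.1.0", date: "2017-03-01" },
  { version: "2.0.0", date: "2017-06-01" },
];
const semverHistory = history.map((r) =>
  r.version === "2.0.0" ? { ...r, version: "1.1.1" } : r
);

// Lag of a dependent release dated 2017-09-01 under different constraints.
function demo() {
  const asOf = "2017-09-01";
  return {
    caret: technicalLag("^1.0.0", history, asOf),          // 92 days, 2.0.0 missed
    tilde: technicalLag("~1.0.0", history, asOf),          // 151 days, 1.1.0 and 2.0.0 missed
    exact: technicalLag("1.0.0", history, asOf),           // 151 days, pinned
    semverCompliant: technicalLag("^1.0.0", semverHistory, asOf), // 0 days
  };
}

console.log(demo());
```

The caret case reproduces slide 16: 2.0.0 is available but excluded, so the dependent stays on 1.1.0 and accumulates lag until its maintainer changes the constraint (slide 17). The last case shows the slide-18 argument: when the same change is released as a patch under semantic versioning, the unchanged caret constraint picks it up and the lag disappears.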
20. Summary
npm package releases/dependencies suffer from technical lag: 7 to 9 months of technical lag.
Proper use of semantic versioning:
- decreases the effect of technical lag (~18%)
- allows dependents to benefit from vulnerability fixes
21. Conclusion
Dependency management tools help package maintainers to reduce the presence of technical lag.
Dependency monitoring tools should incorporate technical lag information.
Take an ecosystem-wide view of technical lag.
Support dependent packages / backport important fixes.
[Figure: technical lag definition, distinguishing direct dependencies from transitive dependencies]