Presentation slides of ICSME 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from University of Mons, Belgium. Research carried out as part of the SECOHealth and SECO-ASSIST research projects. Abstract: Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.
On the evolution of technical lag in the npm package dependency network
1. ICSME 2018
ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK
ALEXANDRE DECAN, ELENI CONSTANTINOU, TOM MENS
@AlexandreDecan, @tom_mens, @eleni_const
6. Technical Lag
How outdated a software system is with respect to its upstream dependencies [1]
[1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182-192, 2017.
13. How prominent is technical lag (TL)?
25% of dependencies / 40% of releases suffer from TL
Dependency management tools reduce TL presence
14. How long is the technical lag?
From 2015 onwards: average TL is 7 to 9 months
Only 25% have a TL <52 days
TL information in dependency management tools
15. How frequently are packages updated?
It takes an average of 12 to 22 days to update a release
Frequent updates can contribute to TL of dependents
16. Why does technical lag occur?
A package release does not use the highest available release of its dependency.
During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint.
1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
17. How does technical lag evolve?
Most packages do not change their constraints to use newer releases of their dependencies.
Better tool support for managing constraints
18. Could technical lag be reduced by proper use of semantic versioning?
The proportion of releases suffering from TL could be reduced by 17.7%
Package maintainers should adhere to semantic versioning
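The mechanism in slides 16 to 18 (a constraint excluding newer dependency releases, and caret/tilde ranges narrowing the gap), as an added worked example that is not part of the slides or the authors' tooling. The release history, the dates and the `technicalLag` function are constructed for illustration; the constraint matcher covers only exact, `~` and `^` npm constraints.

```javascript
// Minimal npm-style constraint matcher (exact, "~x.y.z", "^x.y.z"); no prereleases.
function parse(v) { return v.split('.').map(Number); }
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
function satisfies(version, constraint) {
  const op = '^~'.includes(constraint[0]) ? constraint[0] : '';
  const base = op ? constraint.slice(1) : constraint;
  const [v, b] = [parse(version), parse(base)];
  if (cmp(version, base) < 0) return false;
  if (op === '') return cmp(version, base) === 0;          // pinned: only that release
  if (op === '~') return v[0] === b[0] && v[1] === b[1];   // tilde: patch updates only
  if (b[0] !== 0) return v[0] === b[0];                    // caret: same major
  return v[0] === 0 && v[1] === b[1];                      // caret on 0.x: same minor
}

// Technical lag of one dependency constraint at observation date asOf:
// highest release the constraint admits vs. highest release published so far.
// releases: [{version, date}] (constructed history, any order).
function technicalLag(constraint, releases, asOf) {
  const avail = releases.filter(r => r.date <= asOf);
  if (avail.length === 0) return null;
  const newest = (a, b) => (cmp(b.version, a.version) > 0 ? b : a);
  const highest = avail.reduce(newest);
  const usable = avail.filter(r => satisfies(r.version, constraint));
  if (usable.length === 0) return null;                    // constraint unsatisfiable
  const installed = usable.reduce(newest);
  const missed = avail.filter(r => cmp(r.version, installed.version) > 0).length;
  const lagDays = Math.round((highest.date - installed.date) / 86400000);
  return { installed: installed.version, highest: highest.version, missedReleases: missed, lagDays };
}

// Constructed release history of a hypothetical dependency "dep" (not real npm data).
const DEP_HISTORY = [
  { version: '1.0.0', date: new Date('2015-01-01') },
  { version: '1.0.1', date: new Date('2015-02-01') },
  { version: '1.1.0', date: new Date('2015-04-01') },
  { version: '2.0.0', date: new Date('2015-09-01') },
  { version: '2.0.1', date: new Date('2015-10-01') },
  { version: '2.1.0', date: new Date('2016-03-01') },     // after AS_OF: not yet visible
];
const AS_OF = new Date('2016-01-01');

// Same dependent release, four ways of declaring the constraint.
const REPORT = ['1.0.0', '~1.0.0', '^1.0.0', '^2.0.0'].map(c => [c, technicalLag(c, DEP_HISTORY, AS_OF)]);
```

Pinning to `1.0.0` misses four releases and 273 days; `^1.0.0` still misses the major bump (slide 16), which only a constraint update removes (slide 17).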
20. Summary
npm package releases/dependencies suffer from technical lag
7 - 9 months of technical lag
Proper use of semantic versioning
Decreases the effect of technical lag (~18%)
Makes it possible to benefit from vulnerability fixes
21. Conclusion
Dependency management tools help package maintainers to reduce the presence of technical lag.
Dependency monitoring tools should incorporate technical lag information.
Ecosystem-wide view of technical lag.
Support dependent packages / backport important fixes.
[Outline figure labels: Technical lag definition; Direct dependencies; Transitive dependencies]