SlideShare une entreprise Scribd logo

On the evolution of technical lag in the npm package dependency network

Télécharger en tant que PPTX, PDF
E
econst

Presentation slides of ICSME 2018 article, co-authored by Alexandre Decan, Tom Mens and Eleni Constantinou from University of Mons, Belgium. Research carried out as part of the SECOHealth and SECO-ASSIST research projects. Abstract: Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package dependency constraints. We also discuss how technical lag can be reduced by relying on the semantic versioning policy.

Sciences
1  sur  22
ICSME 2018 ONTHE EVOLUTION OFTECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
PACKAGE DEPENDENCY NETWORKS & TECHNICAL LAG
Package dependency networks
Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
Dependency constraints More Permissive More Restrictive major minor patch 3 9 2
Technical Lag [1] J. M. Gonzalez-Barahona et al.Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP InternationalConf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
Technical lag example 1.0.0 1.0.0 Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 –T5 T10 –T9 p2p1
Should I keep my dependencies up-to-date? COST  Effort to integrate backwards incompatible changes  Monitor dependency evolution RISK  Backwards incompatible changes BENEFIT  Bug fixes  Security vulnerability fixes  New features
DATASET
NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
FINDINGS
How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
SUMMARY & CONCLUSION
npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning  Decreases the effect of technical lag (~18%)  Allows to benefit from vulnerability fixes Summary
Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition
On the evolution of technical lag in the npm package dependency network

Recommandé

On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
An empirical comparison of dependency issues in open source software packagin...
An empirical comparison of dependency issues in open source software packagin...An empirical comparison of dependency issues in open source software packagin...
An empirical comparison of dependency issues in open source software packagin...Tom Mens
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8sDevOps Indonesia
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 

Recommandé

On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
An empirical comparison of dependency issues in open source software packagin...
An empirical comparison of dependency issues in open source software packagin...An empirical comparison of dependency issues in open source software packagin...
An empirical comparison of dependency issues in open source software packagin...Tom Mens
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8sDevOps Indonesia
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...Ahmed Zerouali
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsCAST
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLieRick Kingsley
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costsFrancisJansen
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens
 
Alft
AlftAlft
AlftVincenzo De Florio
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...IRJET Journal
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnextmeijerandre
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New YearSavvius, Inc
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtRungrojMaipradit1
 
Atifalhas
AtifalhasAtifalhas
AtifalhasEvandro Madeira
 
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...PRQA
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfnattamailru
 
PACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPace IT at Edmonds Community College
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CASTCAST
 
36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructureWashington Garcia
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Patrick Diehl
 

Contenu connexe

Similaire à On the evolution of technical lag in the npm package dependency network

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...Ahmed Zerouali
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsCAST
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costsFrancisJansen
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...IRJET Journal
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnextmeijerandre
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New YearSavvius, Inc
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtRungrojMaipradit1
 
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...PRQA
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfnattamailru
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CASTCAST
 
36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructureWashington Garcia
 

Similaire à On the evolution of technical lag in the npm package dependency network (20)

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
 
Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable Apps
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
 
How to save on software maintenance costs
How to save on software maintenance costsHow to save on software maintenance costs
How to save on software maintenance costs
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
Alft
AlftAlft
Alft
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
Whitepaper Omnext
Whitepaper OmnextWhitepaper Omnext
Whitepaper Omnext
 
Tune Up Your Network for the New Year
Tune Up Your Network for the New YearTune Up Your Network for the New Year
Tune Up Your Network for the New Year
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
 
Wait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debtWait for it: identifying “On-Hold” self-admitted technical debt
Wait for it: identifying “On-Hold” self-admitted technical debt
 
Atifalhas
AtifalhasAtifalhas
Atifalhas
 
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
 
PACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and UpgradesPACE-IT: Applying Patches and Upgrades
PACE-IT: Applying Patches and Upgrades
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
 
36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure36x48_new_modelling_cloud_infrastructure
36x48_new_modelling_cloud_infrastructure
 

Dernier

Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Patrick Diehl
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...Sérgio Sacani
 
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisDiwakar Mishra
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡anilsa9823
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhousejana861314
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxpradhanghanshyam7136
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxgindu3009
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
Chemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfChemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfSumit Kumar yadav
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfSumit Kumar yadav
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfmuntazimhurra
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeSatoshi NAKAHIRA
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTSérgio Sacani
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 sciencefloriejanemacaya1
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 

Dernier (20)

Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
 
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhouse
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptx
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
Chemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfChemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdf
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 science
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 

On the evolution of technical lag in the npm package dependency network

  • 1. ICSME 2018 ONTHE EVOLUTION OFTECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
  • 4. Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
  • 6. Technical Lag [1] J. M. Gonzalez-Barahona et al.Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP InternationalConf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
  • 7. Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
  • 8. Technical lag example 1.0.0 1.0.0 Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 –T5 T10 –T9 p2p1
  • 9. Should I keep my dependencies up-to-date? COST  Effort to integrate backwards incompatible changes  Monitor dependency evolution RISK  Backwards incompatible changes BENEFIT  Bug fixes  Security vulnerability fixes  New features
  • 11. NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
  • 13. How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
  • 14. How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
  • 15. How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
  • 16. During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
  • 17. How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
  • 18. Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
  • 20. npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning  Decreases the effect of technical lag (~18%)  Allows to benefit from vulnerability fixes Summary
  • 21. Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition