Dependency Update Strategies and Package Characteristics
- URL: http://arxiv.org/abs/2305.15675v1
- Date: Thu, 25 May 2023 02:58:21 GMT
- Title: Dependency Update Strategies and Package Characteristics
- Authors: Abbas Javan Jafari, Diego Elias Costa, Emad Shihab, Rabe Abdalkareem
- Abstract summary: This study explores the association between package characteristics and the dependency update strategy selected by its dependents.
We study over 112,000 npm packages and use 19 characteristics to build a prediction model that identifies the common dependency update strategy for each package.
- Score: 5.119787101452765
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Managing project dependencies is a key maintenance issue in software
development. Developers need to choose an update strategy that allows them to
receive important updates and fixes while protecting them from breaking
changes. Semantic Versioning was proposed to address this dilemma but many have
opted for more restrictive or permissive alternatives. This empirical study
explores the association between package characteristics and the dependency
update strategy selected by its dependents to understand how developers select
and change their update strategies. We study over 112,000 npm packages and use
19 characteristics to build a prediction model that identifies the common
dependency update strategy for each package. Our model achieves a minimum
improvement of 72% over the baselines and is much better aligned with community
decisions than the npm default strategy. We investigate how different package
characteristics can influence the predicted update strategy and find that
dependent count, age and release status are the highest influencing features.
We complement the work with qualitative analyses of 160 packages to investigate
the evolution of update strategies. While the common update strategy remains
consistent for many packages, certain events such as the release of the 1.0.0
version or breaking changes influence the selected update strategy over time.
Related papers
- Rethinking Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain [2.4969046521751768] (arXiv, 2025-03-04T17:26:34Z)
  This paper advocates for a shift in software development practices toward minimizing reliance on third-party packages.
  We find that these end-of-chain packages offer unique insights, as they play a key role in the ecosystem.
- Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985] (arXiv, 2025-02-10T16:50:48Z)
  Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks.
  Security practitioners advocate pinning dependencies to specific versions rather than floating in version ranges.
  We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
- Semantic Dependency in Microservice Architecture: A Framework for Definition and Detection [0.0] (arXiv, 2025-01-20T23:34:24Z)
  This paper introduces the Semantic Dependency Matrix as an instrument to address these challenges.
  It shows that these hidden dependencies can exist independently of endpoint data dependencies, revealing critical connections that might otherwise be overlooked.
- Towards Compatible Fine-tuning for Vision-Language Model Updates [114.25776195225494] (arXiv, 2024-12-30T12:06:27Z)
  Class-conditioned Context Optimization (ContCoOp) integrates learnable prompts with class embeddings using an attention layer before inputting them into the text encoder.
  Our experiments over 15 datasets show that ContCoOp achieves the highest compatibility over the baseline methods and exhibits robust out-of-distribution generalization.
- How to Understand Whole Software Repository? [64.19431011897515] (arXiv, 2024-06-03T15:20:06Z)
  An excellent understanding of the whole repository will be the critical path to Automatic Software Engineering (ASE).
  We develop a novel method named RepoUnderstander by guiding agents to comprehensively understand whole repositories.
  To better utilize the repository-level knowledge, we guide the agents to summarize, analyze, and plan.
- Paths to Equilibrium in Games [6.812247730094933] (arXiv, 2024-03-26T19:58:39Z)
  We study sequences of strategies satisfying a pairwise constraint inspired by policy updating in reinforcement learning.
  Our analysis reveals a counterintuitive insight: reward-deteriorating strategic updates are key to driving play to equilibrium along a satisficing path.
- Characterizing Dependency Update Practice of NPM, PyPI and Cargo Packages [7.739923421146855] (arXiv, 2024-03-26T05:01:53Z)
  Keeping dependencies up-to-date prevents software supply chain attacks through outdated and vulnerable dependencies.
  We propose two update metrics to measure the updatedness of dependencies and the updatedness of vulnerable dependencies.
  We conduct a large-scale empirical study of update metrics with 2.9M packages, 66.8M package versions, and 26.8M unique package-dependency relations.
- Automating Dataset Updates Towards Reliable and Timely Evaluation of Large Language Models [81.27391252152199] (arXiv, 2024-02-19T07:15:59Z)
  Large language models (LLMs) have achieved impressive performance across various natural language benchmarks.
  We propose to automate dataset updating and provide systematic analysis regarding its effectiveness.
  There are two updating strategies: 1) a mimicking strategy that generates similar samples based on the original data, and 2) an extending strategy that further expands existing samples.
- Malicious Package Detection using Metadata Information [0.272760415353533] (arXiv, 2024-02-12T06:54:57Z)
  We introduce a metadata-based malicious package detection model, MeMPtec.
  MeMPtec extracts a set of features from package metadata information.
  Our experiments indicate a significant reduction in both false positives and false negatives.
- Off-Policy Evaluation for Large Action Spaces via Policy Convolution [60.6953713877886] (arXiv, 2023-10-24T01:00:01Z)
  The Policy Convolution family of estimators uses latent structure within actions to strategically convolve the logging and target policies.
  Experiments on synthetic and benchmark datasets demonstrate remarkable mean squared error (MSE) improvements when using PC.
- Dependency Practices for Vulnerability Mitigation [4.710141711181836] (arXiv, 2023-10-11T19:48:46Z)
  We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable.
  We identify over 200,000 npm packages that are infected through their dependencies.
  We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
- A Parametric Class of Approximate Gradient Updates for Policy Optimization [47.69337420768319] (arXiv, 2022-06-17T01:28:38Z)
  We develop a unified perspective that re-expresses the underlying updates in terms of a limited choice of gradient form and scaling function.
  We obtain novel yet well-motivated updates that generalize existing algorithms in a way that can deliver benefits both in terms of convergence speed and final result quality.
- Who Leads and Who Follows in Strategic Classification? [82.44386576129295] (arXiv, 2021-06-23T16:48:46Z)
  We argue that the order of play in strategic classification is fundamentally determined by the relative frequencies at which the decision-maker and the agents adapt to each other's actions.
  We show that a decision-maker with the freedom to choose their update frequency can induce learning dynamics that converge to Stackelberg equilibria with either order of play.
- Contextualizing Meta-Learning via Learning to Decompose [125.76658595408607] (arXiv, 2021-06-15T13:10:56Z)
  We propose Learning to Decompose Network (LeadNet) to contextualize the meta-learned "support-to-target" strategy.
  LeadNet learns to automatically select the strategy associated with the right via incorporating the change of comparison across contexts with polysemous embeddings.
This list is automatically generated from the titles and abstracts of the papers in this site.