An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali, Eleni Constantinou, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona
The 17th International Conference on Software Reuse
May 21-23, 2018 - Madrid
Outline
/background
/aims
/method
/results
/limitations
/conclusion
/background
Ecosystem size according to Libraries.io, by March 2018 (the ecosystems are shown as logos in the original; only the RubyGems label survived extraction, so the rows are unlabelled here):

Packages   Releases   Dependencies (runtime)
+700K      +4.5M      +20M
+145K      +825K      +2M
+130K      +840K      +2.3M
/background
GitHub Octoverse, by January 2018 (row labels are logos in the original and are not recoverable) - https://octoverse.github.com/

Open PRs   Active Bugs
+2.3M      -
+2M        -
-          +120K
/background
Technical lag*: the increasing difference between deployed software packages and the available upstream packages.
Measurement: version updates, bugs, vulnerabilities, lines of code, commits, etc.
Gold standard: stability, security, functionality, etc.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, Cham, 2017.
/background
Example: different kinds of “gold standards” for Debian

Gold standard   Scenario                                Candidate
Stability       Isolated system, stable functionality   Debian Stable
Functionality   Cloud application                       Latest upstream
Security        Reused containers                       Stable upstream
/background
/aims
Decan A, Mens T, Grosjean P. An empirical comparison of dependency network evolution in seven software packaging ecosystems. EMSE2017.
/aims
Not update vs. Update
“How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript” - https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
/aims
Goal: Analyze technical lag in a wide ecosystem of reused packages.
/aims
/ research questions
RQ0: How do packages manage their dependencies?
RQ1: How often do packages release new versions?
RQ2: What is the technical lag induced by outdated dependencies?
RQ3: How often do dependencies inducing technical lag release new versions?
RQ4: What is the appropriate moment to update dependencies?
/method
/dataset
/method
/dataset
Open Data:
- Libraries.io gathers data from 36 package managers and 3 source code repositories.
- They track over 2.7m unique open source packages, 33m repositories and 235m interdependencies between them.
/method
/dataset
- 610K packages
- 4.2M releases
- 44.9M dependencies
by Nov 2017, from Libraries.io
/method
/semantic versioning
Examples: 0.0.1, 1.0.0, 1.2.3, 1.2.3-beta
/method
/semantic versioning
Other: *, ==1.2.3, >1.2.3, <1.2.3, 1.2.x, 1.x.x
/method
/technical lag
- Measurement = version updates, time
  - version lag: difference in version updates
  - time lag: difference in time
- Gold standard = being up to date.
/method
/technical lag
Figure: releases of dependency D on a timeline (x-axis: npm package version): 1.0.1 → 1.1.0 → 1.2.1 → 2.0.0 → 2.1.0. The technical lag is the distance between the version used by the npm package and the latest release of D.
/method
/technical lag
- time lag = date(latest) - date(used)
- version lag = (∆Major, ∆Minor, ∆Patch)
/method
/technical lag
Figure: releases of dependency D on a timeline (x-axis: npm package version): 1.0.1 → 1.1.0 → 1.2.0 → 2.0.0 → 2.0.1; the npm package uses version 1.1.0.
Technical lag of the used version: 1 minor, 1 major and 1 patch release missed.
- time lag = date(2.1.0) - date(1.1.0)
- version lag = (1,1,1)
/method
/technical lag
Figure: two timelines. Dependency D releases 1.0.1 → 1.2.0 → 2.0.0 → 2.0.1 → 2.1.0; npm package P releases 3.6.0 → 4.0.0 → 4.1.0 → 5.0.0, each declaring a dependency constraint on D (the constraints shown are ^1.0.0, ^1.0.0, ^2.0.0 and *).
- ^1.0.0 = [ 1.0.0, 2.0.0 [ (allowed range)
- Technical lag = 0
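As an added example (not code from the slides or from the authors' tooling), the measurement described above in Python: a small matcher for the constraint forms listed on the semantic versioning slide, resolution of a constraint to the highest release it allows on a given date, and the time lag and version lag of that resolved version against the newest release of the same day. The release dates are invented, and the rule that version lag counts the major, minor and patch releases missed along the release sequence is an assumption chosen to reproduce the slide's (1,1,1) result.

```python
from datetime import date

# Constructed release history for a hypothetical dependency D, following the
# slide's timeline 1.0.1 -> 1.1.0 -> 1.2.0 -> 2.0.0 -> 2.0.1 (dates are invented).
RELEASES_D = [("1.0.1", date(2017, 1, 10)), ("1.1.0", date(2017, 2, 1)),
              ("1.2.0", date(2017, 3, 15)), ("2.0.0", date(2017, 5, 2)),
              ("2.0.1", date(2017, 5, 20))]

def parse(v):
    """'1.2.3-beta' -> (1, 2, 3); pre-release tags are ignored here."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def release_type(prev, cur):
    """Classify release cur relative to prev as 'major', 'minor' or 'patch'."""
    if cur[0] != prev[0]:
        return "major"
    return "minor" if cur[1] != prev[1] else "patch"

def satisfies(version, constraint):
    """Subset of npm semver covering the constraint forms listed on the slides:
    '*', '^x.y.z' (x > 0 only), '==x.y.z', '>x.y.z', '<x.y.z', '1.2.x', '1.x.x'."""
    v = parse(version)
    if constraint == "*":
        return True
    if constraint.startswith("^"):          # ^1.0.0 = [1.0.0, 2.0.0[
        lo = parse(constraint[1:])
        return lo <= v < (lo[0] + 1, 0, 0)
    if constraint.startswith(">"):
        return v > parse(constraint[1:])
    if constraint.startswith("<"):
        return v < parse(constraint[1:])
    if "x" in constraint:                   # 1.2.x / 1.x.x: leading parts fixed
        fixed = tuple(int(p) for p in constraint.split(".") if p != "x")
        return v[:len(fixed)] == fixed
    return v == parse(constraint.lstrip("="))

def highest_allowed(releases, constraint, at):
    """What an install on date `at` would pick: the highest release in range."""
    ok = [v for v, d in releases if d <= at and satisfies(v, constraint)]
    return max(ok, key=parse) if ok else None

def version_lag(releases, used, newest):
    """(dMajor, dMinor, dPatch): releases of each type missed between `used`
    and `newest`, walking the release sequence (slide: 1.1.0 -> (1,1,1))."""
    missed, prev = {"major": 0, "minor": 0, "patch": 0}, parse(used)
    for v in sorted((v for v, _ in releases), key=parse):
        cur = parse(v)
        if prev < cur <= parse(newest):
            missed[release_type(prev, cur)] += 1
            prev = cur
    return (missed["major"], missed["minor"], missed["patch"])

def technical_lag(releases, constraint, at):
    """Lag of the version a constraint resolves to on date `at` versus the newest
    release available that day. Returns (used, newest, version lag, time lag in days),
    or None when nothing satisfies the constraint."""
    used = highest_allowed(releases, constraint, at)
    if used is None:
        return None
    newest = max((v for v, d in releases if d <= at), key=parse)
    dates = dict(releases)
    return used, newest, version_lag(releases, used, newest), (dates[newest] - dates[used]).days
```

With the constructed history, `^1.0.0` has zero lag while D is still on 1.x, acquires one major and one patch of lag once 2.0.1 exists, and `*` never lags.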
/results
/RQ0: How do packages manage their dependencies?
Chart (slice labels lost in extraction): 68.2%, 15.7%, 7.8%, 4.3%, 4.1%
- Developers are concerned with backward compatibility.
- There is a potential for too-strict dependency constraints leading to technical lag.
/results
/RQ0: How do packages manage their dependencies?
- New dependencies are mainly added in major and minor releases.
- Dependencies are removed almost exclusively in major releases.
- Most packages do not appear to change their dependencies over time.
/results
/RQ0: How do packages manage their dependencies?
Number of updated dependencies between package releases,
classified by release type of the update.
/results
/RQ1: How often do packages release new versions?
- Patch: 80%, Minor: 16%, Major: 4%
- Dependent packages in npm mainly benefit from patch releases.
- Technical version lag is mainly occurring at the patch level.
/results
/RQ1: How often do packages release new versions?
Time needed to update a package to a patch, minor or major release
- The average time to release patch, minor and major versions is 13 days, 1 month and 2 months respectively.
/results
/RQ2: What is the technical lag induced by outdated dependencies?
- 27% of 44.1M dependencies are outdated.
- The outdated dependencies are used by 60% of all considered packages.
Chart (slice labels lost in extraction): 57%, 28%, 12%, 3%
/results
/RQ2: What is the technical lag induced by outdated dependencies?
- Outdated dependencies induce a median time lag of three and a half months, and a median version lag of one minor and two patch versions.
/results
/RQ3: How often do dependencies inducing technical lag release new versions?
- Packages that are required as dependencies and are outdated have more frequent releases than other required packages.
/results
/RQ4: What is the appropriate moment to update dependencies?
- Developers should not start using newly available packages immediately because they may still contain bugs that need new patches.
/limitations
- If the libraries.io dataset is incomplete, then there is a risk of underestimating technical lag.
- We did not differentiate between package characteristics, such as age, size, type, etc.
- The results depend on the measurement used to quantify technical lag.
- npm semver had some issues in the past.
/conclusion/
summary
Analyzed technical lag induced by outdated dependencies:
- A large number of packages suffer from technical lag.
- Outdated dependencies are several months behind the latest release.
- Technical lag is caused by the specific use of dependency constraints.
- Maintainers should wait a few days before updating to the new patch dependency release.
/conclusion/
future work
- Consider other measurements of technical lag and other gold standards.
- Validate the results with bug fixes, vulnerabilities and issues.
- Consider other ecosystems.
- Carry out cross-ecosystem comparisons.
An Empirical Analysis of Technical Lag in npm Package Dependencies
Questions