SlideShare a Scribd company logo

On the evolution of technical lag in the npm package dependency network

Tom Mens, profile picture
Tom Mens

The document discusses the phenomenon of technical lag in the npm package dependency network, highlighting that 25% of dependencies and 40% of releases are affected by it, with an average lag of 7 to 9 months. It emphasizes the importance of semantic versioning and effective dependency management tools in reducing technical lag. The authors conclude that proper monitoring and management of dependencies can help package maintainers mitigate issues associated with outdated packages.

Software
1 of 22
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
ICSME 2018 ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
PACKAGE DEPENDENCY NETWORKS & TECHNICAL LAG
Package dependency networks
Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
Dependency constraints More Permissive More Restrictive major minor patch 3 9 2
Technical Lag [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
T1 p1 p2 1.0.0 1.0.1 1.0.21.1.0 r1 r2 T2 T3 T4 T5 T6 T7 T9T8 2.0.0 T10 Technical lag example 1.0.0 1.0.0Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 – T5 T10 – T9 p2p1
Should I keep my dependencies up-to-date? COST § Effort to integrate backwards incompatible changes § Monitor dependency evolution RISK § Backwards incompatible changes BENEFIT § Bug fixes § Security vulnerability fixes § New features
DATASET
NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
FINDINGS
How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
SUMMARY & CONCLUSION
npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning Ø Decreases the effect of technical lag (~18%) Ø Allows to benefit from vulnerability fixes Summary
Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition
On the evolution of technical lag in the npm package dependency network

More Related Content

PPTX
On the evolution of technical lag in the npm package dependency network
econst
 
PPTX
Comparing dependency issues across software package distributions (FOSDEM 2020)
Tom Mens
 
PDF
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
PPTX
Four things that are almost guaranteed to reduce the reliability of a softwa...
Ann Marie Neufelder
 
PPT
GE Oil &amp; Gas Threatscan
Ghufran Ahmed
 
PPTX
SecPod Saner
Chandrashekhar B
 
PDF
On the fragility of open source software packaging ecosystems
Tom Mens
 
PDF
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 
On the evolution of technical lag in the npm package dependency network
econst
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Tom Mens
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Ann Marie Neufelder
 
GE Oil &amp; Gas Threatscan
Ghufran Ahmed
 
SecPod Saner
Chandrashekhar B
 
On the fragility of open source software packaging ecosystems
Tom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 

Similar to On the evolution of technical lag in the npm package dependency network (20)

PPTX
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
PPTX
On the health of the npm packaging ecosystem
Tom Mens
 
PPTX
Unsustainable Regaining Control of Uncontrollable Apps
CAST
 
PDF
How to save on software maintenance costs
FrancisJansen
 
PDF
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
Ahmed Zerouali
 
PPTX
Digital Switching System UNIT7_module4 RO.pptx
ganesh shety
 
PDF
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
IRJET Journal
 
PDF
PacketsNeverLie
Rick Kingsley
 
PDF
Whitepaper Omnext
meijerandre
 
PPTX
PACE-IT: Applying Patches and Upgrades
Pace IT at Edmonds Community College
 
PDF
Alft
Vincenzo De Florio
 
PPTX
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Tom Mens
 
PDF
Towards an empirical analysis of the maintainability of CRAN packages
Tom Mens
 
PPTX
Tune Up Your Network for the New Year
Savvius, Inc
 
PDF
Wait for it: identifying “On-Hold” self-admitted technical debt
RungrojMaipradit1
 
PDF
Managing Software Risk with CAST
CAST
 
PDF
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
IRJET Journal
 
PPTX
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
PDF
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
ijcsitcejournal
 
PPTX
Is my software ecosystem healthy? It depends!
Tom Mens
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
On the health of the npm packaging ecosystem
Tom Mens
 
Unsustainable Regaining Control of Uncontrollable Apps
CAST
 
How to save on software maintenance costs
FrancisJansen
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
Ahmed Zerouali
 
Digital Switching System UNIT7_module4 RO.pptx
ganesh shety
 
Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Serv...
IRJET Journal
 
PacketsNeverLie
Rick Kingsley
 
Whitepaper Omnext
meijerandre
 
PACE-IT: Applying Patches and Upgrades
Pace IT at Edmonds Community College
 
Alft
Vincenzo De Florio
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Tom Mens
 
Towards an empirical analysis of the maintainability of CRAN packages
Tom Mens
 
Tune Up Your Network for the New Year
Savvius, Inc
 
Wait for it: identifying “On-Hold” self-admitted technical debt
RungrojMaipradit1
 
Managing Software Risk with CAST
CAST
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
IRJET Journal
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
NETCDL : THE NETWORK CERTIFICATION DESCRIPTION LANGUAGE
ijcsitcejournal
 
Is my software ecosystem healthy? It depends!
Tom Mens
 
Ad

More from Tom Mens (20)

PDF
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
PDF
Model Testing of Executable Statecharts using SISMIC
Tom Mens
 
PDF
How to be(come) a successful PhD student
Tom Mens
 
PPTX
Recognising bot activity in collaborative software development
Tom Mens
 
PDF
A Dataset of Bot and Human Activities in GitHub
Tom Mens
 
PDF
The (r)evolution of CI/CD on GitHub
Tom Mens
 
PDF
Nurturing the Software Ecosystems of the Future
Tom Mens
 
PDF
Comment programmer un robot en 30 minutes?
Tom Mens
 
PPTX
On the rise and fall of CI services in GitHub
Tom Mens
 
PPTX
On backporting practices in package dependency networks
Tom Mens
 
PPTX
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
PPTX
Lost in Zero Space
Tom Mens
 
PDF
Evaluating a bot detection model on git commit messages
Tom Mens
 
PPTX
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
PPTX
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
Tom Mens
 
PDF
SecoHealth 2019 Research Achievements
Tom Mens
 
PPTX
SECO-Assist 2019 research seminar
Tom Mens
 
PPTX
ConPan: Analysing Packages Installed in Docker Containers
Tom Mens
 
PPTX
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 
PPTX
How to increase the technical health of your software?
Tom Mens
 
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
Model Testing of Executable Statecharts using SISMIC
Tom Mens
 
How to be(come) a successful PhD student
Tom Mens
 
Recognising bot activity in collaborative software development
Tom Mens
 
A Dataset of Bot and Human Activities in GitHub
Tom Mens
 
The (r)evolution of CI/CD on GitHub
Tom Mens
 
Nurturing the Software Ecosystems of the Future
Tom Mens
 
Comment programmer un robot en 30 minutes?
Tom Mens
 
On the rise and fall of CI services in GitHub
Tom Mens
 
On backporting practices in package dependency networks
Tom Mens
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
Lost in Zero Space
Tom Mens
 
Evaluating a bot detection model on git commit messages
Tom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
Tom Mens
 
SecoHealth 2019 Research Achievements
Tom Mens
 
SECO-Assist 2019 research seminar
Tom Mens
 
ConPan: Analysing Packages Installed in Docker Containers
Tom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 
How to increase the technical health of your software?
Tom Mens
 
Ad

Recently uploaded (20)

PPTX
chapter 5 systemdesign2008.pptx for cimputer science students
KemalHussen2
 
PPTX
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
DOCX
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PDF
Types of Token_ From Utility to Security.pdf
Herond Labs
 
PDF
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
PPTX
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
PPTX
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
PDF
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
PDF
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PDF
Time Tracking Features That Teams and Organizations Actually Need
Orangescrum
 
PDF
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
chapter 5 systemdesign2008.pptx for cimputer science students
KemalHussen2
 
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
Types of Token_ From Utility to Security.pdf
Herond Labs
 
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
Time Tracking Features That Teams and Organizations Actually Need
Orangescrum
 
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 

On the evolution of technical lag in the npm package dependency network

  • 1. ICSME 2018 ON THE EVOLUTION OF TECHNICAL LAG IN THE NPM PACKAGE DEPENDENCY NETWORK ALEXANDRE DECAN ELENI CONSTANTINOU TOM MENS @AlexandreDecan @tom_mens @eleni_const
  • 4. Semantic versioning major minor patch 3 9 2 Breaking changes Bug fixes Backwards compatible changes 4.0.0 3.10.0 3.9.3
  • 6. Technical Lag [1] J. M. Gonzalez-Barahona et al. Technical lag in software compilations: Measuring how outdated a software deployment is. IFIP International Conf. on Open Source Systems, pp. 182—192, 2017. How outdated a software system is with respect to its upstream dependencies [1]
  • 7. Δt(d3,t) Δt(d2,t) Δt(d1,t) r p1 p2 p3 Technical lag at time t For a dependency d: For a release r:
  • 8. T1 p1 p2 1.0.0 1.0.1 1.0.21.1.0 r1 r2 T2 T3 T4 T5 T6 T7 T9T8 2.0.0 T10 Technical lag example 1.0.0 1.0.0Analysis date Constraint Missed Technical Lag ~1.0.0 {1.1.0, 2.0.0} ^1.0.0 {2.0.0} T10 – T5 T10 – T9 p2p1
  • 9. Should I keep my dependencies up-to-date? COST § Effort to integrate backwards incompatible changes § Monitor dependency evolution RISK § Backwards incompatible changes BENEFIT § Bug fixes § Security vulnerability fixes § New features
  • 11. NOVEMBER 2017 Libraries.io [2] [2] http://doi.org/10.5281/zenodo.1068916
  • 13. How prominent is technical lag (TL)? 25% of dependencies/ 40% of releases suffer from TL Dependency management tools reduce TL presence
  • 14. How long is the technical lag? >=2015: average TL is 7 to 9 months Only 25% have a TL <52 days TL information in dependency management tools
  • 15. How frequently are packages updated? It takes an average of 12 to 22 days to update a release Frequent updates can contribute to TL of dependents
  • 16. During the lifetime of a package release, a new release of its dependency becomes available that does not satisfy the dependency constraint Why does technical lag occur? A package release does not use the highest available release of its dependency 1 out of 3 releases missed a new release of a dependency because it is excluded by the constraint.
  • 17. How does technical lag evolve? Most packages do not change their constraints to use newer releases of their dependencies. Better tool support for managing constraints
  • 18. Could technical lag be reduced by proper use of semantic versioning? The proportion of releases suffering from TL could be reduced by 17.7% Package maintainers should adhere to semantic versioning
  • 20. npm package releases/dependencies suffer from technical lag 7 - 9 months of technical lag Proper use of semantic versioning Ø Decreases the effect of technical lag (~18%) Ø Allows to benefit from vulnerability fixes Summary
  • 21. Conclusion Dependency management tools help package maintainers to reduce the presence technical lag. Dependency monitoring tools should incorporate technical lag information. Ecosystem-wide view of technical lag. Support dependent packages/backport important fixes. Transitive dependencies Direct dependencies Technical lag definition