TY - JOUR
T1 - A formal framework for measuring technical lag in component repositories
T2 - and its application to npm
AU - Zerouali, Ahmed
AU - Mens, Tom
AU - González-Barahona, J.M.
AU - Decan, Alexandre
AU - Constantinou, Eleni
AU - Robles, G.
PY - 2019/8
Y1 - 2019/8
N2 - Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to what extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries.
AB - Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to what extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries.
KW - empirical analysis
KW - semantic versioning
KW - software repository mining
KW - software reuse
KW - technical lag
UR - https://zenodo.org/record/1974048#.Xfd_Xtb0lTY
UR - http://www.scopus.com/inward/record.url?scp=85070988945&partnerID=8YFLogxK
U2 - 10.1002/smr.2157
DO - 10.1002/smr.2157
M3 - Article
SN - 2047-7481
VL - 31
JO - Journal of Software: Evolution and Process
JF - Journal of Software: Evolution and Process
IS - 8
M1 - e2157
ER -