A formal framework for measuring technical lag in component repositories: and its application to npm

Ahmed Zerouali (Corresponding author), Tom Mens (Corresponding author), J.M. González-Barahona, Alexandre Decan, Eleni Constantinou, G. Robles

Research output: Contribution to journalArticleAcademicpeer-review

7 Citations (Scopus)

Abstract

Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. To capture this delicate balance, we formalise a generic model of technical lag, a concept that quantifies to which extent a deployed collection of components is outdated, with respect to the ideal deployment. We operationalise this model for the npm package manager. We empirically analyze the history of package update practices and technical lag for more than 500K packages with about 4M package releases over a seven-year period. We consider both development and runtime dependencies, and study both direct and transitive dependencies. We also analyze the technical lag of external GitHub applications depending on npm packages. We report our findings, suggesting the need for more awareness of, and integrated tool support for, controlling technical lag in software libraries.
Original languageEnglish
Article numbere2157
Number of pages20
JournalJournal of Software : Evolution and Process
Volume31
Issue number8
DOIs
Publication statusPublished - Aug 2019
Externally publishedYes

Keywords

  • empirical analysis
  • semantic versioning
  • software repository mining
  • software reuse
  • technical lag

Fingerprint Dive into the research topics of 'A formal framework for measuring technical lag in component repositories: and its application to npm'. Together they form a unique fingerprint.

Cite this