Can automated pull requests encourage software developers to upgrade out-of-date dependencies?

Developers neglect to update legacy software dependencies, resulting in buggy and insecure software. One explanation for this neglect is the difficulty of constantly checking for the availability of new software updates, verifying their safety, and addressing any migration effort needed when upgrading a dependency. Emerging tools attempt to address this problem by introducing automated pull requests and project badges that inform the developer of stale dependencies. To understand whether these tools actually help developers, we analyzed 7,470 GitHub projects that used these notification mechanisms to identify any change in upgrade behavior. We find that, on average, projects that use pull request notifications upgraded 1.6× as often as projects that did not use any tools. Badge notifications were slightly less effective: projects using them upgraded 1.4× as often. Unfortunately, although pull request notifications are useful, developers are often overwhelmed by them: only a third of the automated pull requests were actually merged. In a survey, 62 developers indicated that their most significant concerns are breaking changes, understanding the implications of changes, and migration effort. The implications of our work suggest ways in which notifications can be improved to better align with developers' expectations, and the need for new mechanisms to reduce notification fatigue and improve confidence in automated pull requests.
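The abstract refers to the work a notification tool does on a developer's behalf: spotting that a declared dependency is behind the newest release and signalling whether the upgrade is likely to be a breaking change. The following added example (not code from the paper or from any of the tools it studies) shows that check for npm-style version ranges. The manifest and the "latest known versions" are constructed inline so it runs offline; a real tool would fetch the latter from a registry. The classification labels and the treatment of 0.x releases as breaking-risk are this example's own assumptions, modelled on semver caret (`^`) and tilde (`~`) semantics.

```python
"""Classify declared npm-style dependencies by how far behind the latest
release they are and whether semver flags the upgrade as potentially breaking.

Added illustration, not the paper's tooling. Only the forms 'X.Y.Z', '^X.Y.Z'
and '~X.Y.Z' are handled; anything else raises ValueError.
"""
import re
from typing import NamedTuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def range_floor(spec: str) -> tuple[str, Version]:
    """Split '^1.2.3' / '~1.2.3' / '1.2.3' into (operator, floor version)."""
    spec = spec.strip()
    if spec and spec[0] in "^~":
        return spec[0], parse_version(spec[1:])
    return "", parse_version(spec)


def allows(spec: str, candidate: Version) -> bool:
    """Does the declared range already permit `candidate` without editing the
    manifest?  Caret semantics: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> only
    0.0.3.  Tilde locks the minor; a bare version is exact."""
    op, floor = range_floor(spec)
    if candidate < floor:
        return False
    if op == "^":
        if floor.major == 0 and floor.minor == 0:
            return candidate == floor
        if floor.major == 0:
            return candidate.major == 0 and candidate.minor == floor.minor
        return candidate.major == floor.major
    if op == "~":
        return candidate.major == floor.major and candidate.minor == floor.minor
    return candidate == floor


def breaking_risk(floor: Version, newest: Version) -> bool:
    """Semver contract: a major bump may break callers; below 1.0.0 the minor
    (and, at 0.0.x, every) bump carries the same risk (assumption of this example)."""
    if newest.major != floor.major:
        return True
    if floor.major == 0:
        return floor.minor == 0 or newest.minor != floor.minor
    return False


def classify(spec: str, latest: str) -> str:
    """One of: 'current', 'in-range', 'non-breaking', 'breaking'."""
    _, floor = range_floor(spec)
    newest = parse_version(latest)
    if newest <= floor:
        return "current"          # nothing newer than what is declared
    if allows(spec, newest):
        return "in-range"         # a fresh install already resolves to it
    if breaking_risk(floor, newest):
        return "breaking"         # needs review and possibly migration work
    return "non-breaking"         # same major: a low-risk manifest bump


def report(manifest: dict[str, str], latest: dict[str, str]) -> dict[str, str]:
    """Classify every dependency in `manifest` against `latest`."""
    return {name: classify(spec, latest[name]) for name, spec in manifest.items()}


# Constructed sample data (package names are illustrative; versions are made up).
SAMPLE_MANIFEST = {
    "debug": "^2.6.9",
    "lodash": "^4.17.4",
    "express": "~4.15.0",
    "left-pad": "1.1.1",
    "chalk": "^1.1.3",
    "mocha": "^0.3.1",
}
SAMPLE_LATEST = {
    "debug": "2.6.9",
    "lodash": "4.17.21",
    "express": "4.16.2",
    "left-pad": "1.1.3",
    "chalk": "2.4.2",
    "mocha": "0.4.0",
}

if __name__ == "__main__":
    for name, status in report(SAMPLE_MANIFEST, SAMPLE_LATEST).items():
        print(f"{name:10} {SAMPLE_MANIFEST[name]:>9} -> {SAMPLE_LATEST[name]:>8}  {status}")
```

The split between "non-breaking" and "breaking" is the distinction the surveyed developers care about: the former is a candidate for an automatically merged pull request once CI passes, while the latter is exactly the case where a notification alone does not answer the questions about migration effort and implications that the survey reports.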
