An Empirical Analysis of Technical Lag in npm Package Dependencies

Software library packages are constantly evolving and increasing in number. Not updating to the latest available release of dependent libraries may negatively affect software development by not benefiting from new functionality, vulnerability and bug fixes available in more recent versions. On the other hand, automatically updating to the latest release may introduce incompatibility issues. We introduce a technical lag metric for dependencies in package networks, in order to assess how outdated a software package is compared to the latest available releases of its dependencies. We empirically analyse the package update practices and technical lag for the npm distribution of JavaScript packages. Our results show a strong presence of technical lag caused by the specific use of dependency constraints, indicating a reluctance to update dependencies to avoid backward incompatible changes.

[1]  Andrew Nesbitt,et al.  Libraries.io Open Source Repository and Dependency Metadata , 2017 .

[2]  Tom Mens,et al.  An empirical comparison of dependency network evolution in seven software packaging ecosystems , 2017, Empirical Software Engineering.

[3]  Katsuro Inoue,et al.  Trusting a library: A study of the latency to adopt the latest Maven release , 2015, 2015 IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[4]  Paris Avgeriou,et al.  The Evolution of Technical Debt in the Apache Ecosystem , 2017, ECSA.

[5]  Katsuro Inoue,et al.  Do developers update their library dependencies? , 2017, Empirical Software Engineering.

[6]  Rabe Abdalkareem,et al.  Why do developers use trivial packages? an empirical case study on npm , 2017, ESEC/SIGSOFT FSE.

[7]  Martin Burger,et al.  Mining trends of library usage , 2009, IWPSE-Evol '09.

[8]  Jesús M. González-Barahona,et al.  Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is , 2017, OSS.

[9]  Ward Cunningham,et al.  The WyCash portfolio management system , 1992, OOPSLA '92.

[10]  Tom Mens,et al.  An empirical comparison of dependency issues in OSS packaging ecosystems , 2017, 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[11]  Arie van Deursen,et al.  Semantic Versioning versus Breaking Changes: A Study of the Maven Repository , 2014, 2014 IEEE 14th International Working Conference on Source Code Analysis and Manipulation.

[12]  James D. Herbsleb,et al.  How to break an API: cost negotiation and community values in three software ecosystems , 2016, SIGSOFT FSE.

[13]  Eleni Constantinou,et al.  An empirical comparison of developer retention in the RubyGems and npm software ecosystems , 2017, Innovations in Systems and Software Engineering.

[14]  Jens Dietrich,et al.  Broken promises: An empirical study into evolution problems in Java programs caused by library upgrades , 2014, 2014 Software Evolution Week - IEEE Conference on Software Maintenance, Reengineering, and Reverse Engineering (CSMR-WCRE).