Session
Schedule FOSDEM 2020
Dependency Management

Comparing dependency management issues across packaging ecosystems

UD2.119
Tom Mens
In the last couple of years, the Software Engineering Lab of the University of Mons has extensively studied different aspects of dependency management within and across different package management ecosystems, including Cargo, npm, Packagist, Rubygems, CPAN, CRAN and NuGet. These ecosystems contain a large number of package releases with many interdependencies. They face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward incompatible package updates, and the increasing proportion of fragile packages due to an excessive number of transitive dependencies.
This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes: * the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities. * the impact of using either more permissive or more restrictive version contraints on dependencies. * the virtues and limitations of being compliant to semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes. * the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above. The contents of the talk will be adapted to the target audience of open source software practitioners, but will be primarily based on the following peer-reviewed scientific articles: * What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. https://doi.org/10.1109/TSE.2019.2918315 * An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. https://doi.org/10.1007/s10664-017-9589-y * A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. https://doi.org/10.1002/smr.2157 * On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. https://doi.org/10.1145/3196398.3196401 * On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018. https://doi.org/10.1109/ICSME.2018.00050

Additional information

Type devroom

More sessions

2/1/20
Dependency Management
Georgios Gousios
UD2.119
As recent events, such as the leftpad incident and the Equifax data breach, have demonstrated, dependencies on networks of external libraries can introduce projects to significant operational and compliance risks as well as difficult to assess security implications. FASTEN introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. In our talk, we will present how FASTEN works on top of the Rust/Cargo and Java/Maven ecosystems.
2/1/20
Dependency Management
UD2.119
The community seems to be rife with conversations about our sustainability problems. Do we actually have one? We’ll lead a discussion and debate around how we as a community can think about these issues, while drawing out the nuanced aspects of each as well as their potential solutions.
2/1/20
Dependency Management
Jeff McAffer
UD2.119
The ultimate software supply chain self-help guide
2/1/20
Dependency Management
Douglas Creager
UD2.119
GitHub has recently added Code Navigation features (jump to definition and find all references) that let you navigate code directly on github.com. For the languages that we support, we extract and store symbol information for every named branch and tag, of every repository, public or private, with no configuration necessary. The compute and storage requirements to do this for all of the code on GitHub are quite large. In this talk, we'll discuss some of the trade-offs we've made to make this ...
2/1/20
Dependency Management
Todd Gamblin
UD2.119
Dependency resolution is deceptively complex; simply selecting a set of compatible versions for an arbitrary network of dependencies is NP-hard. Much effort has been spent on this problem for modern single-language ecosystems, but many of these ecosystems rely on natively compiled libraries, and dependency mangers often fail at managing the additional complexities that native libraries entail. Further, dependency resolution has traditionally been modeled as a SAT problem, where the package ...
2/1/20
Dependency Management
William Bartholomew
UD2.119
Package managers have become the default way for managing dependencies for most projects but they’re not without their challenges and risks. In this panel we bring together experts representing several popular package managers for a lively discussion on package management best practices, the state of package management communities, and a look forward at what we can expect to see in the future.