An Empirical Study of Dependency Downgrades in the npm EcosystemJournal-First
Thu 27 May 2021 04:25 - 04:45 at Blended Sessions Room 2 - 2.4.2. API: Evolution and Maintenance #1
In a software ecosystem, a dependency relationship enables a client package to reuse a certain version of a provider package. Packages in a software ecosystem often release versions containing bug fixes, new functionalities, and security enhancements. Hence, updating the provider version is an important maintenance task for client packages. Despite the number of investigations about dependency updates, there is a lack of studies about dependency downgrades in software ecosystems. A downgrade indicates that the adopted version of a provider package is not suitable for the client package at a certain moment. In this paper, we investigate downgrades in the npm ecosystem–currently the largest repository of package distribution. We address three research questions. In our first RQ, we provide a list of the reasons behind the occurrence of downgrades. Our manual analysis of the artifacts (e.g., release notes and commit messages) of a package code repository identified two categories of downgrades according to their rationale: reactive and preventive. The reasons behind reactive downgrades are defects in a specific version of a provider, unexpected feature changes in a provider, and incompatibilities. In turn, preventive downgrades are an attempt to avoid issues in future releases. In our second RQ, we investigate how the versioning of dependencies is modified when a downgrade occurs. We observed that 49% of the downgrades are performed by replacing a range of acceptable versions of a provider with a specific old version. This observation suggests that client packages have the tendency to become more conservative regarding the update of their providers after a downgrade. Also, 48% of the downgrades reduce the provider version by a minor level (e.g., from 2.1.0 to 2.0.0). This observation indicates that client packages in npm should be cautious when updating minor releases of the provider (e.g., by prioritizing tests). Finally, in our third RQ we observed that 50% of the downgrades are performed at a rate that is 2.6 times as slow as the median time-between-releases of their associated client packages. We also observed that downgrades that follow an explicit update of a provider package occur faster than downgrades that follow an implicit update. Explicit updates occur when the provider is updated by means of an explicit change to the versioning specification (i.e., the string used by client packages to define the provider version that they are willing to adopt). We conjecture that, due to the controlled nature of explicit updates, it is easier for client packages to identify the provider that is associated with the problem that motivated the downgrade.
Wed 26 MayDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
Thu 27 MayDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
04:05 - 05:05 | 2.4.2. API: Evolution and Maintenance #1Technical Track / Journal-First Papers at Blended Sessions Room 2 | ||
04:05 20mPaper | Semantic Patches for Adaptation of JavaScript Programs to Evolving LibrariesTechnical Track Technical Track Benjamin Barslev Nielsen Aarhus University, Martin Toldam Torp Aarhus University, Anders Møller Aarhus University Pre-print Media Attached | ||
04:25 20mPaper | An Empirical Study of Dependency Downgrades in the npm EcosystemJournal-First Journal-First Papers Filipe Cogo Centre for Software Excellence, Huawei, Canada, Gustavo A. Oliva Queen's University, Ahmed E. Hassan School of Computing, Queen's University Link to publication DOI Pre-print Media Attached | ||
04:45 20mPaper | A3: Assisting Android API Migrations Using Code ExamplesJournal-First Journal-First Papers Maxime Lamothe Concordia University, Weiyi Shang Concordia University, Tse-Hsun (Peter) Chen Concordia University DOI Pre-print Media Attached |