2019
DOI: 10.1002/smr.2157
|View full text |Cite
|
Sign up to set email alerts
|

A formal framework for measuring technical lag in component repositories — and its application to npm

Abstract: Reusable Open Source Software (OSS) components for major programming languages are available in package repositories. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated, or otherwise undesirable, because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release m… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1
1

Citation Types

1
18
0

Year Published

2020
2020
2023
2023

Publication Types

Select...
4
3
1

Relationship

1
7

Authors

Journals

citations
Cited by 36 publications
(19 citation statements)
references
References 31 publications
1
18
0
Order By: Relevance
“…Decan et al [27] measured such technical lag for npm packages and observed that a large number of packages have outdated dependencies, and a large number of dependencies have a technical lag of several months. As a follow-up work, Zerouali et al [28] proposed and validated a formal framework for technical lag measurement.…”
Section: Related Workmentioning
confidence: 99%
“…Decan et al [27] measured such technical lag for npm packages and observed that a large number of packages have outdated dependencies, and a large number of dependencies have a technical lag of several months. As a follow-up work, Zerouali et al [28] proposed and validated a formal framework for technical lag measurement.…”
Section: Related Workmentioning
confidence: 99%
“…. our project has been inactive and production has been halted for indefinite time" Zerouali et al [21] proposed a framework to measure the technical lag (i.e., the time and/or number of versions between the last released library version and the actually used dependency) in open source repositories. In their later study, Zerouali et al [22] claimed that the technical lag of third-party components might lead to the presence of vulnerabilities in Docker images.…”
Section: Maintenance Of Software Librariesmentioning
confidence: 99%
“…Maven libraries are grouped into multi-module projects where each module is released as a separate artifact. According to the Maven naming conventions 21 , within-project dependencies of a multi-module project have the same groupId. Hence, within-project dependencies can be easily identified by comparing their groupIds.…”
Section: Step 3: Identification Of Within-project Dependenciesmentioning
confidence: 99%
See 1 more Smart Citation
“…Note that to reduce the data collection effort, our dependency graph is static, reflecting the dependencies at the time of data collection. By manually inspecting a small sample of projects, we observed that dependency changes typically occur when new libraries get added, while existing libraries rarely get removed [85]; therefore, our static graph can be considered as an over-approximation of the true dependencies.…”
Section: Network Constructionmentioning
confidence: 99%