When GitHub Meets CRAN: An Analysis of Inter-Repository Package Dependency Problems

Decan, Alexandre; Mens, Tom; Claes, Maelick; Grosjean, Philippe

doi:10.1109/saner.2016.12

Cited by 57 publications

(39 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The latter can go to the extreme of keeping a local copy of the API to avoid migrating to a newer version in the case of R/CRAN. Another behavior is observed by Decan et al (2016) in the case of R/CRAN: the rigid policy of forcing all packages to work together can become burdensome. Indeed, since packages have to react to API changes, the coordination and reaction costs can be excessive.…”

Section: Studies Of Api Evolutionmentioning

confidence: 98%

On the reaction to deprecation of clients of 4 + 1 popular Java APIs and the JDK

2017

View full text Add to dashboard Cite

Application Programming Interfaces (APIs) are a tremendous resource-that is, when they are stable. Several studies have shown that this is unfortunately not the case. Of those, a large-scale study of API changes in the Pharo Smalltalk ecosystem documented several findings about API deprecations and their impact on API clients. We extend this study, by analyzing clients of both popular third-party Java APIs and the JDK API. This results in a dataset consisting of more than 25,000 clients of five popular Java APIs on GitHub, and 60 clients of the JDK API from Maven Central. This work addresses several shortcomings of the previous study, namely: a study of several distinct API clients in a popular, statically-typed language, with more accurate version information. We compare and contrast our findings with the previous study and highlight new ones, particularly on the API client update practices and the startling similarities between reaction behavior in Smalltalk and Java. We make a comparison between reaction behavior for third-party APIs and JDK APIs, given that language APIs are a peculiar case in terms of wide-spread usage, documentation, and support from IDEs. Furthermore, we investigate the connection between reaction patterns of a client and the deprecation policy adopted by the API used.

show abstract

Section: Studies Of Api Evolutionmentioning

confidence: 98%

On the reaction to deprecation of clients of 4 + 1 popular Java APIs and the JDK

2017

View full text Add to dashboard Cite

show abstract

“…The results were inconclusive, in the sence that depending on trivial packages can be useful and unrisky, provided that they are well implemented and tested. The CRAN packaging ecosystem has been previously studied [20,25,34], and dependencies have been shown to be an important cause of errors in R packages both on CRAN and GitHub [21]. Blincoe et al [7] looked at Ruby as part of a larger GitHub study on the emergence of software ecosystems, and observed that most ecosystems are centered around one project and are interconnected with other ecosystems.…”

Section: Related Workmentioning

confidence: 99%

“…Now I try to minimize dependencies on packages that are not maintained by 'established' maintainers or by me [...] " [44]. In earlier work, we observed that more than 40% of the failures observed in CRAN packages were caused by incompatible changes in required packages [21].…”

Section: Rq 2 : How Frequently Are Packages Updated?mentioning

confidence: 99%

“…Indeed, it would require package maintainers to quickly react to backward incompatible changes in package dependencies, which represents a frequent and potentially heavy additional workload. This concern is shared by CRAN package maintainers who consequently try to minimize or avoid dependencies on other packages, or even consider alternatives to CRAN for the distribution of their packages because of this [8,21,44].…”

Section: Why Policies Mattermentioning

confidence: 99%

See 1 more Smart Citation

An empirical comparison of dependency network evolution in seven software packaging ecosystems

2018

Self Cite

View full text Add to dashboard Cite

Nearly every popular programming language comes with one or more package managers. The software packages distributed by such package managers form large software ecosystems. These packaging ecosystems contain a large number of package releases that are updated regularly and that have many dependencies to other package releases. While packaging ecosystems are extremely useful for their respective communities of developers, they face challenges related to their scale, complexity, and rate of evolution. Typical problems are backward incompatible package updates, and the risk of (transitively) depending on packages that have become obsolete or inactive.This manuscript uses the libraries.io dataset to carry out a quantitative empirical analysis of the similarities and differences between the evolution of package dependency networks for seven packaging ecosystems of varying sizes and ages: Cargo for Rust, CPAN for Perl, CRAN for R, npm for JavaScript, NuGet for the .NET platform, Packagist for PHP, and RubyGems for Ruby.We propose novel metrics to capture the growth, changeability, resuability and fragility of these dependency networks, and use these metrics to analyse and compare their evolution. We observe that the dependency networks tend to grow over time, both in size and in number of package updates, while a minority of packages are responsible for most of the package updates. The majority of packages depend on other packages, but only a small proportion of packages accounts for most of the reverse dependencies. We observe a high proportion of "fragile" packages due to a high and increasing number of transitive dependencies. These findings are instrumental for assessing the quality of a package dependency network, and improving it through dependency management tools and imposed policies.

show abstract

“…They also find that growth of the ecosystem comes from user-submitted packages, and it takes a longer time to build a community around usersubmitted packages than around core contributed packages. Another analysis of the R ecosystem [12] studies dependency resolution in R packages finds that lack of dependency constraints in package descriptions and backward incompatible changes often break dependencies. As community contributed packages are hosted on GitHub, there is no way to resolve dependencies among GitHub packages, and therefore a small amount of GitHub packages cannot be automatically installed.…”

Section: B Related Workmentioning

confidence: 99%

Structure and Evolution of Package Dependency Networks

Kikas

Gousios

Dumas

et al. 2017

2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)

139

129

View full text Add to dashboard Cite

Abstract-Software developers often include available opensource software packages into their projects to minimize redundant effort. However, adding a package to a project can also introduce risks, which can propagate through multiple levels of dependencies. Currently, not much is known about the structure of open-source package ecosystems of popular programming languages and the extent to which transitive bug propagation is possible. This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems. The results indicate that the number of transitive dependencies for JavaScript has grown 60% over the last year, suggesting that developers should look more carefully into their dependencies to understand what exactly is included. The study also reveals that vulnerability to a removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability. The findings of this study can inform the development of dependency management tools.

show abstract

When GitHub Meets CRAN: An Analysis of Inter-Repository Package Dependency Problems

Cited by 57 publications

References 19 publications

On the reaction to deprecation of clients of 4 + 1 popular Java APIs and the JDK

On the reaction to deprecation of clients of 4 + 1 popular Java APIs and the JDK

An empirical comparison of dependency network evolution in seven software packaging ecosystems

Structure and Evolution of Package Dependency Networks

Contact Info

Product

Resources

About