Empirical Software Engineering

, Volume 23, Issue 1, pp 384–417 | Cite as

Do developers update their library dependencies?

An empirical study on the impact of security advisories on library migration
  • Raula Gaikovina Kula
  • Daniel M. German
  • Ali Ouni
  • Takashi Ishio
  • Katsuro Inoue


Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent of which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.


Software reuse Software maintenance Security vulnerabilities 



This work is supported by JSPS KANENHI (Grant Numbers JP25220003 and JP26280021) and the “Osaka University Program for Promoting International Joint Research.” Ali Ouni is supported by the ‘Research Start-up (2) 2016 Grant G00002211’ funded by UAE University.


  1. Balaban I, Tip F, Fuhrer R (2005) Refactoring support for class library migration Proceedings of the 20th Annual ACM SIGPLAN conference on object-oriented programming, systems, languages, and applications, OOPSLA ’05. ISBN 1-59593-031-0. ACM, New York, pp 265–279CrossRefGoogle Scholar
  2. Bavota G, Canfora G, Di Penta M, Oliveto R, Panichella S (2015) How the apache community upgrades dependencies: an evolutionary study. Empirical Softw Eng 20(5):1275–1317. ISSN 1382–3256CrossRefGoogle Scholar
  3. Bogart C, Kästner C, Herbsleb J (2015) When it breaks, it breaks: how ecosystem developers reason about the stability of dependencies. In: Proceedings of the ASE workshop on software support for collaborative and global software engineering (SCGSE), pp 11Google Scholar
  4. Chow K, Notkin D (1996) Semi-automatic update of applications in response to library changes Proceedings of the 1996 international conference on software maintenance, ICSM ’96. IEEE Computer Society, Washington, DCGoogle Scholar
  5. Cossette BE, Walker R J (2012) Seeking the ground truth. In: Proc. of the ACM SIGSOFT intrn. symp on the foundations of software engineering - FSE ’12Google Scholar
  6. Cox J, Bouwers E, van Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: 2015 IEEE/ACM 37th IEEE International conference on software engineering (ICSE), vol 2, pp 109–118Google Scholar
  7. Dagenais B, Robillard MP (2009) Semdiff: analysis and recommendation support for api evolution Proceedings of the 31st international conference on software engineering, ICSE ’09. ISBN 978-1-4244-3453-4. IEEE Computer Society, Washington, DC, pp 599–602Google Scholar
  8. De Roover C, Lammel R, Pek E (2013) Multi-dimensional exploration of API usage. In: IEEE International conference on program comprehension, pp 152–161Google Scholar
  9. Edgell S, Noon S (1984) Effect of violation of normality on the t test of the correlation coefficient. In: Psychological bulletin, pp 576–583Google Scholar
  10. Eisenberg D S, Stylos J, Faulring A, Myers B A (2010) Using association metrics to help users navigate API documentation. In: VL/HCC2010, pp 23–30Google Scholar
  11. German D M, Adams B, Hassan AE (2013) The evolution of the r software ecosystem. In: Proc. of European conf. on soft. main. and reeng. (CSMR2013), pp 243–252Google Scholar
  12. Godfrey M W, Zou L (2005) Using origin analysis to detect merging and splitting of source code entities. IEEE Trans Softw Eng 31(2):166–181CrossRefGoogle Scholar
  13. Haenni N, Lungu M, Schwarz N, Nierstrasz O (2013) Categorizing developer information needs in software ecosystems. In: Proc. of int. work. on soft. eco. arch. (WEA13), pp 1–5Google Scholar
  14. Hora A, Valente M T (2015) Apiwave: keeping track of api popularity and migration. In: International conference on software maintenance and evolutionGoogle Scholar
  15. Hora A, Robbes R, Anquetil N, Etien A, Ducasse S, Valente M T (2015) How do developers react to api evolution? The pharo ecosystem case Proceedings of the 2015 IEEE international conference on software maintenance and evolution (ICSME), ICSME ’15. ISBN 978-1-4673-7532-0. IEEE Computer Society, Washington, DC, pp 251–260, DOI  10.1109/ICSM.2015.7332471, (to appear in print)
  16. Jezek K, Dietrich J, Brada P (2015) How Java APIs break - an empirical study. Inf Softw Technol, 129–146. ISSN 09505849. doi: 10.1016/j.infsof.2015.02.014
  17. Kabinna S, Bezemer C-P, Shang W, Hassan AE (2016) Logging library migrations: a case study for the apache software foundation projects. In: Proceedings of the 13th International workshop on mining software repositories, MSR ’16. New York, pp 154–164Google Scholar
  18. Kamiya T, Kusumoto S, Inoue K (2002) CCFinder: a multilinguistic token-based code clone detection system for large scale source code. IEEE Trans Softw Eng 28 (7):654–670. doi: 10.1109/TSE.2002.1019480. ISSN 0098-5589CrossRefGoogle Scholar
  19. Kawamitsu N, Ishio T, Kanda T, Kula R G, De Roover C, Inoue K (2014) Identifying source code reuse across repositories using lcs-based source code similarity. In Proc. of SCAMGoogle Scholar
  20. Kula RG, Roover CD, German DM, Ishio T, Inoue K (2014) Visualizing the evolution of systems and their library dependencies. In: Proc. of IEEE Work. conf. on soft. viz. (VISSOFT), ICSME ’15Google Scholar
  21. Kula R G, German D M, Ishio T, Inoue K (2015) Trusting a library: a study of the latency to adopt the latest maven release. In: 22nd IEEE International conference on software analysis, evolution, and reengineering, SANER 2015. MontrealGoogle Scholar
  22. Lehman MM (1996) Laws of software evolution revisited Proceedings of the 5th European workshop on software process technology, EWSPT ’96. ISBN 3-540-61771-X. Springer-Verlag, London, pp 108–124Google Scholar
  23. Lungu M (2008) Towards reverse engineering software ecosystems. In: Intl. conf. on soft. maint. and evo. (ICSME)Google Scholar
  24. McDonnell T, Ray B, Kim M (2013) An empirical study of API stability and adoption in the android ecosystem. In: IEEE International conference on software maintenance. ICSM, pp 70–79. ISSN 1063-6773. doi: 10.1109/ICSM.2013.18
  25. Mens T, Claes Mk, Ecos P G (2014) Ecological studies of open source software ecosystems. In: Soft. main. reeng. and rev. eng. (CSMR-WCRE), pp 403–406Google Scholar
  26. Mileva Y M, Dallmeier V, Burger M, Zeller A (2009) Mining trends of library usage Proc. Intl and ERCIM principles of soft. evol. (IWPSE) and soft. evol. (Evol) workshops, IWPSE-Evol ’09. ACM, New York, pp 57–62CrossRefGoogle Scholar
  27. Plate H, Ponta S A, Elisa S (2015) Impact assessment for vulnerabilities in open-source software libraries Proceedings of the 31st international conference on software maintenance and evolution, ICSME ’15. IEEE Computer Society, BremanGoogle Scholar
  28. Raemaekers S, van Deursen A, Visser J (2012) Measuring software library stability through historical version analysis. In: Proc. of intl. comf. soft. main. (ICSM), pp 378–387Google Scholar
  29. Raemaekers S, van Deursen A, Visser J (2014) Semantic versioning versus breaking changes: a study of the maven repository. In: 2014 IEEE 14th international working conference on source code analysis and manipulation (SCAM), pp 215–224Google Scholar
  30. Robbes R, Lungu M, Röthlisberger D (2012) How do developers react to api deprecation? The case of a smalltalk ecosystem Proceedings of the ACM SIGSOFT 20th international symposium on the foundations of software engineering, FSE ’12. ISBN 978-1-4503-1614-9. ACM, New York, pp 56:1–56:11Google Scholar
  31. Rogers EM (2003) Diffusion of innovations, 5, 08. Free Press, NY. ISBN 0-7432-2209-1, 978-0-7432-2209-9Google Scholar
  32. Sawant AA, Robbes R, Bacchelli A (2016) On the reaction to deprecation of 25,357 clients of 4+1 popular java apis. In: Proceedings of the 32th IEEE international conference on software maintenance and evolutionGoogle Scholar
  33. Schäfer T, Jonas J, Mezini M (2008) Mining framework usage changes from instantiation code Proceedings of the 30th international conference on software engineering, ICSE ’08. ISBN 978-1-60558-079-1. ACM, New York, pp 471–480Google Scholar
  34. Teyton C, Falleri J-R, Palyart M, Blanc X (2014) A study of library migrations in java. J Softw Evol Process, 26, 11Google Scholar
  35. Wittern E, Suter P, Rajagopalan S (2016) A look at the dynamics of the javascript package ecosystem. In: Proc. of work. conf. on mining soft. repo. (MSR2016)Google Scholar
  36. Wu W, Khomh F, Adams B, Guéhéneuc Y-G, Antoniol G (2015a) An exploratory study of api changes and usages based on apache and eclipse ecosystems. Empirical Softw Eng, p.1–47. ISSN 1573-7616Google Scholar
  37. Wu W, Serveaux A, Guéhéneuc Y-G, Antoniol G (2015b) The impact of imperfect change rules on framework api evolution identification: an empirical study. Empirical Softw Engg 20(4):1126–1158. doi: 10.1007/s10664-014-9317-9
  38. Xia P, Matsushita M, Yoshida N, Inoue K (2013) Studying reuse of out-dated third-party code in open source projects. Jpn Soc Softw Sci Technol Comput Softw 30(4):98–104Google Scholar
  39. Xing Z, Stroulia E (2007) API-evolution support with diff-catchup. IEEE Trans Softw Eng 33:818–836. doi: 10.1109/TSE.2007.70747 CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Raula Gaikovina Kula
    • 3
  • Daniel M. German
    • 2
  • Ali Ouni
    • 1
    • 4
  • Takashi Ishio
    • 3
  • Katsuro Inoue
    • 1
  1. 1.Osaka UniversitySuitaJapan
  2. 2.University of VictoriaVictoriaCanada
  3. 3.Nara Institute of Science and TechnologyOsaka UniversityTakayamaJapan
  4. 4.UAE UniversityAl AinUAE

Personalised recommendations