Do developers update their library dependencies?

An empirical study on the impact of security advisories on library migration
  • Raula Gaikovina Kula
  • Daniel M. German
  • Ali Ouni
  • Takashi Ishio
  • Katsuro Inoue
Article

DOI: 10.1007/s10664-017-9521-5

Cite this article as:
Kula, R.G., German, D.M., Ouni, A. et al. Empir Software Eng (2017). doi:10.1007/s10664-017-9521-5

Abstract

Third-party library reuse has become common practice in contemporary software development, as it brings several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent to which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.

Keywords

  • Software reuse
  • Software maintenance
  • Security vulnerabilities

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Raula Gaikovina Kula (3)
  • Daniel M. German (2)
  • Ali Ouni (1, 4)
  • Takashi Ishio (3)
  • Katsuro Inoue (1)
  1. Osaka University, Suita, Japan
  2. University of Victoria, Victoria, Canada
  3. Nara Institute of Science and Technology, Osaka University, Takayama, Japan
  4. UAE University, Al Ain, UAE