Analysing the Relationship Between Dependency Definition and Updating Practice When Using Third-Party Libraries

  • Conference paper
  • Product-Focused Software Process Improvement (PROFES 2022)

Abstract

Using third-party libraries is common practice when developing software. Package managers have made it easy to add third-party libraries as dependencies and to keep dependency versions up to date. Nevertheless, research shows that developers are prone to not updating their dependencies. We study how the type of version requirements used in the package manager manifest files affect dependency updating lag time (measured in days) and how this lag affects dependencies to vulnerable library versions. We focus on the package managers commonly used in iOS development, i.e., CocoaPods, Carthage and Swift PM. We first measure how the dependency updating lag time evolves over time for each package manager. Then we analyze whether and how the chosen type of version requirement affects the dependency updating lag time. Third, we investigate how not re-running package manager version resolution affects library updates. Lastly, we analyse how many vulnerable dependencies could have been fixed by updating the dependency. We found that dependency updating lag time differs between package managers but grows over time for all of them. We also found that the preferred version requirement types differ between package managers. As expected, version requirement types that are less restrictive produce less dependency updating lag. Moreover, we found that keeping library dependency versions up to date results in less vulnerable dependencies. Interestingly, some of the vulnerable dependencies could have been fixed by simply rerunning the package manager version resolution.
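As an added example (not code from the paper or its dataset), the Python below models the three ingredients the abstract relates: a manifest version requirement written in CocoaPods notation (exact pin, `>=`, optimistic `~>`, or none), the release that version resolution picks on a given date, and the resulting dependency updating lag in days. The release history is constructed, and "lag" is taken here as the days between the resolved release and the newest release available at observation time, which is an assumption about the paper's metric; `lag_report()` contrasts a lockfile frozen since May 2021 with re-running resolution in February 2022.

```python
from datetime import date

Version = tuple[int, int, int]

# Constructed release history of a hypothetical library (not a real pod).
RELEASES: dict[Version, date] = {
    (1, 2, 0): date(2021, 1, 10),
    (1, 2, 5): date(2021, 4, 2),
    (1, 3, 0): date(2021, 7, 20),
    (2, 0, 0): date(2022, 1, 15),
}

def parse(text: str) -> Version:
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.2" -> (1, 2, 0)

def satisfies(version: Version, requirement: str) -> bool:
    """CocoaPods-style check: exact pin, ">= x", optimistic "~> x", or no requirement.
    "~> 1.2.5" means >= 1.2.5 and < 1.3; "~> 1.2" means >= 1.2 and < 2.0; "~> 1" is open."""
    req = requirement.strip()
    if not req:
        return True
    if req.startswith(">="):
        return version >= parse(req[2:])
    if req.startswith("~>"):
        base = req[2:].strip()
        lower, n = parse(base), len(base.split("."))
        if n < 2:
            return version >= lower
        upper = list(lower)
        upper[n - 2] += 1               # bump the component before the last one given
        upper[n - 1:] = [0] * (4 - n)   # and zero everything after it
        return lower <= version < tuple(upper)
    return version == parse(req)

def resolve(requirement: str, on: date) -> Version:
    """Highest release that satisfies the requirement and already existed on `on`."""
    return max(v for v, d in RELEASES.items() if d <= on and satisfies(v, requirement))

def lag_days(resolved: Version, on: date) -> int:
    """Days between the resolved release and the newest release known on `on` (assumed metric)."""
    newest = max(v for v, d in RELEASES.items() if d <= on)
    return (RELEASES[newest] - RELEASES[resolved]).days

def lag_report(locked_on: date = date(2021, 5, 1),
               observed_on: date = date(2022, 2, 1)) -> dict[str, tuple[int, int]]:
    """Per requirement: (lag with the lockfile frozen since locked_on, lag after re-resolving on observed_on)."""
    return {req: (lag_days(resolve(req, locked_on), observed_on),
                  lag_days(resolve(req, observed_on), observed_on))
            for req in ["1.2.0", "~> 1.2.5", "~> 1.2", ">= 1.2", ""]}
```

With the constructed history, the exact pin stays 370 days behind no matter what, `~> 1.2.5` cannot reach 1.3.0 even when re-resolved, while `~> 1.2`, `>= 1.2` and an open requirement shrink their lag only if resolution is actually re-run.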


Notes

  1. https://cocoapods.org.
  2. https://github.com/Carthage/Carthage.
  3. https://www.swift.org/package-manager/.
  4. https://guides.cocoapods.org/using/using-cocoapods.html.
  5. https://github.com/Carthage/Carthage.
  6. https://www.swift.org/package-manager/.


Acknowledgments

Funding of this research came from the Estonian Center of Excellence in ICT research (EXCITE), the European Social Fund via the IT Academy programme, the Estonian Research Council grant (PRG 1226), the Austrian ministries BMVIT and BMDW, and the Province of Upper Austria under the COMET (Competence Centers for Excellent Technologies) Programme managed by FFG.

Author information

Corresponding author: Kristiina Rahkema.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Rahkema, K., Pfahl, D. (2022). Analysing the Relationship Between Dependency Definition and Updating Practice When Using Third-Party Libraries. In: Taibi, D., Kuhrmann, M., Mikkonen, T., Klünder, J., Abrahamsson, P. (eds) Product-Focused Software Process Improvement. PROFES 2022. Lecture Notes in Computer Science, vol 13709. Springer, Cham. https://doi.org/10.1007/978-3-031-21388-5_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-21388-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21387-8

  • Online ISBN: 978-3-031-21388-5

  • eBook Packages: Computer Science (R0)