Abstract
Using third-party libraries is common practice in software development. Package managers have made it easy to add third-party libraries as dependencies and to keep dependency versions up to date. Nevertheless, research shows that developers tend not to update their dependencies. We study how the type of version requirement used in package manager manifest files affects the dependency updating lag time (measured in days) and how this lag affects dependencies on vulnerable library versions. We focus on the package managers commonly used in iOS development, i.e., CocoaPods, Carthage and Swift PM. We first measure how the dependency updating lag time evolves over time for each package manager. Second, we analyze whether and how the chosen type of version requirement affects the dependency updating lag time. Third, we investigate how not re-running package manager version resolution affects library updates. Lastly, we analyze how many vulnerable dependencies could have been fixed by updating the dependency. We found that dependency updating lag time differs between package managers but grows over time for all of them. We also found that the preferred version requirement types differ between package managers. As expected, less restrictive version requirement types produce less dependency updating lag. Moreover, we found that keeping library dependency versions up to date results in fewer vulnerable dependencies. Interestingly, some of the vulnerable dependencies could have been fixed simply by re-running the package manager version resolution.
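The mechanism behind the abstract's two findings (restrictive version requirements leave more lag, and a stale lockfile adds lag that re-running resolution would remove) can be made concrete with a small resolver. The following Python block is an added example and not code from the paper or from any of the three package managers. It models the requirement kinds the abstract refers to: an exact pin (`==`), the optimistic operator `~>` used by CocoaPods and Carthage (where `~> 1.1.0` allows up to the next minor and `~> 1.1` up to the next major), and Swift PM's `from:` (up to next major) and `upToNextMinor:`. The requirement-string syntax is a simplified stand-in for the real manifest syntaxes, the `Release`, `resolve`, `lag_days` and `stale_lock_days` names are the example's own, and the release history is constructed, not taken from a real library.

```python
"""Dependency updating lag per version-requirement kind (added example, not the paper's code).

Lag is measured the way the abstract describes: days between the release the
requirement resolves to and the newest release of the library.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Release:
    version: Version
    released: date


# Constructed release history for a hypothetical library (not real data).
RELEASES: List[Release] = [
    Release((1, 0, 0), date(2021, 1, 1)),
    Release((1, 1, 0), date(2021, 3, 1)),
    Release((1, 1, 5), date(2021, 4, 15)),
    Release((1, 2, 0), date(2021, 7, 1)),
    Release((1, 2, 3), date(2021, 9, 10)),
    Release((2, 0, 0), date(2022, 1, 20)),
    Release((2, 1, 0), date(2022, 5, 5)),
]


def parse_version(text: str) -> Version:
    parts = [int(p) for p in text.strip().strip('"').split(".")]
    while len(parts) < 3:          # "1.1" -> (1, 1, 0)
        parts.append(0)
    return parts[0], parts[1], parts[2]


def parse_requirement(text: str) -> Tuple[str, Optional[Version]]:
    """Map a simplified manifest requirement to (kind, floor version)."""
    text = text.strip()
    if text == "any":                       # no constraint (e.g. Carthage without a version)
        return "any", None
    if text.startswith("=="):               # exact pin
        return "exact", parse_version(text[2:])
    if text.startswith("~>"):               # optimistic operator (CocoaPods, Carthage):
        components = text[2:].strip().split(".")   # the number of components sets the ceiling
        kind = "next_major" if len(components) <= 2 else "next_minor"
        return kind, parse_version(text[2:])
    if text.startswith("from:"):            # Swift PM .upToNextMajor(from:)
        return "next_major", parse_version(text[5:])
    if text.startswith("upToNextMinor:"):   # Swift PM .upToNextMinor(from:)
        return "next_minor", parse_version(text[len("upToNextMinor:"):])
    raise ValueError(f"unsupported requirement: {text!r}")


def satisfies(kind: str, floor: Optional[Version], v: Version) -> bool:
    if kind == "any":
        return True
    assert floor is not None
    major, minor, _ = floor
    if kind == "exact":
        return v == floor
    if kind == "next_minor":
        return floor <= v < (major, minor + 1, 0)
    if kind == "next_major":
        return floor <= v < (major + 1, 0, 0)
    raise ValueError(kind)


def resolve(releases: List[Release], requirement: str) -> Optional[Release]:
    """Highest release satisfying the requirement, as a resolver would pick it."""
    kind, floor = parse_requirement(requirement)
    candidates = [r for r in releases if satisfies(kind, floor, r.version)]
    return max(candidates, key=lambda r: r.version) if candidates else None


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def lag_days(releases: List[Release], requirement: str) -> Tuple[str, int]:
    """(resolved version, lag in days behind the newest release); lag never below 0."""
    newest = max(releases, key=lambda r: r.version)
    chosen = resolve(releases, requirement)
    if chosen is None:
        raise ValueError(f"{requirement!r} matches no release")
    return fmt(chosen.version), max(0, (newest.released - chosen.released).days)


def stale_lock_days(releases: List[Release], locked: str, requirement: str) -> int:
    """Days of lag that merely re-running resolution would remove when the
    lockfile (Podfile.lock, Cartfile.resolved, Package.resolved) still pins `locked`."""
    locked_release = next(r for r in releases if r.version == parse_version(locked))
    fresh = resolve(releases, requirement)
    if fresh is None:
        raise ValueError(f"{requirement!r} matches no release")
    return max(0, (fresh.released - locked_release.released).days)


if __name__ == "__main__":
    for req in ["== 1.1.0", "~> 1.1.0", "upToNextMinor: 1.1.0", "~> 1.1", "from: 1.1.0", "any"]:
        version, days = lag_days(RELEASES, req)
        print(f"{req:22} -> {version:6} lag {days:4d} days")
    print("lockfile pinned at 1.1.0 under '~> 1.1': re-running resolution removes",
          stale_lock_days(RELEASES, "1.1.0", "~> 1.1"), "days of lag")
```

Run stand-alone it prints the lag for each requirement kind; with the constructed history the exact pin stays 430 days behind, the next-minor kinds 385, the next-major kinds 237 and the unconstrained requirement 0, which is the ordering the abstract reports. The last line shows the abstract's final point: a project that committed its lockfile at 1.1.0 and never re-ran resolution carries 193 days of lag that no manifest change is needed to remove.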
Acknowledgments
Funding for this research came from the Estonian Center of Excellence in ICT research (EXCITE), the European Social Fund via the IT Academy program, the Estonian Research Council grant (PRG 1226), the Austrian ministries BMVIT and BMDW, and the Province of Upper Austria under the COMET (Competence Centers for Excellent Technologies) Programme managed by FFG.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Rahkema, K., Pfahl, D. (2022). Analysing the Relationship Between Dependency Definition and Updating Practice When Using Third-Party Libraries. In: Taibi, D., Kuhrmann, M., Mikkonen, T., Klünder, J., Abrahamsson, P. (eds) Product-Focused Software Process Improvement. PROFES 2022. Lecture Notes in Computer Science, vol 13709. Springer, Cham. https://doi.org/10.1007/978-3-031-21388-5_7
DOI: https://doi.org/10.1007/978-3-031-21388-5_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21387-8
Online ISBN: 978-3-031-21388-5
eBook Packages: Computer Science (R0)