ASE 2024
Sun 27 October - Fri 1 November 2024 Sacramento, California, United States
Wed 30 Oct 2024 14:30 - 14:45 at Magnoila - Library and dependancy Chair(s): Curtis Atkisson

Keeping dependencies up-to-date is a crucial software maintenance task that requires significant effort. Developers must choose which dependencies to update, select appropriate target versions, and minimize the impact of updates in terms of breaking changes and incompatibilities. Several factors influence the choice of a new dependency version, including its freshness, popularity, absence of vulnerabilities, and compatibility.

In this paper, we propose to formulate the dependency update problem as a multi-objective optimization problem. This approach allows for the update of dependencies with a global perspective, considering all direct and indirect dependencies. It also enables developers to specify their preferences regarding the quality factors they want to maximize and the costs of updating they want to minimize. The update problem is encoded as a linear program whose solution is an optimal update strategy that aligns with developer priorities and minimizes incompatibilities.

We evaluated our approach using a dataset of 107 well-tested open-source Java projects using various configurations that reflect real-world update scenarios, and considered three quality metrics: dependency freshness, a time-window popularity measure, and a vulnerability score related to CVEs. Our findings indicate that our approach generates updates that compile and pass tests as well as naive approaches typically implemented in dependency bots. Furthermore, our approach can be up to two orders of magnitude better in terms of freshness. By considering a more comprehensive concept of quality debt, which takes into account freshness, popularity, and vulnerabilities, our approach is able to reduce quality debt while maintaining reasonable memory and time consumption.

Wed 30 Oct

Displayed time zone: Pacific Time (US & Canada) change

13:30 - 15:00
13:30
15m
Talk
How to Pet a Two-Headed Snake? Solving Cross-Repository Compatibility Issues with Hera
Research Papers
Yifan Xie , Zhouyang Jia National University of Defense Technology, Shanshan Li National University of Defense Technology, Ying Wang Northeastern University, Jun Ma National University of Defense Technology, Xiaoling Li National University of Defense Technology, Haoran Liu National University of Defense Technology, Ying Fu National University of Defense Technology, Liao Xiangke National University of Defense Technology
13:45
15m
Talk
Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments
Industry Showcase
Xinyi Zheng Huazhong University of Science and Technology, Chen Wei MYbank, Ant Group, Shenao Wang Huazhong University of Science and Technology, Yanjie Zhao Huazhong University of Science and Technology, Peiming Gao MYbank, Ant Group, Yuanchao Zhang Mybank, Ant Group, Kailong Wang Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology
14:00
15m
Talk
Detect Hidden Dependency to Untangle Commits
Research Papers
Mengdan Fan , Wei Zhang Peking University, Haiyan Zhao Peking University, Guangtai Liang Huawei Cloud Computing Technologies, Zhi Jin Peking University
14:15
15m
Talk
LeanBin: Harnessing Lifting and Recompilation to Debloat Binaries
Research Papers
Igor Wodiany University of Manchester, Antoniu Pop University of Manchester, Mikel Luján University of Manchester
DOI Pre-print
14:30
15m
Talk
Balancing the Quality and Cost of Updating Dependencies
Research Papers
Damien Jaime Université Paris Nanterre & LIP6, Pascal Poizat Université Paris Nanterre & LIP6, Joyce El Haddad Université Paris Dauphine - PSL , Thomas Degueule CNRS
14:45
10m
Talk
Depends-Kotlin: A Cross-Language Kotlin Dependency Extractor
Tool Demonstrations
Qiong Feng Nanjing University of Science and Technology, Xiaotian Ma Nanjing University of Science and Technology, Huan Ji Huawei Nanjing Research Center, Wei Song Nanjing University of Science and Technology, Peng Liang Wuhan University, China
DOI Pre-print Media Attached