Keeping dependencies up-to-date is a crucial software maintenance task that requires significant effort. Developers must choose which dependencies to update, select appropriate target versions, and minimize the impact of updates in terms of breaking changes and incompatibilities. Several factors influence the choice of a new dependency version, including its freshness, popularity, absence of vulnerabilities, and compatibility.
In this paper, we propose to formulate the dependency update problem as a multi-objective optimization problem. This approach allows for the update of dependencies with a global perspective, considering all direct and indirect dependencies. It also enables developers to specify their preferences regarding the quality factors they want to maximize and the costs of updating they want to minimize. The update problem is encoded as a linear program whose solution is an optimal update strategy that aligns with developer priorities and minimizes incompatibilities.
We evaluated our approach on a dataset of 107 well-tested open-source Java projects, using configurations that reflect real-world update scenarios and three quality metrics: dependency freshness, a time-window popularity measure, and a vulnerability score derived from CVEs. Our findings indicate that the updates our approach generates compile and pass tests at the same rate as the naive strategies typically implemented in dependency bots, while being up to two orders of magnitude better in terms of freshness. Under a broader notion of quality debt that combines freshness, popularity, and vulnerabilities, our approach reduces quality debt while keeping memory and time consumption reasonable.
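To make the formulation in the abstract concrete, here is an added example (written for this page, not the authors' tool or their linear-program encoding) of a weighted multi-objective update selection over a constructed catalogue of two hypothetical dependencies, lib-a and lib-b. Each candidate version carries the three quality metrics named above (freshness as age behind the newest release, time-window popularity, a CVSS-style vulnerability score) plus an update cost; cross-dependency incompatibilities are an assumed constraint set. The search is exhaustive, which is fine for a toy instance but stands in for the ILP solver a real encoding would use; the weights dictionary is where the developer's preferences go.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Candidate:
    dep: str
    version: str
    age_days: int       # days behind the newest release of this dependency (freshness)
    popularity: float   # share of downloads in a recent time window, 0..1
    vuln_score: float   # summed CVSS base score of known CVEs (0 = none)
    update_cost: float  # estimated migration cost from the currently used version (0 = keep)


# Constructed catalogue of hypothetical artifacts (not real Maven coordinates).
# The currently used versions are lib-a 1.0 and lib-b 3.2 (update_cost 0).
CATALOG = {
    "lib-a": [
        Candidate("lib-a", "1.0", 400, 0.10, 7.5, 0.0),
        Candidate("lib-a", "1.1", 200, 0.30, 0.0, 1.0),
        Candidate("lib-a", "2.0",   0, 0.60, 0.0, 1.5),
    ],
    "lib-b": [
        Candidate("lib-b", "3.2", 300, 0.20, 0.0, 0.0),
        Candidate("lib-b", "3.3",  30, 0.50, 0.0, 0.5),
        Candidate("lib-b", "4.0",   0, 0.30, 4.3, 2.0),
    ],
}

# Constructed compatibility constraints: each pair of (dep, version) cannot coexist.
# Assumption: lib-a 2.0 relies on an API that only lib-b 4.0 provides.
INCOMPATIBLE = {
    frozenset({("lib-a", "2.0"), ("lib-b", "3.2")}),
    frozenset({("lib-a", "2.0"), ("lib-b", "3.3")}),
}


def candidate_cost(c, weights, max_age):
    """Weighted scalarisation of one candidate's quality debt plus update cost (lower is better)."""
    freshness = c.age_days / max_age if max_age else 0.0
    return (weights["freshness"] * freshness
            + weights["popularity"] * (1.0 - c.popularity)
            + weights["vulnerability"] * (c.vuln_score / 10.0)   # CVSS is a 0..10 scale
            + weights["cost"] * c.update_cost)


def is_compatible(selection, incompatible):
    """True if no forbidden pair is fully contained in the selected (dep, version) set."""
    chosen = {(c.dep, c.version) for c in selection}
    return not any(pair <= chosen for pair in incompatible)


def best_update(catalog, weights, incompatible):
    """Exhaustively search every version combination with a global view of all dependencies.

    Returns ({dep: version}, total_cost) for the cheapest compatible combination.
    """
    max_age = max(c.age_days for cs in catalog.values() for c in cs)
    deps = sorted(catalog)
    best = None
    for combo in product(*(catalog[d] for d in deps)):
        if not is_compatible(combo, incompatible):
            continue
        total = sum(candidate_cost(c, weights, max_age) for c in combo)
        if best is None or total < best[1]:
            best = ({c.dep: c.version for c in combo}, total)
    return best


def naive_newest(catalog):
    """Per-dependency 'bump to latest', as a dependency bot does, ignoring cross-dependency effects."""
    return {d: min(cs, key=lambda c: c.age_days).version for d, cs in catalog.items()}


if __name__ == "__main__":
    balanced = {"freshness": 1.0, "popularity": 1.0, "vulnerability": 2.0, "cost": 0.5}
    print("balanced weights:", best_update(CATALOG, balanced, INCOMPATIBLE))
    print("newest only     :", naive_newest(CATALOG))
```

With the balanced weights the optimiser keeps lib-a at 1.1 and moves lib-b to 3.3: lib-a 2.0 would be the best choice in isolation, but it forces lib-b 4.0, which carries a CVE, so the global view rejects it. The naive bump-to-latest strategy lands on exactly that vulnerable pair. Setting every weight except freshness to zero flips the answer to (2.0, 4.0), which is the point of exposing the weights to the developer.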
Wed 30 Oct (displayed time zone: Pacific Time, US & Canada)
13:30 - 15:00 | Library and dependency | Research Papers / Industry Showcase / Tool Demonstrations | at Magnolia | Chair(s): Curtis Atkisson (UW)
| Time | Slot | Title | Track | Authors | Links |
|---|---|---|---|---|---|
| 13:30 | 15m talk | How to Pet a Two-Headed Snake? Solving Cross-Repository Compatibility Issues with Hera | Research Papers | Yifan Xie; Zhouyang Jia (National University of Defense Technology); Shanshan Li (National University of Defense Technology); Ying Wang (Northeastern University); Jun Ma (National University of Defense Technology); Xiaoling Li (National University of Defense Technology); Haoran Liu (National University of Defense Technology); Ying Fu (National University of Defense Technology); Liao Xiangke (National University of Defense Technology) | |
| 13:45 | 15m talk | Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments | Industry Showcase | Xinyi Zheng (Huazhong University of Science and Technology); Chen Wei (MYbank, Ant Group); Shenao Wang (Huazhong University of Science and Technology); Yanjie Zhao (Huazhong University of Science and Technology); Peiming Gao (MYbank, Ant Group); Yuanchao Zhang (MYbank, Ant Group); Kailong Wang (Huazhong University of Science and Technology); Haoyu Wang (Huazhong University of Science and Technology) | |
| 14:00 | 15m talk | Detect Hidden Dependency to Untangle Commits | Research Papers | Mengdan Fan; Wei Zhang (Peking University); Haiyan Zhao (Peking University); Guangtai Liang (Huawei Cloud Computing Technologies); Zhi Jin (Peking University) | |
| 14:15 | 15m talk | LeanBin: Harnessing Lifting and Recompilation to Debloat Binaries | Research Papers | Igor Wodiany (University of Manchester); Antoniu Pop (University of Manchester); Mikel Luján (University of Manchester) | DOI, Pre-print |
| 14:30 | 15m talk | Balancing the Quality and Cost of Updating Dependencies | Research Papers | Damien Jaime (Université Paris Nanterre & LIP6); Pascal Poizat (Université Paris Nanterre & LIP6); Joyce El Haddad (Université Paris Dauphine - PSL); Thomas Degueule (CNRS) | |
| 14:45 | 10m talk | Depends-Kotlin: A Cross-Language Kotlin Dependency Extractor | Tool Demonstrations | Qiong Feng (Nanjing University of Science and Technology); Xiaotian Ma (Nanjing University of Science and Technology); Huan Ji (Huawei Nanjing Research Center); Wei Song (Nanjing University of Science and Technology); Peng Liang (Wuhan University, China) | DOI, Pre-print, Media Attached |