Diplomatist: What Do Cross-language Dependencies Reflect Software Ecosystem Health? (ASE 2025 - Research Papers)

Who

Fanyi Meng, Ying Wang, Chun Yong Chong, Hai Yu, Zhiliang Zhu

Track

ASE 2025 Research Papers

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT+09:00) Seoul.

Use conference time zone: (GMT+09:00) SeoulSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Mon 17 Nov 2025 11:40 - 11:50 at Grand Hall 5 - Log & Dependency

Abstract

In large-scale software development, multilingual projects, those involving multiple interacting programming languages, have become increasingly common in both industry and the open-source community. Research indicates that cross-language dependencies in these projects can increase the likelihood of risks, such as functionality defects and security vulnerabilities. While most existing studies focus on cross-language dependencies between host languages and specific guest languages (e.g., C/C++), interactions between host languages and a broader range of guest languages, as well as the broader impact of such dependencies on software ecosystems, remain underexplored.

To address the above limitations, in this paper, we develop a technique, \textsc{Diplomatist}, to identify and analyze cross-language dependencies between host languages, such as Java, and guest languages, including JavaScript, Python, Ruby, PHP, and C/C++. \textsc{Diplomatist} automatically analyzes \textit{cross-language invocation APIs} and constructs a large-scale knowledge repository to standardize code features for identifying library versions across various guest languages, enabling host languages to trace the guest language libraries they invoke. Evaluation shows that \textsc{Diplomatist} achieved an average precision of 88.9% and a recall of 91.5% on a high-quality benchmark, indicating its high accuracy in detecting cross-language dependencies. Using \textsc{Diplomatist}, we identified 435,258 Java libraries that indirectly or transitively depend on libraries from other ecosystems. \textsc{Diplomatist} provides a list of cross-language pivotal libraries that contribute to preserving the long-term health and sustainability of software ecosystems. Moreover, we conduct a case study to examine the impact of the risks introduced due to cross-language dependencies on programming language ecosystems, by analyzing a full-picture of the cross-language dependency graph. Our findings show that fragile projects or libraries can propagate security issues across ecosystems via these dependencies, impacting 13,739 downstream projects in the \textit{Maven} ecosystem. We utilized \textsc{Diplomatist} to provide remediation suggestions to relevant project developers. Issue reports of some subjects have been confirmed by developers.

Fanyi Meng

Shenyang University of Technology

Ying Wang

Northeastern University

China

Chun Yong Chong

Monash University Malaysia

Malaysia

Hai Yu

Northeastern University, China

Zhiliang Zhu