Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

In a software ecosystem, a dependency relationship enables a client package to reuse a certain version of a provider package. Packages in a software ecosystem often release versions containing bug fixes, new functionalities, and security enhancements. Hence, updating the provider version is an important maintenance task for client packages. Despite the number of investigations about dependency updates, there is a lack of studies about dependency downgrades in software ecosystems. A downgrade indicates that the adopted version of a provider package is not suitable for the client package at a certain moment. In this paper, we investigate downgrades in the npm ecosystem–currently the largest repository of package distribution. We address three research questions. In our first RQ, we provide a list of the reasons behind the occurrence of downgrades. Our manual analysis of the artifacts (e.g., release notes and commit messages) of a package code repository identified two categories of downgrades according to their rationale: reactive and preventive. The reasons behind reactive downgrades are defects in a specific version of a provider, unexpected feature changes in a provider, and incompatibilities. In turn, preventive downgrades are an attempt to avoid issues in future releases. In our second RQ, we investigate how the versioning of dependencies is modified when a downgrade occurs. We observed that 49% of the downgrades are performed by replacing a range of acceptable versions of a provider with a specific old version. This observation suggests that client packages have the tendency to become more conservative regarding the update of their providers after a downgrade. Also, 48% of the downgrades reduce the provider version by a minor level (e.g., from 2.1.0 to 2.0.0). This observation indicates that client packages in npm should be cautious when updating minor releases of the provider (e.g., by prioritizing tests). Finally, in our third RQ we observed that 50% of the downgrades are performed at a rate that is 2.6 times as slow as the median time-between-releases of their associated client packages. We also observed that downgrades that follow an explicit update of a provider package occur faster than downgrades that follow an implicit update. Explicit updates occur when the provider is updated by means of an explicit change to the versioning specification (i.e., the string used by client packages to define the provider version that they are willing to adopt). We conjecture that, due to the controlled nature of explicit updates, it is easier for client packages to identify the provider that is associated with the problem that motivated the downgrade.

Wed 26 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:05 - 17:05
2.4.2. API: Evolution and Maintenance #1Journal-First Papers / Technical Track at Blended Sessions Room 2 +12h
Chair(s): Davide Falessi California Polytechnic State University
16:05
20m
Paper
Semantic Patches for Adaptation of JavaScript Programs to Evolving LibrariesArtifact ReusableTechnical Track
Technical Track
Benjamin Barslev Nielsen Aarhus University, Martin Toldam Torp Aarhus University, Anders Møller Aarhus University
Pre-print Media Attached
16:25
20m
Paper
An Empirical Study of Dependency Downgrades in the npm EcosystemJournal-First
Journal-First Papers
Filipe R. Cogo Centre for Software Excellence, Huawei, Canada, Gustavo A. Oliva Queen's University, Ahmed E. Hassan School of Computing, Queen's University
Link to publication DOI Pre-print Media Attached
16:45
20m
Paper
A3: Assisting Android API Migrations Using Code ExamplesJournal-First
Journal-First Papers
Maxime Lamothe Concordia University, Weiyi Shang Concordia University, Tse-Hsun (Peter) Chen Concordia University
DOI Pre-print Media Attached

Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

04:05 - 05:05
2.4.2. API: Evolution and Maintenance #1Technical Track / Journal-First Papers at Blended Sessions Room 2
04:05
20m
Paper
Semantic Patches for Adaptation of JavaScript Programs to Evolving LibrariesArtifact ReusableTechnical Track
Technical Track
Benjamin Barslev Nielsen Aarhus University, Martin Toldam Torp Aarhus University, Anders Møller Aarhus University
Pre-print Media Attached
04:25
20m
Paper
An Empirical Study of Dependency Downgrades in the npm EcosystemJournal-First
Journal-First Papers
Filipe R. Cogo Centre for Software Excellence, Huawei, Canada, Gustavo A. Oliva Queen's University, Ahmed E. Hassan School of Computing, Queen's University
Link to publication DOI Pre-print Media Attached
04:45
20m
Paper
A3: Assisting Android API Migrations Using Code ExamplesJournal-First
Journal-First Papers
Maxime Lamothe Concordia University, Weiyi Shang Concordia University, Tse-Hsun (Peter) Chen Concordia University
DOI Pre-print Media Attached