Do developers update their library dependencies?: An empirical study on the impact of security advisories on library migration

Do developers update their library dependencies?: An empirical study on the impact of security advisories on library migration

Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse,...

Full description

Saved in:
Bibliographic Details
Published in:Empirical software engineering : an international journal 2018-02, Vol.23 (1), p.384-417
Main Authors: Kula, Raula Gaikovina, German, Daniel M., Ouni, Ali, Ishio, Takashi, Inoue, Katsuro
Format: Article
Language:eng
Subjects:
Compilers
Computer Science
Interpreters
Programming Languages
Software Engineering/Programming and Operating Systems
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent of which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.
ISSN:1382-3256
1573-7616