Measuring Dependency Freshness in Software Systems

Joel Cox, Eric Bouwers, Marko van Eekelen, Joost Visser
2015 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering  
Modern software systems often make use of thirdparty components to speed-up development and reduce maintenance costs. In return, developers need to update to new releases of these dependencies to avoid, for example, security and compatibility risks. In practice, prioritizing these updates is difficult because the use of outdated dependencies is often opaque. In this paper we aim to make this concept more transparent by introducing metrics to quantify the use of recent versions of dependencies,
more » ... s of dependencies, i.e. the system's "dependency freshness". We propose and investigate a system-level metric based on an industry benchmark. We validate the usefulness of the metric using interviews, analyze the variance of the metric through time, and investigate the relationship between outdated dependencies and security vulnerabilities. The results show that the measurements are considered useful, and that systems using outdated dependencies four times as likely to have security issues as opposed to systems that are up-to-date.
doi:10.1109/icse.2015.140 dblp:conf/icse/CoxBEV15 fatcat:6renqxlv7bbivcs4svxgfalgtm