Do Developers Update Their Library Dependencies? An Empirical Study on the Impact of Security Advisories on Library Migration
Raula Gaikovina Kula, Daniel M. German, Ali Ouni, Takashi Ishio, Katsuro Inoue

TL;DR
This empirical study investigates how often developers update their library dependencies, revealing that most systems use outdated dependencies and many developers are unaware of vulnerabilities, highlighting challenges in maintaining up-to-date libraries.
Contribution
The paper provides the first large-scale empirical analysis of library dependency updates and security advisory responses in GitHub projects, revealing low update rates and awareness.
Findings
81.5% of the studied systems use outdated dependencies
69% of surveyed developers were unaware of vulnerable dependencies
Developers cite the effort required and unclear responsibility as barriers to updating
Abstract
Third-party library reuse has become common practice in contemporary software development, as it brings several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent to which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to…
Taxonomy
Topics: Software Engineering Research · Software System Performance and Reliability · Software Reliability and Analysis Research
