Modeling Library Dependencies and Updates in Large Software Repository Universes
Raula Gaikovina Kula, Coen De Roover, Daniel M. German, Takashi Ishio, Katsuro Inoue

TL;DR
This paper introduces a novel approach using the Software Universe Graph (SUG) to model and visualize library dependencies and updates in large software repositories, aiding developers in making informed update decisions.
Contribution
It presents the SUG model that captures dependency and update information from repositories, enabling comparison and visualization to facilitate library update decisions.
Findings
Constructed a SUG from 188,951 nodes and 6,374 artifacts.
Demonstrated the application of metrics and visualizations with real-world examples.
Found 79% overlap in dependencies between Maven and GitHub repositories.
Abstract
Popular (re)use of third-party open-source software (OSS) is evidence of the impact that hosting repositories like Maven have on software development today. Updating libraries is crucial, with recent studies highlighting the vulnerabilities associated with aging OSS libraries. The decision to migrate to a newer library can range from trivial (a security threat) to complex (assessing the work required to accommodate the changes). By leveraging the 'wisdom of the software repository crowd', we propose a simple and efficient approach to recommending 'consented' library updates. Our Software Universe Graph (SUG) models library dependency and update information mined from super repositories to provide different metrics and visualizations that aid in the update decision. To evaluate, we first constructed a SUG from 188,951 nodes of 6,374 unique Maven artifacts. Then, we demonstrate how our metrics and…
Taxonomy
Topics: Software Engineering Research · Software System Performance and Reliability · Software Reliability and Analysis Research
