On the evolution of technical lag in the npm package dependency network
Alexandre Decan, Tom Mens, Eleni Constantinou

TL;DR
This paper empirically analyzes how technical lag evolves in the npm package dependency network, examining over 1.4 million releases to understand factors influencing lag and potential mitigation strategies.
Contribution
It provides a comprehensive empirical study of technical lag dynamics in npm, highlighting how release types and semantic versioning impact lag reduction.
Findings
Technical lag tends to increase over time in npm packages.
Use of semantic versioning policies can help reduce technical lag.
Different release types influence the rate of lag accumulation.
Abstract
Software packages developed and distributed through package managers extensively depend on other packages. These dependencies are regularly updated, for example to add new features, resolve bugs or fix security issues. In order to take full advantage of the benefits of this type of reuse, developers should keep their dependencies up to date by relying on the latest releases. In practice, however, this is not always possible, and packages lag behind with respect to the latest version of their dependencies. This phenomenon is described as technical lag in the literature. In this paper, we perform an empirical study of technical lag in the npm dependency network by investigating its evolution for over 1.4M releases of 120K packages and 8M dependencies between these releases. We explore how technical lag increases over time, taking into account the release type and the use of package…
Taxonomy
Topics: Cloud Computing and Resource Management · Software Engineering Research · Distributed systems and fault tolerance
