An Empirical Study of Usages, Updates and Risks of Third-Party Libraries in Java Projects
Ying Wang, Bihuan Chen, Kaifeng Huang, Bowen Shi, Congying Xu, Xin Peng, Yang Liu, Yijian Wu

TL;DR
This study analyzes how Java developers use, update, and manage risks associated with third-party libraries, revealing outdated usage patterns and proposing a bug-driven alerting system to enhance library maintenance and ecosystem sustainability.
Contribution
It provides a comprehensive empirical analysis of third-party library usage, updates, and risks in Java projects, and introduces a bug-driven alerting system for better library management.
Findings
- High prevalence of outdated libraries in Java projects
- Significant delays in updating third-party libraries
- Potential risks from outdated libraries identified
Abstract
Third-party libraries are a central building block to develop software systems. However, outdated third-party libraries are commonly used, and developers are usually less aware of the potential risks. Therefore, a quantitative and holistic study on usages, updates and risks of third-party libraries can provide practical insights to improve the ecosystem sustainably. In this paper, we conduct such a study in the Java ecosystem. Specifically, we conduct a library usage analysis (e.g., usage intensity and outdatedness) and a library update analysis (e.g., update intensity and delay) using 806 open-source projects. The two analyses aim to quantify usage and update practices holistically from the perspective of both open-source projects and third-party libraries. Then, we conduct a library risk analysis (e.g., potential risk and developer response) in terms of bugs with 15 popularly-used…
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Software System Performance and Reliability
