Measuring Dependency Freshness in Software Systems

Author(s): Joël Cox, Eric Bouwers, Marko van Eekelen, Joost Visser
Venue: International Conference on Software Engineering
Date: 2015

Type of Experiment: Other
Sample Size: 75
Class/Experience Level: Other
Participant Selection: analyzed systems from different clients
Data Collection Method: Observation


Nowadays, much software uses third-party components in order to speed up development and reduce its cost. But once a system uses a third-party component, it becomes dependent on that component, and keeping the component up to date alongside the system's own code can easily cause problems in the code base. When do developers decide it is time to update a dependency? When does updating a dependency become too expensive? The authors propose a metric, dependency freshness, to help developers decide when it is time to update a third-party component.

In order to determine dependency freshness, the authors set four criteria for the metric: technology independent, ease of implementation, simple to understand, and enable root-cause analysis. To satisfy these criteria, they take into account the third-party component's version sequence number, version release date, and version number delta. Overall, the study shows that systems with low dependency freshness are more than four times as likely to have security issues.
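The three measures named above, worked through in code as an added example (this is not the paper's own implementation, and the exact way the paper combines the measures is not described on this page). The release history for the library is constructed for illustration, and the "version number delta" is computed here as the difference at the most significant version component that differs, which is an assumption about the metric rather than something stated in the summary.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    """One published version of a third-party component."""
    version: str
    released: date


# Constructed release history for a hypothetical library; not real data.
RELEASES = [
    Release("1.0.0", date(2013, 1, 10)),
    Release("1.1.0", date(2013, 6, 1)),
    Release("1.2.0", date(2014, 2, 14)),
    Release("2.0.0", date(2014, 9, 30)),
    Release("2.1.0", date(2015, 3, 5)),
]

LEVELS = ("major", "minor", "patch")


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of ints."""
    parts = tuple(int(p) for p in version.split("."))
    # Pad to three components so "2.1" and "2.1.0" compare equal.
    return parts + (0,) * (3 - len(parts))


def version_delta(used, latest):
    """Difference at the most significant component that differs (assumed definition).

    Returns (level, amount); ("patch", 0) means the versions are identical.
    """
    for level, u, l in zip(LEVELS, parse_version(used), parse_version(latest)):
        if u != l:
            return (level, l - u)
    return ("patch", 0)


def freshness_measures(used, releases):
    """Compute the three per-dependency freshness measures for the version in use.

    - sequence_delta: number of releases published after the used one
    - release_date_delta_days: days between the used and the latest release
    - version_delta: (level, amount) from version_delta() above
    """
    ordered = sorted(releases, key=lambda r: parse_version(r.version))
    by_version = {r.version: i for i, r in enumerate(ordered)}
    if used not in by_version:
        raise ValueError(f"version {used!r} is not in the release history")
    idx = by_version[used]
    latest = ordered[-1]
    return {
        "sequence_delta": len(ordered) - 1 - idx,
        "release_date_delta_days": (latest.released - ordered[idx].released).days,
        "version_delta": version_delta(used, latest.version),
    }


def is_stale(measures, max_releases_behind=2, max_days_behind=365):
    """Flag a dependency as stale once it exceeds either threshold.

    The thresholds are assumed values chosen for this example, not figures
    taken from the paper.
    """
    return (measures["sequence_delta"] > max_releases_behind
            or measures["release_date_delta_days"] > max_days_behind)


if __name__ == "__main__":
    for used in ("1.1.0", "2.0.0", "2.1.0"):
        m = freshness_measures(used, RELEASES)
        print(used, m, "stale" if is_stale(m) else "fresh")
```

Running the block prints one line per candidate version; a dependency pinned at 1.1.0 is three releases and 642 days behind the newest release, with a major-level version gap of 1, so it is flagged as stale under the assumed thresholds, while 2.1.0 scores zero on every measure.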