Präzi: from package-based to call-based dependency networks

Modern programming languages such as Java, JavaScript, and Rust encourage software reuse by hosting diverse and fast-growing repositories of highly interdependent packages (i.e., reusable libraries) for their users. The standard way to study the interdependence between software packages is to infer...

Full description

Saved in:
Bibliographic Details
Published inEmpirical software engineering : an international journal Vol. 27; no. 5
Main Authors Hejderup, Joseph, Beller, Moritz, Triantafyllou, Konstantinos, Gousios, Georgios
Format Journal Article
LanguageEnglish
Published New York Springer US 01.09.2022
Springer Nature B.V
Subjects
Comparative studies
Compilers
Computer Science
Interpreters
Java
Metadata
Networks
Programming Languages
Repositories
Software Engineering/Programming and Operating Systems
Software packages
Software reuse
Source code
Package repository
Dependency network
Software ecosystem
Package manager
Call graphs
Network analysis
Online AccessGet full text

Cover

More Information
Summary:Modern programming languages such as Java, JavaScript, and Rust encourage software reuse by hosting diverse and fast-growing repositories of highly interdependent packages (i.e., reusable libraries) for their users. The standard way to study the interdependence between software packages is to infer a package dependency network by parsing manifest data. Such networks help answer questions such as “How many packages have dependencies to packages with known security issues?” or “What are the most used packages?”. However, an overlooked aspect in existing studies is that manifest-inferred relationships do not necessarily examine the actual usage of these dependencies in source code. To better model dependencies between packages, we developed Präzi , an approach combining manifests and call graphs of packages. Präzi constructs a dependency network at the more fine-grained function-level, instead of at the manifest level. This paper discusses a prototypical Präzi implementation for the popular system programming language Rust. We use Präzi to characterize Rust’s package repository, Crates.io , at the function level and perform a comparative study with metadata-based networks. Our results show that metadata-based networks generalize how packages use their dependencies. Using Präzi , we find packages call only 40% of their resolved dependencies, and that manual analysis of 34 cases reveals that not all packages use a dependency the same way. We argue that researchers and practitioners interested in understanding how developers or programs use dependencies should account for its context—not the sum of all resolved dependencies.
ISSN:1382-3256
1573-7616
DOI:10.1007/s10664-021-10071-9