Select Page

Network analysis to identify open-source software libraries about to become dormant

Published: December 21, 2022
Everybody needs somebody
Library-level DC congruence in npm JavaScript Ecosystem. Credit: Kenichi Matsumoto

Researchers from Japan have used socio-technical techniques to measure the congruence between the network of contributors to open-source programming libraries and the dependencies of that library within the ecosystem. This work suggests that the level of matching between the network of contributors and networks of dependencies could be used as an indicator of libraries at risk of becoming inactive.

The modern computer programs that run your favorite apps or websites can be extremely large, often measured in millions of lines of code. This is obviously much more complex than can be handled by any one individual. Most programming languages therefore rely on specialized modules called third-party libraries to accomplish specific tasks. These libraries are often open-source and freely available to anyone who wants to download and use them.

For example, programmers in JavaScript have access to over one million libraries, while there are more than 300,000 libraries for the Python community. The libraries themselves often rely on each other, with the typical library requiring the use of about five others. However, the ecosystem of interconnected libraries and their dependencies on each other is poorly understood, which is concerning since a failure in one could have cascading effects on the entire system.

Sustained contributions are crucial, because the dependencies of any one library on others must be constantly updated in response to changes. However, maintainers of these libraries are often overworked and often contribute as unpaid volunteers.

Now, a team of researchers at Nara Institute of Science and Technology (NAIST) studied these networks by defining a metric called “dependency-contribution congruence” (DC congruence), which measures how closely the network of library dependencies matches the network of contributor changes. The congruence metric is largest when the same contributor makes changes to both a library and its dependents.

“We found that DC congruence shares an inverse relationship with the likelihood that a library becomes dormant. Specifically, a library is less likely to become dormant if the contributions are congruent with upgrading dependencies,” says first author Supatsara Wattanakriengkrai. The team measured the DC congruence within the npm ecosystem of JavaScript libraries and analyzed over 5.3 million change commits across 107,242 different libraries.

“Peaks in our generated metrics correlate with important ecosystem events,” says senior author Kenichi Matsumoto.

This research may help keep software running and identify fragile points in the dependency network, and may ultimately encourage dependency contributions that support the maintenance of interdependent third-party libraries used in software development.

The study is published in the journal IEEE Transactions on Software Engineering.

More information:
Supatsara Wattanakriengkrai et al, Giving Back: Contributions Congruent to Library Dependency Changes in a Software Ecosystem, IEEE Transactions on Software Engineering (2022). DOI: 10.1109/TSE.2022.3225197

Provided by
Nara Institute of Science and Technology

Network analysis to identify open-source software libraries about to become dormant (2022, December 21)
retrieved 21 December 2022

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.