Everybody needs somebody

Information Science 2022/12/21

NAIST researchers employ network analysis methods from social science to study volunteer contributions to open-source software libraries, and find correlations between dependency networks and viability, which may identify libraries about to become dormant.

Researchers from Japan have used socio-technical techniques to measure the congruence between the network of contributors to open-source programming libraries and the dependencies of that library within the ecosystem. This work suggests that the level of matching between the network of contributors and networks of dependencies could be used as an indicator of libraries at risk of becoming inactive.

The modern computer programs that run your favorite apps or websites can be extremely large, often measured in millions of lines of code. This is obviously much more complex than can be handled by any one individual. Most programming languages therefore rely on specialized modules called third-party libraries to accomplish specific tasks. These libraries are often open-source and freely available to anyone who wants to download and use them. For example, programmers in JavaScript have access to over one million libraries, while there are more than 300,000 libraries for the Python community. The libraries themselves often rely on each other, with the typical library requiring the use of about five others. However, the ecosystem of interconnected libraries and their dependencies on each other is poorly understood, which is concerning since a failure in one could have cascading effects on the entire system. Sustained contributions are crucial, because the dependencies of any one library on others must be constantly updated in response to changes. Yet maintainers of these libraries are often overworked, and they often contribute as unpaid volunteers.

Now, a team of researchers at Nara Institute of Science and Technology (NAIST) has studied these networks by defining a metric called "dependency-contribution congruence" (DC congruence), which measures how closely the network of library dependencies matches the network of contributor changes. The congruence metric is largest when the same contributor makes changes to both a library and its dependents. "We found that DC congruence shares an inverse relationship with the likelihood that a library becomes dormant. Specifically, a library is less likely to become dormant if the contributions are congruent with upgrading dependencies," says first author Supatsara Wattanakriengkrai. The team measured the DC congruence within the npm ecosystem of JavaScript libraries and analyzed over 5.3 million change commits across 107,242 different libraries. "Peaks in our generated metrics correlate with important ecosystem events," says senior author Kenichi Matsumoto.

This research may help keep software running and identify fragile points in the dependency network, and may ultimately encourage dependency contributions that support the maintenance of interdependent third-party libraries used in software development.

###

Resource
  • Title: Giving back: Contributions congruent to library dependency changes in a software ecosystem
  • Authors: Supatsara Wattanakriengkrai, Dong Wang, Raula Gaikovina Kula, Christoph Treude, Patanamon Thongtanunam, Takashi Ishio & Kenichi Matsumoto
  • Journal: IEEE Transactions on Software Engineering
  • DOI: 10.1109/TSE.2022.3225197
  • Information about the Software Engineering Laboratory can be found at the following
    website: https://isw3.naist.jp/Research/cs-se-en.html
Library-level DC congruence in npm JavaScript Ecosystem