A Large Scale Analysis of Semantic Versioning in NPM

by   Donald Pinckney, et al.

The NPM package repository contains over two million packages and serves tens of billions of downloads per-week. Nearly every single JavaScript application uses the NPM package manager to install packages from the NPM repository. NPM relies on a "semantic versioning" ('semver') scheme to maintain a healthy ecosystem, where bug-fixes are reliably delivered to downstream packages as quickly as possible, while breaking changes require manual intervention by downstream package maintainers. In order to understand how developers use semver, we build a dataset containing every version of every package on NPM and analyze the flow of updates throughout the ecosystem. We build a time-travelling dependency resolver for NPM, which allows us to determine precisely which versions of each dependency would have been resolved at different times. We segment our analysis to allow for a direct analysis of security-relevant updates (those that introduce or patch vulnerabilities) in comparison to the rest of the ecosystem. We find that when developers use semver correctly, critical updates such as security patches can flow quite rapidly to downstream dependencies in the majority of cases (90.09 does not always occur, due to developers' imperfect use of both semver version constraints and semver version number increments. Our findings have implications for developers and researchers alike. We make our infrastructure and dataset publicly available under an open source license.


page 6

page 8


I depended on you and you broke me: An empirical study of manifesting breaking changes in client packages

Complex software systems have a network of dependencies. Developers ofte...

npm-follower: A Complete Dataset Tracking the NPM Ecosystem

Software developers typically rely upon a large network of dependencies ...

Meta-Maintanance for Dockerfiles: Are We There Yet?

Docker allows for the packaging of applications and dependencies, and it...

Putting the Semantics into Semantic Versioning

The long-standing aspiration for software reuse has made astonishing str...

Accelerating package expansion in Rust through development of a semantic versioning tool

In many programming languages there exist countless nuances, making deve...

Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages

Vulnerabilities in open source packages can be a security risk for the c...

Please sign up or login with your details

Forgot password? Click here to reset