Präzi: From Package-based to Call-based Dependency Networks

by   Joseph Hejderup, et al.

Software reuse has emerged as one of the most crucial elements of modern software development. The standard way to study the dependency networks caused by reuse is to infer relationships between software packages through the manifests in the packages' repositories. Such networks can help answer important questions like "How many packages depend on packages with known security issues?" or "What are the most used packages?". However, an important overlooked aspect of current networks is that manifest-inferred relationships do not necessarily describe how, or whether, these dependencies are actually used in the code. To better model dependencies between packages, we devise Präzi, an approach combining manifests and call graphs of packages. Präzi constructs a fine-grained dependency network at the function level instead of at the manifest level. For this paper, we provide a prototypical Präzi implementation for the popular systems programming language Rust. Using it, we replicate a recent evolution study characterizing Rust's package repository, Cratesio, on the function level. Our results identify new key characteristics and developments of Cratesio: i) 49 Cratesio target a function in a dependency, suggesting prevalent reuse of dependencies, ii) packages call 40 iii) package maintainers make nearly 7 new calls to their dependencies biannually, and iv) packages have two to three times more indirect callers than direct callers of their APIs. These results show that current analyses of manifest-level dependency networks are not sufficient to understand how packages use each other.
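The abstract contrasts a manifest-level dependency network with a call-based one. The following added example (not code from the Präzi project or the paper) shows the difference on constructed data: package manifests declare dependencies, while cross-package call edges record which dependency functions are actually invoked. From those two inputs it derives the kind of figures the abstract reports: the share of packages that call into a dependency, the share of declared dependencies that are ever called, and the direct versus indirect callers of one package's API. The package and function names, and the rule that an "indirect" caller is a package reaching the API only through another package's function, are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample manifests (not real crates): package -> declared dependencies.
MANIFESTS = {
    "app": ["serde_like", "log_like"],
    "serde_like": ["log_like"],
    "log_like": [],
    "unused_dep_user": ["log_like"],  # declares log_like but never calls it
}

# Constructed function-level call edges: (caller pkg, fn) -> (callee pkg, fn).
CALLS = [
    (("app", "main"), ("serde_like", "to_json")),
    (("serde_like", "to_json"), ("log_like", "debug")),
    (("unused_dep_user", "run"), ("unused_dep_user", "helper")),  # intra-package only
]


def used_dependencies(manifests, calls):
    """Per package: (declared dependencies, declared dependencies actually called)."""
    result = {}
    for pkg, deps in manifests.items():
        called = {callee[0] for caller, callee in calls
                  if caller[0] == pkg and callee[0] != pkg}
        result[pkg] = (set(deps), called & set(deps))
    return result


def reuse_summary(manifests, calls):
    """Fraction of packages calling into any dependency, and fraction of
    declared dependency edges that carry at least one call."""
    usage = used_dependencies(manifests, calls)
    pkgs_calling_dep = sum(1 for _, called in usage.values() if called)
    declared = sum(len(deps) for deps, _ in usage.values())
    called = sum(len(c) for _, c in usage.values())
    return pkgs_calling_dep / len(usage), called / declared


def _reachable(start, graph):
    """Functions reachable from `start` in the function-level call graph (DFS)."""
    seen, stack = set(), [start]
    while stack:
        fn = stack.pop()
        for nxt in graph.get(fn, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def callers_of_api(pkg, calls):
    """Direct callers: packages with a call edge straight into `pkg`.
    Indirect callers (assumed definition): packages whose functions reach `pkg`
    only transitively, through some other package's function."""
    graph = defaultdict(set)
    for caller, callee in calls:
        graph[caller].add(callee)
    functions = {fn for edge in calls for fn in edge}
    direct = {caller[0] for caller, callee in calls
              if callee[0] == pkg and caller[0] != pkg}
    reaching = {fn[0] for fn in functions if fn[0] != pkg
                and any(target[0] == pkg for target in _reachable(fn, graph))}
    return direct, reaching - direct - {pkg}


if __name__ == "__main__":
    for pkg, (declared, called) in used_dependencies(MANIFESTS, CALLS).items():
        print(f"{pkg}: declared={sorted(declared)} called={sorted(called)}")
    print("reuse summary:", reuse_summary(MANIFESTS, CALLS))
    print("callers of log_like (direct, indirect):", callers_of_api("log_like", CALLS))
```

On the sample data, `unused_dep_user` shows the gap the abstract describes: the manifest network records an edge to `log_like`, but the call-based network has none. `log_like` has one direct caller (`serde_like`) and one indirect caller (`app`, which only reaches `log_like::debug` via `serde_like::to_json`).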




