Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem

Mehdi Keshani; Gideon Bot; Priyam Rungta; Maliheh Izadi; Arie van Deursen; Sebastian Proksch

doi:10.1109/ICSME58944.2024.00016

Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem

Mehdi Keshani, Gideon Bot, Priyam Rungta, Maliheh Izadi, Arie van Deursen, Sebastian Proksch

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

Abstract

MAVEN is a popular dependency management tool and ecosystem used by millions of developers. However, the over-whelming amount of available open-source software and the lack of proper ecosystem governance pose risks to the security and effectiveness of the ecosystem. This necessitates a comprehensive understanding of the ecosystem to guide future decision-making and promote effective practices. Despite numerous studies on aspects of Maven,such as vulnerabilities, breaking changes, and bloated dependencies, a knowledge gap concerning its overall state and health still exists. This gap impedes the adoption of effective practices, potentially impacting the productivity and efficiency of projects and the ecosystem as a whole. This paper explores the fundamental aspects of the Mavenecosystem. We investigate the packaging practices of Mavenlibraries with a focus on the content of the libraries, their impact on the ecosystem and each other, and their evolution over time. Our goal is to provide insights into the ecosystem's practices and trends. To achieve this, we create a scalable infrastructure and collect a comprehensive dataset of 480K unique packages by randomly selecting one version from each Mavenproject. We use this dataset to analyze the content of Mavenreleases and their packaging practices. We discover three concerning practices that deserve the community's attention: various data inconsistencies within Maven,improper use of Mavenarchives, and exponential dependency growth. We discuss practical recommendations to mitigate these issues, such as implementing stricter release checks and dependency minimization during deployments. To help promote more research, we open our dataset and tools for public use.

Original language	English
Title of host publication	2024 IEEE International Conference on Software Maintenance and Evolution (ICSME)
Publisher	IEEE
Pages	50-62
Number of pages	13
ISBN (Electronic)	979-8-3503-9568-6
DOIs	https://doi.org/10.1109/ICSME58944.2024.00016
Publication status	Published - 2024
Event	40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024 - High Country Conference Center, Flagstaff, United States Duration: 6 Oct 2024 → 11 Oct 2024 https://conf.researchr.org/home/icsme-2024

Conference

Conference	40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024
Country/Territory	United States
City	Flagstaff
Period	6/10/24 → 11/10/24
Internet address	https://conf.researchr.org/home/icsme-2024

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

Bad practices
Maven
Software ecosystems

Access to Document

10.1109/ICSME58944.2024.00016

Maven_Unzipped_Exploring_the_Impact_of_Library_Packaging_on_the_EcosystemFinal published version, 406 KB

Cite this

@inproceedings{0285d69ba9834b9eb448733a1ed3067e,

title = "Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem",

abstract = "MAVEN is a popular dependency management tool and ecosystem used by millions of developers. However, the over-whelming amount of available open-source software and the lack of proper ecosystem governance pose risks to the security and effectiveness of the ecosystem. This necessitates a comprehensive understanding of the ecosystem to guide future decision-making and promote effective practices. Despite numerous studies on aspects of Maven,such as vulnerabilities, breaking changes, and bloated dependencies, a knowledge gap concerning its overall state and health still exists. This gap impedes the adoption of effective practices, potentially impacting the productivity and efficiency of projects and the ecosystem as a whole. This paper explores the fundamental aspects of the Mavenecosystem. We investigate the packaging practices of Mavenlibraries with a focus on the content of the libraries, their impact on the ecosystem and each other, and their evolution over time. Our goal is to provide insights into the ecosystem's practices and trends. To achieve this, we create a scalable infrastructure and collect a comprehensive dataset of 480K unique packages by randomly selecting one version from each Mavenproject. We use this dataset to analyze the content of Mavenreleases and their packaging practices. We discover three concerning practices that deserve the community's attention: various data inconsistencies within Maven,improper use of Mavenarchives, and exponential dependency growth. We discuss practical recommendations to mitigate these issues, such as implementing stricter release checks and dependency minimization during deployments. To help promote more research, we open our dataset and tools for public use.",

keywords = "Bad practices, Maven, Software ecosystems",

author = "Mehdi Keshani and Gideon Bot and Priyam Rungta and Maliheh Izadi and {van Deursen}, Arie and Sebastian Proksch",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; 40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024 ; Conference date: 06-10-2024 Through 11-10-2024",

year = "2024",

doi = "10.1109/ICSME58944.2024.00016",

language = "English",

pages = "50--62",

booktitle = "2024 IEEE International Conference on Software Maintenance and Evolution (ICSME)",

publisher = "IEEE",

address = "United States",

url = "https://conf.researchr.org/home/icsme-2024",

}

Keshani, M, Bot, G, Rungta, P, Izadi, M , van Deursen, A & Proksch, S 2024, Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem. in 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, pp. 50-62, 40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024, Flagstaff, Arizona, United States, 6/10/24. https://doi.org/10.1109/ICSME58944.2024.00016

TY - GEN

T1 - Maven Unzipped

T2 - 40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024

AU - Keshani, Mehdi

AU - Bot, Gideon

AU - Rungta, Priyam

AU - Izadi, Maliheh

AU - van Deursen, Arie

AU - Proksch, Sebastian

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2024

Y1 - 2024

N2 - MAVEN is a popular dependency management tool and ecosystem used by millions of developers. However, the over-whelming amount of available open-source software and the lack of proper ecosystem governance pose risks to the security and effectiveness of the ecosystem. This necessitates a comprehensive understanding of the ecosystem to guide future decision-making and promote effective practices. Despite numerous studies on aspects of Maven,such as vulnerabilities, breaking changes, and bloated dependencies, a knowledge gap concerning its overall state and health still exists. This gap impedes the adoption of effective practices, potentially impacting the productivity and efficiency of projects and the ecosystem as a whole. This paper explores the fundamental aspects of the Mavenecosystem. We investigate the packaging practices of Mavenlibraries with a focus on the content of the libraries, their impact on the ecosystem and each other, and their evolution over time. Our goal is to provide insights into the ecosystem's practices and trends. To achieve this, we create a scalable infrastructure and collect a comprehensive dataset of 480K unique packages by randomly selecting one version from each Mavenproject. We use this dataset to analyze the content of Mavenreleases and their packaging practices. We discover three concerning practices that deserve the community's attention: various data inconsistencies within Maven,improper use of Mavenarchives, and exponential dependency growth. We discuss practical recommendations to mitigate these issues, such as implementing stricter release checks and dependency minimization during deployments. To help promote more research, we open our dataset and tools for public use.

AB - MAVEN is a popular dependency management tool and ecosystem used by millions of developers. However, the over-whelming amount of available open-source software and the lack of proper ecosystem governance pose risks to the security and effectiveness of the ecosystem. This necessitates a comprehensive understanding of the ecosystem to guide future decision-making and promote effective practices. Despite numerous studies on aspects of Maven,such as vulnerabilities, breaking changes, and bloated dependencies, a knowledge gap concerning its overall state and health still exists. This gap impedes the adoption of effective practices, potentially impacting the productivity and efficiency of projects and the ecosystem as a whole. This paper explores the fundamental aspects of the Mavenecosystem. We investigate the packaging practices of Mavenlibraries with a focus on the content of the libraries, their impact on the ecosystem and each other, and their evolution over time. Our goal is to provide insights into the ecosystem's practices and trends. To achieve this, we create a scalable infrastructure and collect a comprehensive dataset of 480K unique packages by randomly selecting one version from each Mavenproject. We use this dataset to analyze the content of Mavenreleases and their packaging practices. We discover three concerning practices that deserve the community's attention: various data inconsistencies within Maven,improper use of Mavenarchives, and exponential dependency growth. We discuss practical recommendations to mitigate these issues, such as implementing stricter release checks and dependency minimization during deployments. To help promote more research, we open our dataset and tools for public use.

KW - Bad practices

KW - Maven

KW - Software ecosystems

UR - http://www.scopus.com/inward/record.url?scp=85215524322&partnerID=8YFLogxK

U2 - 10.1109/ICSME58944.2024.00016

DO - 10.1109/ICSME58944.2024.00016

M3 - Conference contribution

AN - SCOPUS:85215524322

SP - 50

EP - 62

BT - 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME)

PB - IEEE

Y2 - 6 October 2024 through 11 October 2024

ER -

Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem

Abstract

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this