Präzi: from package-based to call-based dependency networks

Joseph Hejderup*, Moritz Beller, Konstantinos Triantafyllou, Georgios Gousios

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

6 Downloads (Pure)

Abstract

Modern programming languages such as Java, JavaScript, and Rust encourage software reuse by hosting diverse and fast-growing repositories of highly interdependent packages (i.e., reusable libraries) for their users. The standard way to study the interdependence between software packages is to infer a package dependency network by parsing manifest data. Such networks help answer questions such as “How many packages have dependencies to packages with known security issues?” or “What are the most used packages?”. However, an overlooked aspect in existing studies is that manifest-inferred relationships do not necessarily examine the actual usage of these dependencies in source code. To better model dependencies between packages, we developed Präzi, an approach combining manifests and call graphs of packages. Präzi constructs a dependency network at the more fine-grained function-level, instead of at the manifest level. This paper discusses a prototypical Präzi implementation for the popular system programming language Rust. We use Präzi to characterize Rust’s package repository, Crates.io, at the function level and perform a comparative study with metadata-based networks. Our results show that metadata-based networks generalize how packages use their dependencies. Using Präzi, we find packages call only 40% of their resolved dependencies, and that manual analysis of 34 cases reveals that not all packages use a dependency the same way. We argue that researchers and practitioners interested in understanding how developers or programs use dependencies should account for its context—not the sum of all resolved dependencies.

Original languageEnglish
Article number102
Number of pages42
JournalEmpirical Software Engineering
Volume27
Issue number5
DOIs
Publication statusPublished - 2022

Keywords

  • Call graphs
  • Dependency network
  • Network analysis
  • Package manager
  • Package repository
  • Software ecosystem

Fingerprint

Dive into the research topics of 'Präzi: from package-based to call-based dependency networks'. Together they form a unique fingerprint.

Cite this