Removing dependencies from large software projects: Are you really sure?

Ching-Chi Chuang, Luis Cruz, Robbert van Dalen, Vladimir Mikovski, Arie van Deursen

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

Abstract

When developing and maintaining large software systems, a great deal of effort goes into dependency management. During the whole lifecycle of a software project, the set of dependencies keeps changing to accommodate the addition of new features or changes in the running environment. Package management tools are quite popular to automate this process, making it fairly easy to automate the addition of new dependencies and respective versions. However, over the years, a software project might evolve in a way that no longer needs a particular technology or dependency. But the choice of removing that dependency is far from trivial: one cannot be entirely sure that the dependency is not used in any part of the project. Hence, developers have a hard time confidently removing dependencies and trusting that it will not break the system in production. In this paper, we propose a decision framework to improve the detection of unused dependencies. Our approach builds on top of the existing dependency analysis tool DepClean. We start by improving the support of Java dynamic features in DepClean. We do so by augmenting the analysis with the state-of-the-art call graph generation tool OPAL. Then, we analyze the potentially unused dependencies detected by classifying their logical relationship with the other components to decide on follow-up steps, which we provide in the form of a decision diagram. Results show that developers can focus their efforts on maintaining bloated dependencies by following the recommendations of our decision framework. When applying our approach to a large industrial software project, we can reduce one-third of false positives when compared to the state-of-the-art. We also validate our approach by analyzing dependencies that were removed in the history of open-source projects. Results show consistency between our approach and the decisions taken by open-source developers.
Original language: English
Title of host publication: Proceedings of the 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)
Editors: C. Ceballos
Place of Publication: Piscataway
Publisher: IEEE
Pages: 105-115
Number of pages: 11
ISBN (Electronic): 978-1-6654-9609-4
ISBN (Print): 978-1-6654-9610-0
Publication status: Published - 2022
Event: 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM) - Limassol, Cyprus
Duration: 3 Oct 2022 → 3 Oct 2022
Conference number: 22nd

Conference

Conference: 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)
Country/Territory: Cyprus
City: Limassol
Period: 3/10/22 → 3/10/22

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

  • unused dependencies
  • call graph generation
  • static analysis