Software Ecosystem Call Graph for Dependency Management

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

32 Citations (Scopus)
672 Downloads (Pure)


A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.
Original languageEnglish
Title of host publicationICSE-NIER'18 Proceedings of 40th International Conference on Software Engineering
Subtitle of host publicationNew Ideas and Emerging Results Track
Place of PublicationNew York, NY
PublisherAssociation for Computing Machinery (ACM)
Number of pages4
ISBN (Print)978-1-4503-5662-6
Publication statusPublished - 2018
EventICSE 2018: 40th International Conference on Software Engineering - Gothenburg, Sweden
Duration: 27 May 20183 Jun 2018
Conference number: 40


ConferenceICSE 2018
Internet address

Bibliographical note

R2 - Software Engineering in Other Domains
Accepted author manuscript


  • dependency management
  • software ecosystem
  • dependencies
  • call graph
  • program analysis


Dive into the research topics of 'Software Ecosystem Call Graph for Dependency Management'. Together they form a unique fingerprint.

Cite this