Structure and Evolution of Package Dependency Networks

Riivo Kikas, Georgios Gousios, Marlon Dumas, Dietmar Pfahl

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review



Software developers often include available open-source software packages in their projects to minimize redundant effort. However, adding a package to a project can also introduce risks, which can propagate through multiple levels of dependencies. Currently, not much is known about the structure of open-source package ecosystems of popular programming languages and the extent to which transitive bug propagation is possible. This paper analyzes the dependency network structure and evolution of the JavaScript, Ruby, and Rust ecosystems. The reported results reveal significant differences across language ecosystems. The results indicate that the number of transitive dependencies for JavaScript has grown 60% over the last year, suggesting that developers should look more carefully into their dependencies to understand what exactly is included. The study also reveals that vulnerability to the removal of the most popular package is increasing, yet most other packages have a decreasing impact on vulnerability. The findings of this study can inform the development of dependency management tools.
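The two quantities the abstract reasons about, the size of a package's transitive dependency set and the share of the ecosystem that breaks if one package is removed, can both be computed from a dependency graph by reachability. The following is an added worked example, not code from the paper or its authors: the package graph `SAMPLE_DEPS` is constructed for illustration (it is not npm, RubyGems or crates.io data), and the function names are this example's own. It generalizes the abstract's two measurements to any directed package graph and tolerates dependency cycles.

```python
"""Worked example (added; not from Kikas et al.): transitive dependency
counts and removal impact over a constructed package dependency graph."""
from collections import deque

# Constructed sample graph: package -> set of its direct dependencies.
# Edges point from a dependent to the package it requires.
SAMPLE_DEPS = {
    "app":  {"web", "log"},
    "web":  {"http", "util"},
    "http": {"util"},
    "log":  {"util"},
    "util": set(),
    "cli":  {"log"},
}


def transitive_deps(graph, pkg):
    """All packages reachable from pkg over dependency edges (direct and
    transitive), excluding pkg itself. BFS with a visited set, so cycles
    between packages do not loop forever."""
    seen = set()
    queue = deque(graph.get(pkg, ()))
    while queue:
        dep = queue.popleft()
        if dep == pkg or dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, ()))
    return seen


def reverse_graph(graph):
    """Flip every edge: package -> set of packages that depend on it directly.
    Dependencies that are not themselves keys in graph still get an entry."""
    rev = {p: set() for p in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def removal_impact(graph, pkg):
    """Packages that would no longer resolve if pkg disappeared from the
    registry: every direct or transitive dependent of pkg. This is the
    'vulnerability to removal' notion from the abstract, computed as
    reachability in the reversed graph."""
    return transitive_deps(reverse_graph(graph), pkg)


def vulnerability_profile(graph):
    """(package, fraction of ecosystem broken by its removal), most critical
    first; ties broken by name so the ordering is deterministic."""
    total = len(graph)
    rows = [(p, len(removal_impact(graph, p)) / total) for p in graph]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def mean_transitive_deps(graph):
    """Average transitive dependency count per package, the per-ecosystem
    figure whose growth the abstract reports for JavaScript."""
    return sum(len(transitive_deps(graph, p)) for p in graph) / len(graph)


if __name__ == "__main__":
    print("app pulls in:", sorted(transitive_deps(SAMPLE_DEPS, "app")))
    for pkg, share in vulnerability_profile(SAMPLE_DEPS):
        print(f"removing {pkg:5s} breaks {share:.0%} of the ecosystem")
    print(f"mean transitive deps: {mean_transitive_deps(SAMPLE_DEPS):.2f}")
```

On the sample graph, `app` declares two dependencies but transitively pulls in four packages, and `util`, which nothing in the graph depends on directly except `http`, `web` and `log`, breaks five of the six packages if removed. Running the same two functions over two registry snapshots gives the growth and removal-vulnerability trends the paper tracks.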
Original language: English
Title of host publication: Proceedings - 2017 IEEE/ACM 14th International Conference on Mining Software Repositories, MSR 2017
Editors: R. Bilof
Place of publication: Piscataway
Number of pages: 11
ISBN (Electronic): 978-1-5386-1544-7
ISBN (Print): 978-1-5386-1545-4
Publication status: Published - May 2017
Event: MSR 2017: 14th International Conference on Mining Software Repositories - Buenos Aires, Argentina
Duration: 20 May 2017 - 21 May 2017
Conference number: 14


Conference: MSR 2017
Abbreviated title: MSR
City: Buenos Aires

Bibliographical note: Accepted author manuscript


  • Ecosystems
  • Computer languages
  • Computer bugs
  • Tools
  • Libraries
  • Software packages


