Navigating Dependency Abandonment
328 | Sat 03 Aug 4:30 p.m.–5:15 p.m.
Presented by
-
Bogdan Vasilescu
@b_vasilescu
https://bvasiles.github.io
Bogdan Vasilescu is an Associate Professor at Carnegie Mellon University, where he leads STRUDEL, the Socio-Technical Research Using Data Excavation Lab. With a spatula in one hand, a keyboard in the other, and a pantry full of data mining and social network analysis techniques, Bogdan whips up delectable recipes for improving the sustainability of open-source software. His work focuses on the socio-technical aspects of online collaboration in open source to inform evidence-based interventions supporting developers and communities. He has a PhD in computer science from Eindhoven University of Technology, where he learned how to make delicious strudels with empirical research methods. While at CMU, he has received several awards for his research, including the Ric Holt Early Career Achievement Award and multiple ACM SIGSOFT Distinguished Paper Awards.
-
Courtney Miller
@courtneyelta
https://courtney-e-miller.github.io
Courtney Miller is a 4th year Ph.D. student in the School of Computer Science at Carnegie Mellon University co-advised by Bogdan Vasilescu and Christian Kästner. Prior to joining CMU, she graduated from New College of Florida with her BA in Computer Science and Statistics. Her primary research interests are open source sustainability and supply chain security, empirical software engineering research, and developer productivity, coordination, and communication. She is an NSF GRFP Fellow and has two Distinguished Paper Awards at premier venues in software engineering.
In her work, she uses a multi-dimensional empirical approach to understand and improve the socio-technical challenges faced by developers within software development and maintenance processes. More specifically, she is passionate about supporting developers and teams by designing mixed-methods research protocols combining human-centered qualitative techniques with large-scale data-driven statistical analysis, modeling, and visualization to develop insights and inform the design of custom solutions.
Bogdan Vasilescu
@b_vasilescu
https://bvasiles.github.io
Courtney Miller
@courtneyelta
https://courtney-e-miller.github.io
Abstract
Many developers relying on open-source digital infrastructure expect continuous maintenance, but even the most critical packages can become unmaintained. Despite this, there is little understanding of the prevalence of abandonment of widely-used packages, of subsequent exposure, and of reactions to abandonment in practice, or the factors that influence them. We did two research studies to address this gap.
First, we interviewed 33 developers who have experienced dependency abandonment, and learned that many felt they had little to no support or guidance when facing abandonment, leaving them to figure out what to do through a trial-and-error process on their own. Often, people used multiple strategies to cope with abandonment, for example, first reaching out to the community to find potential alternatives, then switching to a community-accepted alternative if one exists.
Second, we quantitatively analyzed all widely-used npm packages and found that abandonment is common among them, that abandonment exposes many projects which often do not respond, that responses correlate with other dependency management practices, and that removal is significantly faster when a projects end-of-life status is explicitly stated.
This talk reviews the results of these two studies, and ends with recommendations to both researchers and practitioners who are facing dependency abandonment or are sunsetting projects, such as opportunities for low-effort transparency mechanisms to help exposed projects make better, more informed decisions.
The slide deck can be viewed here: https://cmustrudel.github.io/slides/fossy24-dependency-abandonment.pdf
Many developers relying on open-source digital infrastructure expect continuous maintenance, but even the most critical packages can become unmaintained. Despite this, there is little understanding of the prevalence of abandonment of widely-used packages, of subsequent exposure, and of reactions to abandonment in practice, or the factors that influence them. We did two research studies to address this gap. First, we interviewed 33 developers who have experienced dependency abandonment, and learned that many felt they had little to no support or guidance when facing abandonment, leaving them to figure out what to do through a trial-and-error process on their own. Often, people used multiple strategies to cope with abandonment, for example, first reaching out to the community to find potential alternatives, then switching to a community-accepted alternative if one exists. Second, we quantitatively analyzed all widely-used npm packages and found that abandonment is common among them, that abandonment exposes many projects which often do not respond, that responses correlate with other dependency management practices, and that removal is significantly faster when a projects end-of-life status is explicitly stated. This talk reviews the results of these two studies, and ends with recommendations to both researchers and practitioners who are facing dependency abandonment or are sunsetting projects, such as opportunities for low-effort transparency mechanisms to help exposed projects make better, more informed decisions. The slide deck can be viewed here: https://cmustrudel.github.io/slides/fossy24-dependency-abandonment.pdf