Fri 19 Jul 2024 10:30 - 11:00 at Lounge - Poster Session 4

Modern software systems are increasingly dependent upon code from external packages (i.e., dependencies). Building upon external packages boosts developer productivity and allows software reuse to seamlessly span across projects. Package maintainers regularly release updated versions to provide new features, fix defects, and address security vulnerabilities. Due to the potential for regression, managing dependencies is not just a trivial matter of selecting the latest versions. Since it is perceived to be less risky to retain a dependency than remove it, as projects evolve, they tend to accrue dependencies, exacerbating the difficulty of dependency management. It is not uncommon for a considerable proportion of external packages to be unused by the projects that list them as a dependency. Although such unused dependencies are not required to build and run the project, updates to their dependency specifications will still trigger Continuous Integration (CI) builds. The CI builds that are initiated by updates to unused dependencies are fundamentally wasteful. Considering that CI build time is a finite resource that is directly associated with project development and service operational costs, understanding the consequences of unused dependencies within this CI context is of practical importance.

In this paper, we conduct the first study on the CI waste that is generated by updates to unused dependencies. We collect a dataset of 20,743 commits that are solely updating dependency specifications (i.e., the package.json file) and their corresponding builds, spanning 1,487 projects that adopt Node Package Manager (NPM) for managing their dependencies. Our findings illustrate that 55.88% of the build time that is associated with dependency updates is only triggered by unused dependencies. At the project level, the median project spends 54.45% of its dependency-related build time on updates to unused dependencies. Moreover, we find that automated bots are the primary producers of dependency-induced CI waste, contributing 89.12% of the build time that is spent on unused dependencies. The popular Dependabot is responsible for updates to unused dependencies that account for 74.52% of that waste.

To mitigate the impact of unused dependencies on CI resources, we introduce Dep-sCImitar, an approach to cut down wasted CI time by identifying and skipping CI builds that are triggered due to unused-dependency commits. A retrospective evaluation of the 20,743 studied commits shows that Dep-sCImitar reduces 68.34% of the wasted CI build time by skipping wasteful builds with a precision of 94%. We make this approach available as a prototype tool that can be integrated with any JavaScript project that uses NPM for handling dependencies to automatically skip CI builds that are triggered by unused-dependency commits.
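A minimal sketch of the skip decision described above, added here as an illustration; it is not taken from Dep-sCImitar or the paper. It assumes the commit touches only package.json and approximates "used" by import/require specifiers plus names that appear in npm scripts; all function names and the sample manifests are constructed for this example.

```javascript
// Added illustration, not Dep-sCImitar's code; every name here is hypothetical.
const DEP_FIELDS = ["dependencies", "devDependencies"];

// Packages whose version specifier was added, removed or changed.
function changedDependencies(oldManifest, newManifest) {
  const changed = new Set();
  for (const field of DEP_FIELDS) {
    const before = oldManifest[field] || {};
    const after = newManifest[field] || {};
    for (const name of Object.keys({ ...before, ...after })) {
      if (before[name] !== after[name]) changed.add(name);
    }
  }
  return changed;
}

// Package names referenced by require()/import in the given source texts.
function importedPackages(sources) {
  const used = new Set();
  const pattern = /(?:require\s*\(\s*|import\s*\(\s*|from\s+|import\s+)["']([^"']+)["']/g;
  for (const text of Object.values(sources)) {
    for (const [, spec] of text.matchAll(pattern)) {
      if (spec.startsWith(".") || spec.startsWith("/")) continue; // local file
      const parts = spec.split("/");
      used.add(spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
    }
  }
  return used;
}

// Conservative heuristic: a tool named in an npm script counts as used.
function usedInScripts(name, manifest) {
  return Object.values(manifest.scripts || {}).some((cmd) => cmd.split(/\s+/).includes(name));
}

// Skip only when every changed dependency is unused; otherwise build.
function shouldSkipBuild(oldManifest, newManifest, sources) {
  const changed = [...changedDependencies(oldManifest, newManifest)];
  const used = changed.filter((n) => importedPackages(sources).has(n) || usedInScripts(n, newManifest));
  return { skip: changed.length > 0 && used.length === 0, changed, used };
}

// Constructed sample: lodash is imported, mocha runs via a script, left-pad is never referenced.
const base = { scripts: { test: "mocha test/" },
  dependencies: { lodash: "^4.17.20", "left-pad": "^1.2.0" }, devDependencies: { mocha: "^10.0.0" } };
const sources = { "src/index.js": 'const _ = require("lodash");\nimport fs from "node:fs";' };
const bumpUnused = { ...base, dependencies: { ...base.dependencies, "left-pad": "^1.3.0" } };
const bumpUsed = { ...base, dependencies: { ...base.dependencies, lodash: "^4.17.21" } };
const bumpTool = { ...base, devDependencies: { mocha: "^10.2.0" } };
console.log(shouldSkipBuild(base, bumpUnused, sources).skip);
```

Static matching of this kind misses packages loaded through computed require() paths or tool configuration files, so an integration built on it should fall back to running the build whenever usage cannot be ruled out.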

Fri 19 Jul

Displayed time zone: Brasilia, Distrito Federal, Brazil

10:30 - 11:00
Poster Session 4
Posters at Lounge
10:30
30m
Poster
Understanding the Impact of APIs Behavioral Breaking Changes on Client Applications
Posters
Dhanushka Jayasuriya University of Auckland, Valerio Terragni University of Auckland, Jens Dietrich Victoria University of Wellington, Kelly Blincoe University of Auckland
10:30
30m
Poster
Your Code Secret Belongs to Me: Neural Code Completion Tools Can Memorize Hard-coded Credentials
Posters
Yizhan Huang The Chinese University of Hong Kong, Yichen LI The Chinese University of Hong Kong, Weibin Wu Sun Yat-sen University, Jianping Zhang The Chinese University of Hong Kong, Michael Lyu The Chinese University of Hong Kong
10:30
30m
Poster
Natural Is The Best: Model-Agnostic Code Simplification for Pre-trained Large Language Models
Posters
Yan Wang Central University of Finance and Economics, Xiaoning Li Central University of Finance and Economics, Tien N. Nguyen University of Texas at Dallas, Shaohua Wang Central University of Finance and Economics, Chao Ni School of Software Technology, Zhejiang University, Ling Ding Central University of Finance and Economics
10:30
30m
Poster
PyRadar: Towards Automatically Retrieving and Validating Source Code Repository Information for PyPI Packages
Posters
Kai Gao Peking University, Weiwei Xu Peking University, Wenhao Yang Peking University, Minghui Zhou Peking University
10:30
30m
Poster
"The Law Doesn’t Work Like a Computer": Exploring Software Licensing Issues Faced by Legal Practitioners
Posters
Nathan Wintersgill William & Mary, Trevor Stalnaker William & Mary, Laura A. Heymann William & Mary, Oscar Chaparro William & Mary, Denys Poshyvanyk William & Mary
10:30
30m
Poster
RavenBuild: Context, Relevance, and Dependency Aware Build Outcome Prediction
Posters
Gengyi Sun University of Waterloo, Sarra Habchi Ubisoft Montréal, Shane McIntosh University of Waterloo
10:30
30m
Poster
MirrorFair: Fixing Fairness Bugs in Machine Learning Software via Counterfactual Predictions
Posters
Ying Xiao King's College London / Southern University of Science and Technology, Jie M. Zhang King's College London, Yepang Liu Southern University of Science and Technology, Mohammad Reza Mousavi King's College London, Sicen Liu Southern University of Science and Technology, Dingyuan Xue Southern University of Science and Technology
10:30
30m
Poster
Do Code Generation Models Think Like Us? - A Study of Attention Alignment between Large Language Models and Human Programmers
Posters
Bonan Kou Purdue University, Shengmai Chen Purdue University, Zhijie Wang University of Alberta, Lei Ma The University of Tokyo & University of Alberta, Tianyi Zhang Purdue University
10:30
30m
Poster
Dependency-Induced Waste in Continuous Integration: An Empirical Study on NPM Dependencies
Posters
Nimmi Weeraddana University of Waterloo, Mahmoud Alfadel University of Waterloo, Shane McIntosh University of Waterloo
10:30
30m
Poster
A Miss Is as Good as A Mile: Metamorphic Testing for Deep Learning Operators
Posters
Jinyin Chen Zhejiang University of Technology, Chengyu Jia Zhejiang University of Technology, Yunjie Yan Zhejiang University of Technology, Jie Ge Zhejiang University of Technology, haibin zheng Zhejiang University of Technology, Yao Cheng TÜV SÜD Asia Pacific Pte. Ltd.
10:30
30m
Poster
Investigating Documented Privacy Changes in Android OS
Posters
Chuan Yan University of Queensland, Mark Huasong Meng National University of Singapore, Fuman Xie University of Queensland, Guangdong Bai University of Queensland
10:30
30m
Poster
Analyzing Quantum Programs with LintQ: A Static Analysis Framework for Qiskit
Posters
Matteo Paltenghi University of Stuttgart, Michael Pradel University of Stuttgart
10:30
30m
Poster
Generative AI for Pull Request Descriptions: Adoption, Impact, and Developer Interventions
Posters
Tao Xiao Nara Institute of Science and Technology, Hideaki Hata Shinshu University, Christoph Treude Singapore Management University, Kenichi Matsumoto Nara Institute of Science and Technology
10:30
30m
Poster
Bloat beneath Python's Scales: A Fine-Grained Inter-Project Dependency Analysis
Posters
Georgios-Petros Drosos ETH Zurich, Thodoris Sotiropoulos ETH Zurich, Diomidis Spinellis Athens University of Economics and Business & Delft University of Technology, Dimitris Mitropoulos University of Athens

Information for Participants
Info for room Lounge:

This room is conjoined with the Foyer to provide additional space for the coffee break, and hold poster presentations throughout the event.