Motivating Version Range Adoption in Maven Through Quantified Trust

Bachelor Thesis (2025)
Author(s)

G.P.F. Hoedemaker (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

C.R. Paulsen – Mentor (TU Delft - Software Engineering)

S. Proksch – Mentor (TU Delft - Software Engineering)

G. Iosifidis – Graduation committee member (TU Delft - Networked Systems)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
24-06-2025
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project
Programme
Computer Science and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

As open-source projects grow in size and incorporate more and more external dependencies, developers increasingly rely on dependency managers such as Maven to manage version conflicts and automate dependency resolution. However, developers are often unaware of vulnerabilities in their dependencies, or do not prioritise security because of the effort required to update dependencies, an effort that stems from a lack of compliance with Semantic Versioning policies. This paper aims to motivate greater adoption of version ranges by empirically analysing a large selection of open-source Maven projects to determine the impact of fixed versions compared to version ranges and to identify opportunities for safe updates. It also proposes TeSTer, a conceptual command-line tool that analyses dependencies and provides insight into security practices, release frequency, and SemVer compliance, to support informed decisions when incorporating dependencies in a project.

Files

License info not available
Final_Research_Poster_v2.pdf
(pdf | 0.416 Mb)