When studying for a doctoral degree (PhD), candidates submit a thesis that provides a critical review of the current state of knowledge of the thesis subject as well as the student’s own contributions to the subject. The distinguishing criterion of doctoral graduate research is a significant and original contribution to knowledge.
Once accepted, the candidate presents the thesis orally. This oral exam is open to the public.
Software ecosystems give developers the opportunity to accelerate development by relying on third-party dependencies. Developers use third-party packages to increase productivity and improve quality. However, the growing reliance on third-party dependencies has brought dependency-related challenges to the fore. Developers need to be aware of these challenges and be equipped with techniques to mitigate their impact. Poorly managed third-party dependencies can expose a project to breaking changes, bugs and vulnerabilities, all of which degrade software quality. In this thesis, we use a mixture of quantitative and qualitative methods to understand dependency management challenges in the npm ecosystem and to provide actionable mitigation techniques that help developers manage their dependencies better.
We first study, catalog and quantify recurring patterns of dependency mismanagement in the npm ecosystem and provide evidence of their prevalence and accumulation over time. In the second part of the thesis, we analyze the relationship between the characteristics of npm packages and how the community uses them. We propose a technique that lets developers choose an update strategy for each direct dependency based on that package's individual characteristics. In the last part of the thesis, we focus on transitive dependencies and quantify how dependency decisions affect a project's continued exposure to security vulnerabilities. We propose a technique for selecting dependencies that limits the propagation of vulnerabilities into the dependent project. Throughout the research, we identify implications that can serve both researchers and practitioners.
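The last part of the abstract concerns vulnerabilities that reach a project only through transitive dependencies, which is why a direct dependency can expose a project to a flaw it never installed on purpose. The script below is an added illustration of that propagation and is not code from the thesis or from any tool it proposes. The dependency graph, package names, version numbers and advisory list are all constructed for the example, and exact-version matching stands in for the semver ranges that real advisories use; a real tool would build the graph from package-lock.json and query the npm advisory database.

```javascript
// Constructed dependency graph: each installed package, its resolved
// version and the names of the packages it depends on. Nothing here is
// real registry data.
const graph = {
  "web-framework":   { version: "4.2.0", dependencies: ["http-parser", "utils"] },
  "build-tool":      { version: "2.0.1", dependencies: ["utils", "template-engine"] },
  "http-parser":     { version: "1.3.5", dependencies: [] },
  "utils":           { version: "0.9.2", dependencies: ["deep-merge"] },
  "template-engine": { version: "3.1.0", dependencies: ["deep-merge"] },
  "deep-merge":      { version: "1.0.4", dependencies: [] },
};

// Direct dependencies declared by the (constructed) project.
const directDependencies = ["web-framework", "build-tool"];

// Constructed advisories: package name -> affected versions. Real advisories
// carry semver ranges; exact versions keep this example dependency-free.
const advisories = {
  "deep-merge":  ["1.0.4", "1.0.5"],
  "http-parser": ["1.2.0"],
};

function isVulnerable(name, version) {
  const affected = advisories[name];
  return Array.isArray(affected) && affected.includes(version);
}

// Depth-first walk from one package, collecting every path that ends at a
// vulnerable package. `visited` is per path so that a package reachable
// through two parents is reported twice, once per route, while cycles stop.
function exposurePaths(start, path = [], visited = new Set()) {
  const node = graph[start];
  if (!node || visited.has(start)) return [];
  const here = [...path, `${start}@${node.version}`];
  const found = isVulnerable(start, node.version) ? [here] : [];
  const nextVisited = new Set(visited).add(start);
  for (const dep of node.dependencies) {
    found.push(...exposurePaths(dep, here, nextVisited));
  }
  return found;
}

// For each direct dependency: the vulnerable packages it pulls in and the
// exact routes through which it does so.
function exposureByDirectDependency() {
  const report = {};
  for (const direct of directDependencies) {
    const paths = exposurePaths(direct);
    report[direct] = {
      paths,
      vulnerablePackages: [...new Set(paths.map((p) => p[p.length - 1]))].sort(),
    };
  }
  return report;
}

// Vulnerable packages reachable through more than one direct dependency.
// Dropping or downgrading a single direct dependency cannot remove these;
// they need an upstream fix or an override of the transitive version.
function sharedExposures(report) {
  const counts = {};
  for (const { vulnerablePackages } of Object.values(report)) {
    for (const pkg of vulnerablePackages) counts[pkg] = (counts[pkg] || 0) + 1;
  }
  return Object.keys(counts).filter((pkg) => counts[pkg] > 1).sort();
}

// Stand-alone run: print each route so the reader can see where the
// exposure enters the tree.
const report = exposureByDirectDependency();
for (const [direct, { paths }] of Object.entries(report)) {
  for (const route of paths) console.log(`${direct}: ${route.join(" -> ")}`);
}
console.log("reachable via multiple direct dependencies:", sharedExposures(report));
```

In this constructed tree, removing either direct dependency on its own does not remove `deep-merge@1.0.4`, since both `web-framework` and `build-tool` reach it; that is the situation the thesis's dependency-selection technique is meant to account for, and it is the case a practitioner should check before concluding that a single upgrade closes an exposure.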