Analyzing Maintenance Activities of Software Libraries
Alexandros Tsakpinis
TL;DR
Industrial software increasingly relies on OSS libraries, yet active maintenance signals can be missing for some dependencies, especially transitive ones, creating security risks. The paper proposes a two-task framework of maintenance-label classification (multi-class: active, feature complete, dormant, inactive) and future maintenance activity prediction, incorporating direct and transitive dependencies via network measures such as PageRank. A dataset of extended maintenance features/labels across GitHub, PyPI, and Maven is planned, with classification and prediction methods evaluated and a case study on effort-awareness to quantify potential savings. The work aims to deliver an industry-ready, CI-integrated tool and reproducible artifacts to reduce manual monitoring effort and improve dependency health and security.
Abstract
Industrial applications heavily integrate open-source software libraries nowadays. Beyond the benefits that libraries bring, they can also impose a real threat in case a library is affected by a vulnerability but its community is not active in creating a fixing release. Therefore, I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities. Since most research in this field is limited due to lack of features, labels, and transitive links, and thus is not applicable in industry, my approach aims to close this gap by capturing the impact of direct and transitive dependencies in terms of their maintenance activities. Automatically monitoring the maintenance activities of dependencies reduces the manual effort of application maintainers and supports application security by continuously having well-maintained dependencies.