Online / 6 & 7 February 2021


Lost in Zero Space

Can we trust depending on packages with major version zero?

When developing open source software end-user applications or reusable software packages, developers depend on software packages distributed through package managers such as npm, Packagist, Cargo, RubyGems. In addition to this, empirical evidence has shown that these package managers adhere to a large extent to semantic versioning principles. Packages that are still in major version zero are considered unstable according to semantic versioning, as some developers consider such packages as immature, still being under initial development.

This presentation reports on large-scale empirical evidence on the use of dependencies towards 0.y.z versions in four different software package distributions: Cargo, npm, Packagist and RubyGems. We study to which extent packages get stuck in the zero version space, never crossing the psychological barrier of major version zero. We compare the effect of the policies and practices of package managers on this phenomenon. We do not reveal the results of our findings in this abstract yet, as it would spoil the fun of the presentation.

This empirical study builds further on our earlier work, in which we have studied different kinds of dependency management issues in software package distributions.

The current empirical evolutionary study is based on recent package management metadata of 1.5 million packages, totaling 12 million package releases and 56 million package dependencies. We analyse dependency version constraints to determine: * to which extent packages depend on 0.y.z releases of other packages; * whether packages with major version zero ever cross the psychological barrier of 1.0.0; * whether there is any reluctance to depend on 0.y.z packages; * whether dependency constraints are more permissive than what semantic versioning dictates for packages in major version zero.


Photo of Tom Mens Tom Mens