Technical leverage analysis in the Python ecosystem

Ranindya Paramitha; Fabio Massacci

doi:10.1007/s10664-023-10355-2

Technical leverage analysis in the Python ecosystem

Ranindya Paramitha^*, Fabio Massacci

^*Corresponding author for this work

Research output: Contribution to Journal › Article › Academic › peer-review

Abstract

Context:: Technical leverage is the ratio between dependencies (other people’s code) and own codes of a software package. It has been shown to be useful to characterize the Java ecosystem and there are also studies on the NPM ecosystem available. Objective:: By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. Method:: We collect a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis including the use of a two-part statistical model to deal with excess zeros, a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. Results:: Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependencies code a tenth of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage through their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. Coclusions:: Python packages ship a lot of other people’s code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.

Original language	English
Article number	139
Pages (from-to)	1-31
Number of pages	31
Journal	Empirical Software Engineering
Volume	28
Issue number	6
Early online date	13 Oct 2023
DOIs	https://doi.org/10.1007/s10664-023-10355-2
Publication status	Published - Nov 2023

Bibliographical note

Funding Information:
We would like to thank Ivan Pashchenko for useful discussions on technical leverage and Batbayar Narantsogt for providing the first initial code base for extracting libraries for Python. We also thank the anonymous reviewers whose comments greatly helped to improve the paper. Any remaining mistakes were ours. This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647).

Funding Information:
This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647).

Publisher Copyright:
© 2023, The Author(s).

Funding

We would like to thank Ivan Pashchenko for useful discussions on technical leverage and Batbayar Narantsogt for providing the first initial code base for extracting libraries for Python. We also thank the anonymous reviewers whose comments greatly helped to improve the paper. Any remaining mistakes were ours. This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647). This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647).

Keywords

Dependencies
Empirical analysis
Python ecosystem
Security
Software libraries
Technical leverage
Vulnerabilities

Access to Document

10.1007/s10664-023-10355-2

Persistent URL (handle)

Persistent link

Cite this

@article{9b81512b1a14443589f4e1c9a1bdedc8,

title = "Technical leverage analysis in the Python ecosystem",

abstract = "Context:: Technical leverage is the ratio between dependencies (other people{\textquoteright}s code) and own codes of a software package. It has been shown to be useful to characterize the Java ecosystem and there are also studies on the NPM ecosystem available. Objective:: By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. Method:: We collect a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis including the use of a two-part statistical model to deal with excess zeros, a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. Results:: Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependencies code a tenth of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage through their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. Coclusions:: Python packages ship a lot of other people{\textquoteright}s code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.",

keywords = "Dependencies, Empirical analysis, Python ecosystem, Security, Software libraries, Technical leverage, Vulnerabilities",

author = "Ranindya Paramitha and Fabio Massacci",

note = "Funding Information: We would like to thank Ivan Pashchenko for useful discussions on technical leverage and Batbayar Narantsogt for providing the first initial code base for extracting libraries for Python. We also thank the anonymous reviewers whose comments greatly helped to improve the paper. Any remaining mistakes were ours. This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647). Funding Information: This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647). Publisher Copyright: {\textcopyright} 2023, The Author(s).",

year = "2023",

month = nov,

doi = "10.1007/s10664-023-10355-2",

language = "English",

volume = "28",

pages = "1--31",

journal = "Empirical Software Engineering",

issn = "1382-3256",

publisher = "Springer Netherlands",

number = "6",

}

TY - JOUR

T1 - Technical leverage analysis in the Python ecosystem

AU - Paramitha, Ranindya

AU - Massacci, Fabio

N1 - Funding Information: We would like to thank Ivan Pashchenko for useful discussions on technical leverage and Batbayar Narantsogt for providing the first initial code base for extracting libraries for Python. We also thank the anonymous reviewers whose comments greatly helped to improve the paper. Any remaining mistakes were ours. This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647). Funding Information: This work was partly funded by the EU under the H2020 Program AssureMOSS (Grant n. 952647). Publisher Copyright: © 2023, The Author(s).

PY - 2023/11

Y1 - 2023/11

N2 - Context:: Technical leverage is the ratio between dependencies (other people’s code) and own codes of a software package. It has been shown to be useful to characterize the Java ecosystem and there are also studies on the NPM ecosystem available. Objective:: By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. Method:: We collect a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis including the use of a two-part statistical model to deal with excess zeros, a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. Results:: Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependencies code a tenth of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage through their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. Coclusions:: Python packages ship a lot of other people’s code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.

AB - Context:: Technical leverage is the ratio between dependencies (other people’s code) and own codes of a software package. It has been shown to be useful to characterize the Java ecosystem and there are also studies on the NPM ecosystem available. Objective:: By using this metric we aim to analyze the Python ecosystem, how it evolves, and how secure it is, as a developer would perceive it when deciding to adopt or update (or not) a library. Method:: We collect a dataset of the top 600 Python packages (corresponding to 21,205 versions) and used a number of innovative approaches for its analysis including the use of a two-part statistical model to deal with excess zeros, a mathematical closed formulation to estimate vulnerabilities that we confirm with bootstrapping on the actual dataset. Results:: Small Python package versions have a median technical leverage of 6.9x their own code, while bigger package versions rely on dependencies code a tenth of their own (median leverage of 0.1). In terms of evolution, Python packages tend to have stable technical leverage through their evolution (once highly leveraged, always leveraged). On security, the chance of getting a safe package version when choosing a package is actually better than previous research has shown based on the ratio of safe package versions in the ecosystem. Coclusions:: Python packages ship a lot of other people’s code and tend to keep doing so. However, developers will have a good chance to choose a safe package version.

KW - Dependencies

KW - Empirical analysis

KW - Python ecosystem

KW - Security

KW - Software libraries

KW - Technical leverage

KW - Vulnerabilities

UR - https://www.scopus.com/pages/publications/85174183871

UR - https://www.scopus.com/inward/citedby.url?scp=85174183871&partnerID=8YFLogxK

U2 - 10.1007/s10664-023-10355-2

DO - 10.1007/s10664-023-10355-2

M3 - Article

AN - SCOPUS:85174183871

SN - 1382-3256

VL - 28

SP - 1

EP - 31

JO - Empirical Software Engineering

JF - Empirical Software Engineering

IS - 6

M1 - 139

ER -

Technical leverage analysis in the Python ecosystem

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this