Write a Blog >>
MSR 2021
Mon 17 - Wed 19 May 2021
co-located with ICSE 2021
Wed 19 May 2021 17:20 - 17:24 at MSR Room 2 - Change Management and Analysis Chair(s): Sarah Nadi

Vulnerable dependencies are a major problem in modern software development. As software projects depend on multiple external dependencies, developers struggle to constantly track and check for corresponding security vulnerabilities that affect their project dependencies. To help mitigate this issue, Dependabot has been created, a bot that issues pull-requests to automatically update vulnerable dependencies. However, little is known about the degree to which developers adopt Dependabot to help them update vulnerable dependencies. In this paper, we investigate 2,904 JavaScript open-source GitHub projects that subscribed to Dependabot. Our results show that the vast majority (65.42%) of the created security-related pull-requests are accepted, often merged within a day. Through manual analysis, we identify 7 main reasons for Dependabot security pull-requests not being merged, mostly related to concurrent modifications of the affected dependencies rather than Dependabot failures. Interestingly, only 3.2% of the manually examined pull-requests suffered from build breakages. Finally, we model the time it takes to merge a Dependabot security pull-request using characteristics from projects, the fixed vulnerabilities and issued pull requests. Our model reveals 5 significant features to explain merge times, e.g., projects with relevant experience with Dependabot security pull-requests are most likely associated with rapid merges. Surprisingly, the severity of the dependency vulnerability and the potential risk of breaking changes are not strongly associated with the merge time. To the best of our knowledge, this study is the first to evaluate how developers receive Dependabot’s security contributions. Our findings indicate that Dependabot provides an effective platform for increasing awareness of dependency vulnerabilities and helps developers mitigate vulnerability threats in JavaScript projects.

Wed 19 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

17:00 - 17:50
Change Management and AnalysisTechnical Papers / Registered Reports at MSR Room 2
Chair(s): Sarah Nadi University of Alberta
17:01
4m
Talk
Studying the Change Histories of Stack Overflow and GitHub Snippets
Technical Papers
Saraj Singh Manes Carleton University, Olga Baysal Carleton University
Pre-print
17:05
4m
Talk
Learning Off-By-One Mistakes: An Empirical Study
Technical Papers
Hendrig Sellik Delft University of Technology, Onno van Paridon Adyen N.V., Georgios Gousios Facebook & Delft University of Technology, Maurício Aniche Delft University of Technology
Pre-print
17:09
4m
Talk
Predicting Design Impactful Changes in Modern Code Review: A Large-Scale Empirical Study
Technical Papers
Anderson Uchôa Pontifical Catholic University of Rio de Janeiro (PUC-Rio), Caio Barbosa Pontifical Catholic University of Rio de Janeiro (PUC-Rio), Daniel Coutinho Pontifical Catholic University of Rio de Janeiro (PUC-Rio), Willian Oizumi Pontifical Catholic University of Rio de Janeiro (PUC-Rio), Wesley Assunção Pontifical Catholic University of Rio de Janeiro (PUC-Rio), Silvia Regina Vergilio Federal University of Paraná, Juliana Alves Pereira PUC-Rio, Anderson Oliveira PUC-Rio, Alessandro Garcia PUC-Rio
Pre-print
17:13
4m
Talk
Rollback Edit Inconsistencies in Developer Forum
Technical Papers
Saikat Mondal University of Saskatchewan, Gias Uddin University of Calgary, Canada, Chanchal K. Roy University of Saskatchewan
Pre-print
17:17
3m
Talk
Assessing the Exposure of Software Changes: The DiPiDi Approach
Registered Reports
Mehran Meidani University of Waterloo, Maxime Lamothe University of Waterloo, Shane McIntosh
Pre-print
17:20
4m
Talk
On the Use of Dependabot Security Pull Requests
Technical Papers
Mahmoud Alfadel Concordia Univerisity, Diego Costa Concordia University, Canada, Emad Shihab Concordia University, Mouafak Mkhallalati Concordia University
Pre-print
17:24
26m
Live Q&A
Discussions and Q&A
Technical Papers


Information for Participants
Wed 19 May 2021 17:00 - 17:50 at MSR Room 2 - Change Management and Analysis Chair(s): Sarah Nadi
Info for room MSR Room 2:

Go directly to this room on Clowdr