Kayla Matthews


PSA: Upgrading Out-Of-Date Dependencies Is One Of The Most Important Things You Can Do

There’s a reason apps, software and operating systems receive so many updates, patches and fixes. Yes, it helps remedy underlying issues or bugs that crop up — or that were always there under the surface — but it has much more to do with security.

It’s impossible for developers and coders to create a flawless, nigh indestructible piece of software. Furthermore, as time goes on and more updates, features and content are released, it can open up new vulnerabilities and problems — which must be fixed.

The fact of the matter is, failing to release updates and keep supporting your code can and will have severe consequences, especially when it comes to security. You are not only putting your company's reliability and reputation at risk, but you are also putting your end users right at the forefront of those dangers.

The huge data breach at Equifax, for example, arose because of a simple mistake that was entirely preventable.

The Equifax hack was possible because of an external library they relied on, which had a gaping security flaw. The library itself received a patch that fixed the issue, but Equifax never applied that update to the copy running on their own systems. This is despite the fact that the library's maintainers had publicly disclosed the vulnerability and released a security update for it.

But what’s more alarming is that most hacks and data breaches happen because of outdated dependencies or similar negligence on the part of the people running the software. Most of these issues can be avoided simply by updating the software, or more specifically the dependencies at its core.

Like it or not, modern web development often relies on third-party dependencies and libraries, which must also be upgraded from time to time.

Incentives Are The Way

A new study from computer science researchers at North Carolina State University reveals that an auto-fix tool may be the solution to convincing more developers to fix and upgrade their code.

After reviewing a variety of open-source projects on GitHub, the researchers noticed a correlation between automated pull requests and developer support. They analyzed the different ways projects incentivize updates and whether or not each has a direct effect on the developers’ work.

Two groups stood out.

One comprised 2,578 projects in total. All of those projects used automated pull requests for bug and vulnerability reports. The project administrators receive notifications about much-needed upgrades for obsolete dependencies in their code. Each notification is accompanied by a suggested fix and even runs the project's tests against the updated code. So, not only do developers stay informed about their projects, but they are also given the tools to fix their work — and ensure it’s secure.

The other comprised projects that didn’t use any such incentive system for upgrading out-of-date dependencies. There were 1,273 projects in this group.

As a developer yourself, you should be able to correctly guess which group was more successful. The researchers found that the larger group with automated pull requests received 60% more of the required upgrades than the projects without this feature.

Chris Parnin, assistant professor of computer science and senior author of the paper, revealed some further insights.

“[A] majority of automated pull request projects were using the most up-to-date versions of dependent software, whereas the unincentivized projects were [more fragmented].”

Essentially, it means that automated tools — like the pull requests — can help developers and programmers stay on top of updates. While Parnin says, “these tools can’t replace good programmers,” they sure can make a “significant difference” in terms of security and development. Of course, it’s “up to the programmers” to deploy and utilize these tools in the first place.

So, what’s the takeaway here?

It’s up to you as developers and maintenance crews for these programs and apps to ensure the necessary upgrades happen. But that doesn’t mean you have to go it alone.

There are automated tools and systems you can put to use to stay on top of it all, and using them is what makes you more effective.
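As an added illustration of the workflow the study describes (a notification about an obsolete dependency, a suggested fix, and a test run on the updated code), here is a small Python model of what such a bot's core check does; it is not code from the article, the researchers or any real update bot, and every package name, version and advisory value in it is a constructed placeholder.

```python
# Added example: a minimal model of an automated dependency-update check.
# It compares pinned versions against the newest releases, flags pins that
# sit below a known first-fixed version, drafts the upgrade suggestion, and
# only proposes the change when a test gate passes. All package names,
# versions and advisory data below are constructed placeholders, and
# versions are assumed to be plain dotted numbers (no pre-release tags).
from dataclasses import dataclass
from typing import Callable, Optional

def parse_version(version: str) -> tuple:
    """Split a dotted numeric version ('2.3.1') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Finding:
    package: str
    pinned: str
    latest: str
    vulnerable: bool   # pinned version is below the first fixed release
    suggestion: str    # the pin line the automated pull request would propose

def check_dependencies(pinned: dict, latest: dict, advisories: dict) -> list:
    """Return one Finding per out-of-date pin, vulnerable ones listed first."""
    findings = []
    for package, version in pinned.items():
        newest = latest.get(package, version)
        if parse_version(version) >= parse_version(newest):
            continue  # already current: nothing to propose
        fixed_in = advisories.get(package)
        vulnerable = fixed_in is not None and parse_version(version) < parse_version(fixed_in)
        findings.append(Finding(package, version, newest, vulnerable, f"{package}=={newest}"))
    findings.sort(key=lambda f: (not f.vulnerable, f.package))
    return findings

def propose_upgrade(pinned: dict, findings: list, test_gate: Callable[[dict], bool]) -> Optional[dict]:
    """Apply the suggested pins; return them only if the test gate still passes."""
    upgraded = dict(pinned)
    for finding in findings:
        upgraded[finding.package] = finding.latest
    return upgraded if test_gate(upgraded) else None

# Constructed sample manifest, release index and advisory table (package -> first fixed version).
PINNED = {"webframework": "2.3.1", "jsonlib": "1.0.4", "tlsclient": "0.9.2", "loggingkit": "3.1.0"}
LATEST = {"webframework": "2.5.0", "jsonlib": "1.0.4", "tlsclient": "1.1.0", "loggingkit": "3.2.0"}
ADVISORIES = {"webframework": "2.4.0", "tlsclient": "1.0.0"}

if __name__ == "__main__":
    for f in check_dependencies(PINNED, LATEST, ADVISORIES):
        tag = "VULNERABLE" if f.vulnerable else "outdated"
        print(f"{tag:10} {f.package} {f.pinned} -> {f.latest}  suggest: {f.suggestion}")
```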

Image by Negative Space
