Can We Trust Tests To Automate Dependency Updates? A Case Study of Java Projects

Developers are increasingly using services such as Dependabot to automate dependency updates. However, recent research has shown that developers perceive such services as unreliable, as they heavily rely on test coverage to detect conflicts in updates. To understand the prevalence of tests exercising dependencies, we calculate the test coverage of direct and indirect uses of dependencies in 521 well-tested Java projects. We find that tests only cover 58% of direct and 20% of transitive dependency calls. By creating 1,122,420 artificial updates with simple faults covering all dependency usages in 262 projects, we measure the effectiveness of test suites in detecting semantic faults in dependencies; we find that tests can only detect 47% of direct and 35% of indirect artificial faults on average. To increase reliability, we investigate the use of change impact analysis as a means of reducing false negatives; on average, our tool can uncover 74% of injected faults in direct dependencies and 64% for transitive dependencies, nearly two times more than test suites. We then apply our tool in 22 real-world dependency updates, where it identifies three semantically conflicting cases and five cases of unused dependencies. Our findings indicate that the combination of static and dynamic analysis should be a requirement for future dependency updating systems.

• Publication year

  2021

• Venue

  Journal of Systems and Software

• Publication date

  2021-09-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1016/j.jss.2021.111097arXiv 2109.11921
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Procyon

  2022cited by this paper
• Comparative Study

  2020cited by this paper
• Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room

  2020cited by this paper
• Detecting Semantic Conflicts via Automated Behavior Change Detection

  2020cited by this paper
• Graph-Based Mining of In-the-Wild, Fine-Grained, Semantic Code Change Patterns

  2019cited by this paper
• Reflection-aware static regression test selection

  2019cited by this paper
• An approach and benchmark to detect behavioral changes of commits in continuous integration

  2019cited by this paper
• Model-based testing of breaking changes in Node.js libraries

  2019cited by this paper
• Chapter Six - Mutation Testing Advances: An Analysis and Survey

  2019cited by this paper
• Judge: identifying, understanding, and evaluating sources of unsoundness in call graphs

  2019cited by this paper
• Surviving software dependencies

  2019cited by this paper
• Dependency Versioning in the Wild

  2019cited by this paper
• Efficient static checking of library updates

  2018influential reference
• A Large-Scale Study of Test Coverage Evolution

  2018cited by this paper
• Type Regression Testing to Detect Breaking Changes in Node.js Libraries

  2018influential reference
• On the Impact of Security Vulnerabilities in the npm Package Dependency Network

  2018cited by this paper
• Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software

  2018cited by this paper
• Adding Sparkle to Social Coding: An Empirical Study of Repository Badges in the npm Ecosystem

  2018cited by this paper
• APIDiff: Detecting API breaking changes

  2018cited by this paper
• SGL: A Domain-Specific Language for Large-Scale Analysis of Open-Source Code

  2018cited by this paper
• Predictive Test Selection

  2018cited by this paper
• Code Coverage and Postrelease Defects: A Large-Scale Study on Open Source Projects

  2017cited by this paper
• An empirical comparison of dependency issues in OSS packaging ecosystems

  2017cited by this paper
• STARTS: STAtic regression test selection

  2017cited by this paper
• Structure and Evolution of Package Dependency Networks

  2017cited by this paper
• Semantic versioning and impact of breaking changes in the Maven repository

  2017cited by this paper
• Refining interprocedural change-impact analysis using equivalence relations

  2017cited by this paper
• An empirical comparison of dependency network evolution in seven software packaging ecosystems

  2017cited by this paper
• Can automated pull requests encourage software developers to upgrade out-of-date dependencies?

  2017influential reference
• Why do developers use trivial packages? an empirical case study on npm

  2017cited by this paper
• Do developers update their library dependencies?

  2017cited by this paper
• PIT a Practical Mutation Testing Tool for Java

  2016cited by this paper
• How to break an API: cost negotiation and community values in three software ecosystems

  2016influential reference
• Predictive Mutation Testing

  2016cited by this paper
• A Look at the Dynamics of the JavaScript Package Ecosystem

  2016cited by this paper
• Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

  2016cited by this paper
• Measuring Dependency Freshness in Software Systems

  2015cited by this paper
• Hybrid DOM-Sensitive Change Impact Analysis for JavaScript

  2015cited by this paper
• In defense of soundiness

  2015cited by this paper
• Broken promises: An empirical study into evolution problems in Java programs caused by library upgrades

  2014cited by this paper
• The major mutation framework: efficient and scalable mutation analysis for Java

  2014cited by this paper
• Coverage is not strongly correlated with test suite effectiveness

  2014cited by this paper
• Are mutants a valid substitute for real faults in software testing?

  2014cited by this paper
• Fine-grained and accurate source code differencing

  2014cited by this paper
• A survey of code‐based change impact analysis techniques

  2013cited by this paper
• GHTorrent: Github's data from a firehose

  2012cited by this paper
• Combining concept lattice with call graph for impact analysis

  2012cited by this paper
• Regression testing minimization, selection and prioritization: a survey

  2012cited by this paper
• A taxonomy for software change impact analysis

  2011cited by this paper
• EvoSuite: automatic test suite generation for object-oriented software

  2011influential reference
• Is it research?

  2010cited by this paper
• A Comparative Study of Industrial Static Analysis Tools

  2008cited by this paper
• Change Impact Graphs: Determining the Impact of Prior Code Changes

  2008cited by this paper
• Compatibility and Regression Testing of COTS-Component-Based Software

  2007cited by this paper
• Change Distilling:Tree Differencing for Fine-Grained Source Code Change Extraction

  2007cited by this paper
• Why Programs Fail: A Guide to Systematic Debugging

  2005cited by this paper
• Supporting predictive change impact analysis: a control call graph based technique

  2005cited by this paper
• Locating causes of program failures

  2005cited by this paper
• Chianti: a tool for change impact analysis of java programs

  2004cited by this paper
• An empirical comparison of dynamic impact analysis algorithms

  2004cited by this paper
• Leveraging field data for impact analysis and regression testing

  2003cited by this paper
• Whole program path-based dynamic impact analysis

  2003cited by this paper
• How to Break Software : A Practical Guide to Testing

  2002cited by this paper
• Change impact analysis for object-oriented programs

  2001cited by this paper
• Automated robustness testing of off-the-shelf software components

  1998cited by this paper
• Software Change Impact Analysis

  1996cited by this paper
• Fault localization using execution slices and dataflow tests

  1995cited by this paper
• A survey of program slicing techniques

  1994cited by this paper
• The program dependence graph and its use in optimization

  1984cited by this paper
• The complete guide to software testing

  1984cited by this paper
• Art of Software Testing

  1979cited by this paper
• Control-flow analysis

  year unknowncited by this paper

• Generating and Contributing Test Cases for C Libraries from Client Code: A Case Study

  2025cites this paper
• Benchmarking Graphics Rendering Capabilities: Java Processing vs. P5.js

  2025cites this paper
• MaRCo: Compatible Version Ranges in Maven

  2025cites this paper
• Client-Library Compatibility Testing with API Interaction Snapshots

  2025influential citation
• Understanding API Usage and Testing: An Empirical Study of C Libraries

  2025cites this paper
• Byam: Fixing Breaking Dependency Updates with Large Language Models

  2025cites this paper
• Automatically Fixing Dependency Breaking Changes

  2025influential citation
• Who makes open source code? The hybridisation of commercial and open source practices

  2024cites this paper
• BUMP: A Benchmark of Reproducible Breaking Dependency Updates

  2024cites this paper
• Leveraging the Crowd for Dependency Management: An Empirical Study on the Dependabot Compatibility Score

  2024influential citation
• Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem

  2024cites this paper
• An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries

  2024cites this paper
• Balancing the Quality and Cost of Updating Dependencies

  2024cites this paper
• Detecting semantic conflicts with unit tests

  2024cites this paper
• Detecting Semantic Conflicts with Unit Tests

  2023cites this paper
• Enhanced Multi-Verse Optimizer (TMVO) and Applying it in Test Data Generation for Path Testing

  2023cites this paper
• UPCY: Safely Updating Outdated Dependencies

  2023cites this paper
• Searching for High-Fidelity Builds Using Active Learning

  2022cites this paper
• On the Use of Tests for Software Supply Chain Threats

  2022cites this paper
• Studying and Leveraging API Usage Patterns

  2022cites this paper
• An Experience Report on Technical Debt in Pull Requests: Challenges and Lessons Learned

  2022cites this paper
• VizAPI: Visualizing Interactions between Java Libraries and Clients

  2022cites this paper
• Reliabuild: Searching for High-Fidelity Builds Using Active Learning

  2022cites this paper
• Can We Increase the Test-coverage in Libraries using Dependent Projects’ Test-suites?

  2022cites this paper
• Automating Dependency Updates in Practice: An Exploratory Study on GitHub Dependabot

  2022cites this paper
• The Journal of Systems & Software

  year unknowncites this paper