Analysis of Third-Party Dependencies – A Systematic Literature Review

dc.contributor.advisor: Rahkema, Kristiina, juhendaja
dc.contributor.author: Sakerman, Liisa
dc.contributor.other: Tartu Ülikool. Loodus- ja täppisteaduste valdkond [et]
dc.contributor.other: Tartu Ülikool. Arvutiteaduse instituut [et]
dc.date.accessioned: 2023-08-24T08:01:25Z
dc.date.available: 2023-08-24T08:01:25Z
dc.date.issued: 2022
dc.description.abstract: The aim of this thesis is to provide an aggregate view of the relevant studies done in the field of third-party dependency analysis. Developers often use and rely on third-party libraries in their projects, and package managers help to handle and keep track of those dependencies. This paper presents a systematic literature review in the domain and creates an overview of the contributions of the empirical studies. Most of the studies focused on the maintenance aspects of third-party dependencies and their security implications. The problems they discussed were related to these aspects as well, with suggestions to incorporate more automated tool support to aid with the maintenance. Such tools were also developed in the scope of some of the studies. The studies were data-heavy, with metadata mined from open-source databases or package manager repositories; the most investigated package managers were Maven and npm. For future work it was suggested to carry out the existing research for other package managers, extend the research to the mobile domain and complement quantitative approaches with qualitative methods. [et]
dc.identifier.uri: https://hdl.handle.net/10062/91722
dc.language.iso: eng [et]
dc.publisher: Tartu Ülikool [et]
dc.rights: openAccess [et]
dc.rights: Attribution-NonCommercial-NoDerivatives 4.0 International [*]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/4.0/ [*]
dc.subject: Third-party dependencies [et]
dc.subject: software library ecosystems [et]
dc.subject: systematic literature review [et]
dc.subject.other: magistritööd [et]
dc.subject.other: informaatika [et]
dc.subject.other: infotehnoloogia [et]
dc.subject.other: informatics [et]
dc.subject.other: infotechnology [et]
dc.title: Analysis of Third-Party Dependencies – A Systematic Literature Review [et]
dc.type: Thesis [et]

Files

Original bundle

Now showing 1 - 2 of 2
Name: Sakerman_Software_Engineering_2022.pdf
Size: 2.1 MB
Format: Adobe Portable Document Format

Name: Sakerman_Data extraction table.zip
Size: 322.14 KB
Format: Compressed ZIP
Description: Appendices

License bundle

Now showing 1 - 1 of 1
Name: license.txt
Size: 1.71 KB
Format: Item-specific license agreed upon to submission