Open-source software supply chains wield significant influence in the software industry, drawing substantial interest from enterprises, researchers, and policymakers. Leveraging third-party libraries to build software applications is a common practice aimed at cost savings and software quality enhancement. However, heavy reliance on external libraries often leads to a state of “dependency hell”, marked by issues like incompatibilities, conflicting versions, bloated dependencies, and the inclusion of vulnerable library versions. Despite extensive research on software dependency management and the evolution of software supply chains, questions linger regarding the variances in dependency challenges across programming language ecosystems and how best to address the dependency hell phenomenon from an ecosystem-wide perspective.
The aim of this book is to offer: (1) a comprehensive literature review on software supply chains, (2) discussions on modeling software supply chains and analyzing their evolutionary behaviors, (3) ecosystem-level strategies for diagnosing various dependency issues and automating problem resolution with cost-benefit analysis, and (4) provision of a toolkit and datasets to support future research and assist practitioners in addressing the challenges of dependency management. The methodologies outlined in this book have been previously presented in top-tier conferences and journals, with some techniques officially integrated into products by Microsoft Corporation and Huawei Technologies Co Ltd. This book is designed to provide readers with a solid understanding of software supply chain fundamentals and practical guidance on implementing theory and techniques in real-world industrial settings.
The book is chiefly intended for software engineering researchers and students with an academic background who are interested in learning about dependency management for third-party libraries, quality assurance for software supply chains, and the evolution of open-source software ecosystems. It will also be of interest to practitioners, including software engineers, quality assurance professionals, and software managers, as well as general readers. All will benefit from our systematic studies on the dependency hell phenomenon in various programming language communities and valuable associated artifacts.