Gerenciamento Automatizado de Dependências: Um Estudo em Larga Escala sobre a Adoção do Dependabot
Resumo
A gestão e atualização de dependências externas é uma atividade crítica em projetos de software. Ferramentas automatizadas como o Dependabot têm sido amplamente adotadas para auxiliar nesse processo. Este trabalho investiga práticas relacionadas à aceitação do Dependabot em projetos hospedados no GitHub. A partir da mineração de aproximadamente um milhão de pull requests, distribuídos em 500 projetos, analisou-se o comportamento dos mantenedores em relação às atualizações propostas, considerando métricas como frequência das notificações, taxa de aceitação e tempo até a integração. Observa-se que cerca de 46,4% dos projetos analisados utilizaram o Dependabot em algum momento ao longo do período estudado. Os resultados sugerem também que, embora uma parcela significativa de pull requests seja aceita (59,5%), ainda existem barreiras à adoção. Além disso, o tempo para integração de uma atualização de dependência pode variar entre poucos dias e vários meses, indicando que os projetos podem permanecer vulneráveis por longos períodos.Referências
Alfadel, M., Costa, D. E., Shihab, E., and Mkhallalati, M. (2021). On the use of dependabot security pull requests. In 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR), pages 254–265. IEEE.
Birari, S. (2024). Github dependabot: An essential tool for efficient dependency version management. Medium. Accessed: 19 November 2024.
Bogart, C., Kästner, C., Herbsleb, J., and Thung, F. (2016). How to break an API: cost negotiation and community values in three software ecosystems. In 24th International Symposium on the Foundations of Software Engineering (FSE), pages 109–120.
Borges, H., Hora, A., and Valente, M. T. (2016). Understanding the factors that impact the popularity of GitHub repositories. In 32nd International Conference on Software Maintenance and Evolution (ICSME), pages 334–344.
Brito, A., Xavier, L., Hora, A., and Valente, M. T. (2018). Why and how Java developers break APIs. In 25th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 1–11.
Chowdhury, B., Rabbi, M. F., Hasan, S. M., and Zibran, M. F. (2025a). Insights into dependency maintenance trends in the maven ecosystem. In 2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR), pages 280–284. IEEE.
Chowdhury, B., Rabbi, M. F., Mahedy Hasan, S. M., and Zibran, M. F. (2025b). Insights into dependency maintenance trends in the maven ecosystem. In 2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR), pages 280–284.
Decan, A., Mens, T., and Constantinou, E. (2018). On the impact of security vulnerabilities in the npm package dependency network. In 15th International Conference on Mining Software Repositories (MSR), page 181–191.
Durumeric, Z., Li, F., Kasten, J., Amann, J., Beekman, J., Payer, M., Weaver, N., Adrian, D., Paxson, V., Bailey, M., and Halderman, J. A. (2014). The matter of heartbleed. In 2014 Conference on Internet Measurement Conference (IMC), page 475–488.
Garrett, K., Ferreira, G., Jia, L., Sunshine, J., and Kästner, C. (2019). Detecting suspicious package updates. In 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER), pages 13–16.
He, R., He, H., Zhang, Y., and Zhou, M. (2023). Automating dependency updates in practice: An exploratory study on github dependabot. IEEE Transactions on Software Engineering, 49(8):4004–4022.
Hora, A. and Valente, M. T. (2015). apiwave: Keeping track of api popularity and migration. In 31st IEEE International Conference on Software Maintenance and Evolution (ICSME), pages 321–323.
Jafari, A. J., Costa, D. E., Abdalkareem, R., Shihab, E., and Tsantalis, N. (2022). Dependency smells in javascript projects. IEEE Transactions on Software Engineering, 48(10):3790–3807.
Kula, R., German, D., Ouni, A., et al. (2018). Do developers update their library dependencies? Empirical Software Engineering, 23:384–417.
McDonnell, T., Ray, B., and Kim, M. (2013). An empirical study of API stability and adoption in the Android ecosystem. In 29th International Conference on Software Maintenance (ICSM), pages 70–79.
Mens, T. and Decan, A. (2024). An overview and catalogue of dependency challenges in open source software package registries. In Proceedings of the 23rd Belgium–Netherlands Software Evolution Workshop (BENEVOL24), CEUR Workshop Proceedings, Namur, Belgium.
Mirhosseini, S. and Parnin, C. (2017). Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 84–94. IEEE.
Mohayeji, H., Agaronian, A., Constantinou, E., Zannone, N., and Serebrenik, A. (2023). Investigating the resolution of vulnerable dependencies with dependabot security updates. In 20th International Conference on Mining Software Repositories (MSR), pages 234–246.
Prana, G. A. A., Sharma, A., Shar, L. K., Foo, D., Santosa, A. E., Sharma, A., and Lo, D. (2021). Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empirical Software Engineering, 26:1–34.
Rebatchi, H., Bissyandé, T. F., and Moha, N. (2024). Dependabot and security pull requests: large empirical study. Empirical Software Engineering, 29(5):128.
Robbes, R., Lungu, M., and Röthlisberger, D. (2012). How do developers react to API deprecation? the case of a Smalltalk ecosystem. In 20th International Symposium on the Foundations of Software Engineering (FSE), pages 56:1–56:11.
Silva, H. and Valente, M. T. (2018). What’s in a GitHub star? Understanding repository starring practices in a social coding platform. Journal of Systems and Software, 146:112–129.
Wu, W., Gueheneuc, Y.-G., Antoniol, G., and Kim, M. (2010). AURA: a hybrid approach to identify framework evolution. In 32nd International Conference on Software Engineering (ICSE), pages 325–334.
Xavier, L., Brito, A., Hora, A., and Valente, M. T. (2017). Historical and impact analysis of API breaking changes: A large scale study. In 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 138–147.
Birari, S. (2024). Github dependabot: An essential tool for efficient dependency version management. Medium. Accessed: 19 November 2024.
Bogart, C., Kästner, C., Herbsleb, J., and Thung, F. (2016). How to break an API: cost negotiation and community values in three software ecosystems. In 24th International Symposium on the Foundations of Software Engineering (FSE), pages 109–120.
Borges, H., Hora, A., and Valente, M. T. (2016). Understanding the factors that impact the popularity of GitHub repositories. In 32nd International Conference on Software Maintenance and Evolution (ICSME), pages 334–344.
Brito, A., Xavier, L., Hora, A., and Valente, M. T. (2018). Why and how Java developers break APIs. In 25th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 1–11.
Chowdhury, B., Rabbi, M. F., Hasan, S. M., and Zibran, M. F. (2025a). Insights into dependency maintenance trends in the maven ecosystem. In 2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR), pages 280–284. IEEE.
Chowdhury, B., Rabbi, M. F., Mahedy Hasan, S. M., and Zibran, M. F. (2025b). Insights into dependency maintenance trends in the maven ecosystem. In 2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR), pages 280–284.
Decan, A., Mens, T., and Constantinou, E. (2018). On the impact of security vulnerabilities in the npm package dependency network. In 15th International Conference on Mining Software Repositories (MSR), page 181–191.
Durumeric, Z., Li, F., Kasten, J., Amann, J., Beekman, J., Payer, M., Weaver, N., Adrian, D., Paxson, V., Bailey, M., and Halderman, J. A. (2014). The matter of heartbleed. In 2014 Conference on Internet Measurement Conference (IMC), page 475–488.
Garrett, K., Ferreira, G., Jia, L., Sunshine, J., and Kästner, C. (2019). Detecting suspicious package updates. In 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER), pages 13–16.
He, R., He, H., Zhang, Y., and Zhou, M. (2023). Automating dependency updates in practice: An exploratory study on github dependabot. IEEE Transactions on Software Engineering, 49(8):4004–4022.
Hora, A. and Valente, M. T. (2015). apiwave: Keeping track of api popularity and migration. In 31st IEEE International Conference on Software Maintenance and Evolution (ICSME), pages 321–323.
Jafari, A. J., Costa, D. E., Abdalkareem, R., Shihab, E., and Tsantalis, N. (2022). Dependency smells in javascript projects. IEEE Transactions on Software Engineering, 48(10):3790–3807.
Kula, R., German, D., Ouni, A., et al. (2018). Do developers update their library dependencies? Empirical Software Engineering, 23:384–417.
McDonnell, T., Ray, B., and Kim, M. (2013). An empirical study of API stability and adoption in the Android ecosystem. In 29th International Conference on Software Maintenance (ICSM), pages 70–79.
Mens, T. and Decan, A. (2024). An overview and catalogue of dependency challenges in open source software package registries. In Proceedings of the 23rd Belgium–Netherlands Software Evolution Workshop (BENEVOL24), CEUR Workshop Proceedings, Namur, Belgium.
Mirhosseini, S. and Parnin, C. (2017). Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 84–94. IEEE.
Mohayeji, H., Agaronian, A., Constantinou, E., Zannone, N., and Serebrenik, A. (2023). Investigating the resolution of vulnerable dependencies with dependabot security updates. In 20th International Conference on Mining Software Repositories (MSR), pages 234–246.
Prana, G. A. A., Sharma, A., Shar, L. K., Foo, D., Santosa, A. E., Sharma, A., and Lo, D. (2021). Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empirical Software Engineering, 26:1–34.
Rebatchi, H., Bissyandé, T. F., and Moha, N. (2024). Dependabot and security pull requests: large empirical study. Empirical Software Engineering, 29(5):128.
Robbes, R., Lungu, M., and Röthlisberger, D. (2012). How do developers react to API deprecation? the case of a Smalltalk ecosystem. In 20th International Symposium on the Foundations of Software Engineering (FSE), pages 56:1–56:11.
Silva, H. and Valente, M. T. (2018). What’s in a GitHub star? Understanding repository starring practices in a social coding platform. Journal of Systems and Software, 146:112–129.
Wu, W., Gueheneuc, Y.-G., Antoniol, G., and Kim, M. (2010). AURA: a hybrid approach to identify framework evolution. In 32nd International Conference on Software Engineering (ICSE), pages 325–334.
Xavier, L., Brito, A., Hora, A., and Valente, M. T. (2017). Historical and impact analysis of API breaking changes: A large scale study. In 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 138–147.
Publicado
22/09/2025
Como Citar
ESTEVÃO, Gabriel; LOTT, Letícia; FLEURY, Luana; NALON, Yan; BRITO, Aline; SOUZA, Joana Gabriela; XAVIER, Laerte.
Gerenciamento Automatizado de Dependências: Um Estudo em Larga Escala sobre a Adoção do Dependabot. In: WORKSHOP DE VISUALIZAÇÃO, EVOLUÇÃO E MANUTENÇÃO DE SOFTWARE (VEM), 13. , 2025, Recife/PE.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 37-47.
DOI: https://doi.org/10.5753/vem.2025.14395.
