Library dependencies in software ecosystems play a crucial role in the development of software. As newer releases of these libraries are published, developers may opt to pin their dependencies to a particular version. While pinning has benefits, such as reproducible builds and protection from breaking changes, it carries the larger risk of relying on outdated dependencies that may contain bugs and security vulnerabilities. To understand the frequency and consequences of dependency pinning, we first define the concepts of stale and fresh pins, which are distinguished based on how outdated the dependency is relative to the release date of the project. We conduct an empirical study to show that over 60% of consumers of popular Maven libraries contain stale pins to their dependencies, with some outdated versions over a year old. These pinned versions often miss out on security fixes; we find that 10% of all dependency upgrades in our dataset to the latest minor or patch version would reduce security vulnerabilities. We prototype an approach called Pin-Freshener that can encourage developers to freshen their pins by leveraging the insight that crowdsourced tests of peer projects can provide additional signal for the safety of an upgrade. Running Pin-Freshener on dependency upgrades shows that just 1-5 additional test suites can provide 35-100% more coverage of a dependency, compared to that of a single consumer test suite. Our evaluation on real-world pins to the top 500 popular libraries in Maven shows that Pin-Freshener can provide an additional signal of at least 5 passing crowdsourced test suites to over 3,000 consumers to safely perform an upgrade that reduces security vulnerabilities. Pin-Freshener can provide practical confidence to developers by offering additional signal beyond their own test suites, representing an improvement over current practices.
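To make the stale/fresh distinction and the "latest minor or patch" upgrade concrete, here is an added example (written for this page, not the paper's Pin-Freshener code) that classifies a pin against the consumer's release date. The release history, the 90-day staleness threshold and the plain numeric version format are constructed assumptions; the paper does not state its threshold.

```python
from dataclasses import dataclass
from datetime import date

# Constructed release history for a hypothetical Maven artifact (not real data):
# version -> publication date.
RELEASES = {
    "2.3.0": date(2021, 1, 10),
    "2.3.1": date(2021, 3, 2),
    "2.4.0": date(2021, 7, 15),
    "2.4.1": date(2021, 9, 1),
    "3.0.0": date(2022, 2, 20),
}

def parse(version):
    # Assumes plain dotted numeric versions; qualifiers like -SNAPSHOT are not handled.
    return tuple(int(part) for part in version.split("."))

@dataclass
class PinReport:
    pinned: str
    newest_at_release: str  # newest dependency release that existed when the consumer shipped
    safe_upgrade: str       # newest same-major (minor/patch) release available at that time
    lag_days: int           # age of the pinned version at the consumer's release, if outdated
    stale: bool

def assess_pin(pinned, project_release, releases=RELEASES, stale_after_days=90):
    """Classify a pin as stale or fresh relative to the consuming project's release date.
    stale_after_days is an assumed threshold, not one taken from the paper."""
    if isinstance(project_release, str):
        project_release = date.fromisoformat(project_release)
    if pinned not in releases:
        raise ValueError(f"unknown version {pinned}")
    # Only releases published before the consumer shipped count as "available".
    available = {v: d for v, d in releases.items() if d <= project_release}
    newest = max(available, key=parse)
    major = parse(pinned)[0]
    # Candidates for a minor/patch upgrade: same major line, not older than the pin.
    same_major = [v for v in available if parse(v)[0] == major and parse(v) >= parse(pinned)]
    safe = max(same_major, key=parse)
    outdated = parse(newest) > parse(pinned)
    lag = (project_release - releases[pinned]).days if outdated else 0
    return PinReport(pinned, newest, safe, lag, lag > stale_after_days)

if __name__ == "__main__":
    print(assess_pin("2.3.0", "2022-03-01"))  # stale: 3.0.0 is out, 2.4.1 is the safe upgrade
    print(assess_pin("2.4.0", "2021-10-01"))  # outdated by 78 days, under the threshold
```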