Library dependencies in software ecosystems play a crucial role in the development of software. As newer releases of these libraries are published, developers may opt to pin their dependencies to a particular version. While pinning may have benefits in ensuring reproducible builds and avoiding breaking changes, it bears larger risks in using outdated dependencies that may contain bugs and security vulnerabilities. To understand the frequency and consequences of dependency pinning, we first define the concepts of stale and fresh pins, which are distinguished based on how outdated the dependency is relative to the release date of the project. We conduct an empirical study to show that over 60% of consumers of popular Maven libraries contain stale pins to their dependencies, with some outdated versions over a year old. These pinned versions often miss out on security fixes; we find that 10% of all dependency upgrades in our dataset to the latest minor or patch version would reduce security vulnerabilities. We prototype an approach called Pin-Freshener that can encourage developers to freshen their pins by leveraging the insight that crowdsourced tests of peer projects can provide additional signal for the safety of an upgrade. Running Pin-Freshener on dependency upgrades shows that just 1-5 additional test suites can provide 35-100% more coverage of a dependency, compared to that of a single consumer test suite. Our evaluation on real-world pins to the top 500 popular libraries in Maven shows that Pin-Freshener can provide an additional signal of at least 5 passing crowdsourced test suites to over 3,000 consumers to safely perform an upgrade that reduces security vulnerabilities. Pin-Freshener can provide practical confidence to developers by offering additional signal beyond their own test suites, representing an improvement over current practices.

翻译：软件生态系统中的库依赖在软件开发过程中扮演着关键角色。随着这些库的新版本发布，开发者可能选择将其依赖固定于特定版本。虽然固定依赖有助于确保构建的可重现性并避免破坏性变更，但其也带来使用过时依赖的更大风险——这些依赖可能包含缺陷和安全漏洞。为理解依赖固定行为的频率与后果，我们首先定义了陈旧固定与新鲜固定的概念，其区别基于依赖相对于项目发布日期的过时程度。我们通过实证研究表明，超过60%的热门Maven库使用者对其依赖存在陈旧固定现象，部分过时版本甚至超过一年。这些固定版本往往错过安全补丁；我们发现数据集中若将所有依赖升级至最新次要版本或补丁版本，可减少10%的安全漏洞。我们开发了名为Pin-Freshener的原型方法，该方法利用同行项目的众包测试能为升级安全性提供额外信号的洞见，从而鼓励开发者更新其固定依赖。在依赖升级场景中运行Pin-Freshener表明，仅需增加1-5个测试套件即可为依赖提供比单个使用者测试套件多35-100%的覆盖率。通过对Maven前500个热门库的真实固定依赖进行评估，我们发现Pin-Freshener能为超过3000个使用者提供至少5个通过众包测试套件的额外信号，使其能安全执行可减少安全漏洞的升级。Pin-Freshener通过提供超越开发者自身测试套件的额外信号，为开发者提供实际可行的信心，这代表着对当前实践的重要改进。