Developers consistently use version constraints to specify acceptable versions of the dependencies for their project. \emph{Pinning} dependencies can reduce the likelihood of breaking changes, but comes with a cost of manually managing the replacement of outdated and vulnerable dependencies. On the other hand, \emph{floating} can be used to automatically get bug fixes and security fixes, but comes with the risk of breaking changes. Security practitioners advocate \emph{pinning} dependencies to prevent against software supply chain attacks, e.g., malicious package updates. However, since \emph{pinning} is the tightest version constraint, \emph{pinning} is the most likely to result in outdated dependencies. Nevertheless, how the likelihood of becoming outdated or vulnerable dependencies changes across version constraint types is unknown. The goal of this study is to aid developers in making an informed dependency version constraint choice by empirically evaluating the likelihood of dependencies becoming outdated or vulnerable across version constraint types at scale. In this study, we first identify the trends in dependency version constraint usage and the patterns of version constraint type changes made by developers in the npm, PyPI, and Cargo ecosystems. We then modeled the dependency state transitions using survival analysis and estimated how the likelihood of becoming outdated or vulnerable changes when using \emph{pinning} as opposed to the rest of the version constraint types. We observe that among outdated and vulnerable dependencies, the most commonly used version constraint type is \emph{floating-minor}, with \emph{pinning} being the next most common. We also find that \emph{floating-major} is the least likely to result in outdated and \emph{floating-minor} is the least likely to result in vulnerable dependencies.

翻译：开发者通常使用版本约束来指定其项目可接受的依赖项版本。\emph{固定}依赖项可以降低破坏性变更的可能性，但需要付出手动管理过时和易受攻击依赖项替换的代价。另一方面，\emph{浮动}版本可用于自动获取错误修复和安全补丁，但存在引入破坏性变更的风险。安全从业者提倡\emph{固定}依赖项以防范软件供应链攻击，例如恶意软件包更新。然而，由于\emph{固定}是最严格的版本约束，它最有可能导致依赖项过时。尽管如此，不同版本约束类型导致依赖项过时或易受攻击的可能性变化尚不明确。本研究旨在通过大规模实证评估不同版本约束类型下依赖项变得过时或易受攻击的可能性，帮助开发者做出明智的依赖项版本约束选择。在本研究中，我们首先识别了npm、PyPI和Cargo生态系统中依赖项版本约束的使用趋势以及开发者进行版本约束类型变更的模式。随后，我们使用生存分析对依赖项状态转换进行建模，并估计了使用\emph{固定}版本约束（与其他版本约束类型相比）时依赖项变得过时或易受攻击的可能性变化。我们观察到，在过时和易受攻击的依赖项中，最常用的版本约束类型是\emph{浮动次要版本}，其次为\emph{固定版本}。我们还发现，\emph{浮动主版本}最不容易导致依赖项过时，而\emph{浮动次要版本}最不容易导致依赖项易受攻击。