Docker allows applications and their dependencies to be packaged, with the build instructions described in Dockerfiles. Version pinning is now recommended to avoid unexpected changes in the latest version of a package. However, version pinning in Dockerfiles is not yet widely practiced (only 17k of the 141k Dockerfiles we analyzed), because of the difficulties that pinning introduces. To maintain Dockerfiles with version-pinned packages, it is important to update package versions, not only for improved functionality but also for software supply chain security, since new package releases address vulnerabilities and fix bugs. However, updating multiple version-pinned packages requires understanding the dependencies between packages and ensuring version compatibility, which is not easy. To address this issue, we explore the applicability of the meta-maintenance approach, which aims to distribute the successful updates made by part of a group that independently maintains a common artifact to the rest of that group. We conduct an exploratory analysis of 7,914 GitHub repositories holding Dockerfiles that retrieve packages from GitHub by URL. We found 385 repository groups that pin the same combination of multiple packages; in 208 of these groups, some Dockerfiles held newer version combinations than others, which we consider meta-maintenance applicable. Our findings support the potential of meta-maintenance for updating multiple version-pinned packages and also reveal future challenges.
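The grouping step described in the abstract, as an added illustration that is not the paper's own tooling: extract version-pinned GitHub download URLs from Dockerfiles, group repositories that pin the same combination of two or more packages, and flag members whose whole version combination is newer than another member's (the updates meta-maintenance would distribute). The URL shapes, the `acme/toolA`-style project names and the sample Dockerfile lines are constructed assumptions; a combination that is newer in one package but older in another is deliberately not flagged.

```python
import re
from collections import defaultdict

# Matches version-pinned GitHub download URLs of two common shapes (assumed):
#   https://github.com/owner/repo/releases/download/v1.2.3/<asset>
#   https://github.com/owner/repo/archive/refs/tags/v1.2.3.tar.gz
URL_RE = re.compile(
    r"https://github\.com/([\w.-]+/[\w.-]+)/"
    r"(?:releases/download|archive/refs/tags)/v?(\d+(?:\.\d+)*)"
)

def pinned_packages(dockerfile: str) -> dict:
    """Map each GitHub package pinned in the Dockerfile to its version tuple."""
    return {pkg: tuple(int(x) for x in ver.split("."))
            for pkg, ver in URL_RE.findall(dockerfile)}

def group_by_combination(repos: dict) -> dict:
    """Group repositories whose Dockerfiles pin the same set of two or more packages."""
    groups = defaultdict(dict)
    for name, text in repos.items():
        pins = pinned_packages(text)
        if len(pins) >= 2:  # a single pin needs no cross-package compatibility check
            groups[frozenset(pins)][name] = pins
    return dict(groups)

def newer_than(a: dict, b: dict) -> bool:
    """True when every package in a is at least as new as in b and one is strictly newer.
    Mixed cases (newer in one package, older in another) are not counted as newer."""
    return all(a[p] >= b[p] for p in a) and any(a[p] > b[p] for p in a)

def meta_maintenance_candidates(group: dict) -> list:
    """Members holding a version combination newer than some other member's,
    i.e. successful updates that meta-maintenance could distribute to the rest."""
    return sorted(n for n, pins in group.items()
                  if any(newer_than(pins, other) for o, other in group.items() if o != n))

# Constructed sample Dockerfile fragments (placeholder project names, not real repositories).
SAMPLE_REPOS = {
    "repo1": "RUN curl -LO https://github.com/acme/toolA/releases/download/v1.2.0/toolA.tgz\n"
             "RUN curl -LO https://github.com/acme/toolB/archive/refs/tags/v3.4.1.tar.gz\n",
    "repo2": "RUN curl -LO https://github.com/acme/toolA/releases/download/v1.3.0/toolA.tgz\n"
             "RUN curl -LO https://github.com/acme/toolB/archive/refs/tags/v3.4.1.tar.gz\n",
    "repo3": "RUN curl -LO https://github.com/acme/toolA/releases/download/v1.2.0/toolA.tgz\n"
             "RUN curl -LO https://github.com/acme/toolB/archive/refs/tags/v3.4.1.tar.gz\n",
    "repo4": "RUN curl -LO https://github.com/acme/toolA/releases/download/v1.5.0/toolA.tgz\n",
    "repo5": "RUN curl -LO https://github.com/acme/toolA/releases/download/v1.4.0/toolA.tgz\n"
             "RUN curl -LO https://github.com/acme/toolB/archive/refs/tags/v3.3.0.tar.gz\n",
}

if __name__ == "__main__":
    for combo, members in group_by_combination(SAMPLE_REPOS).items():
        print(sorted(combo), "->", meta_maintenance_candidates(members))  # prints ['acme/toolA', 'acme/toolB'] -> ['repo2']
```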