Software reuse has emerged as one of the most crucial elements of modern software development. The standard way to study the dependency networks caused by reuse is to infer relationships between software packages through manifests in the packages' repositories. Such networks can help answer important questions like "How many packages have dependencies on packages with known security issues?" or "What are the most used packages?". However, an important overlooked aspect of current networks is that manifest-inferred relationships do not necessarily describe how or whether these dependencies are actually used in the code. To better model dependencies between packages, we devise Präzi, an approach combining manifests and call graphs of packages. Präzi constructs a fine-grained dependency network at the function level instead of at the manifest level. For this paper, we provide a prototypical Präzi implementation for the popular system programming language Rust. Using it, we replicate a recent evolution study characterizing Rust's package repository, Crates.io, on the function level. Our results identify new key characteristics and developments of Crates.io: i) 49% of all function calls in Crates.io target a function in a dependency, suggesting prevalent reuse of dependencies, ii) packages call 40% of their resolved transitive dependencies, iii) package maintainers make nearly 7 new calls to their dependencies biannually, and iv) packages have two to three times more indirect callers than direct callers of their APIs. These results show that current analyses of manifest-level dependency networks are not sufficient to understand how packages use each other.
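The gap between the two views can be seen on a toy network. The following is an added example, not Präzi's implementation or code from the paper: it assumes a constructed set of manifests and call edges (all package and function names are hypothetical) and compares the transitive dependencies a package declares with the ones its code can actually reach.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};
type Graph = HashMap<&'static str, Vec<&'static str>>;

// Constructed manifest data: package -> declared dependencies (hypothetical names).
fn manifests() -> Graph {
    HashMap::from([
        ("app", vec!["http", "log"]),
        ("http", vec!["tls", "zip"]),
        ("log", vec![]), ("tls", vec![]), ("zip", vec![]),
    ])
}

// Constructed call graph: caller -> callees, each written "package::function".
fn calls() -> Graph {
    HashMap::from([
        ("app::main", vec!["http::get", "app::parse"]),
        ("http::get", vec!["tls::connect"]),
        ("http::get_compressed", vec!["zip::inflate"]),
    ])
}

// Breadth-first search: every node reachable from `start` (not `start` itself).
fn reachable(graph: &Graph, start: &'static str) -> BTreeSet<&'static str> {
    let mut seen = BTreeSet::new();
    let mut queue = VecDeque::from([start]);
    while let Some(node) = queue.pop_front() {
        for &next in graph.get(node).into_iter().flatten() {
            if seen.insert(next) { queue.push_back(next); }
        }
    }
    seen
}

// Manifest-level view: all transitive dependencies declared for `pkg`.
pub fn manifest_deps(pkg: &'static str) -> BTreeSet<&'static str> { reachable(&manifests(), pkg) }

// Function-level view: packages owning a function reachable from `entry`.
pub fn called_deps(entry: &'static str) -> BTreeSet<&'static str> {
    let own = entry.split("::").next().unwrap_or(entry);
    reachable(&calls(), entry).into_iter()
        .filter_map(|f| f.split("::").next())
        .filter(|pkg| *pkg != own)
        .collect()
}

fn main() {
    let (d, c) = (manifest_deps("app"), called_deps("app::main"));
    println!("declared {:?}\ncalled {:?}\nunused {:?}", d, c, d.difference(&c).collect::<Vec<_>>());
}
```

If `zip` carried a known security issue, the manifest-level network would count `app` as affected, while the call-based view shows no path from `app::main` into `zip`.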