Researchers can construct dependency networks by inferring relationships between packages through readily available manifests in package repositories. They answer questions such as "How many use the vulnerable package event-stream?" and "What are the most used packages in a repository?" through network analysis. An overlooked aspect of such networks is that manifest-inferred relationships describe declarations on external packages, not necessarily how or whether they make use of them. To better model dependencies between packages, we devise Präzi, an approach combining manifests and call graphs of packages to construct a fine-grained dependency network at the function-level granularity. We implement Präzi for Rust and replicate a recent evolution study to characterize its package repository, crates.io, from a function call perspective. Our results identify new key characteristics and developments of crates.io: i) 49% of all calls in crates.io target a function in a dependency, suggesting prevalent reuse of dependencies, ii) packages call 40% of their resolved transitive dependencies, iii) package maintainers make nearly 7 new calls to their dependencies biannually, and iv) packages have two to three times more indirect callers than direct callers of their APIs. These results show that current analyses of meta-information of package relationships are not sufficient alone to understand how packages use each other. By pegging network representations on the function level of packages, Präzi is a step towards understanding the dynamics of package repositories and reuse through program analysis.
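The distinction the abstract draws between declared and called dependencies, as an added illustration (not Präzi's implementation or data): the same "who is exposed to this vulnerable code?" question is answered once on a manifest-level network and once on a function-level call graph. All package and function names and both graphs are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical package and function names).
# Manifest level: package -> packages it declares as dependencies.
MANIFEST = {
    "app_a": ["http_lib"],
    "app_b": ["http_lib"],
    "app_c": ["parser"],
    "http_lib": ["parser"],
    "parser": [],
}
# Function level: caller -> callees, each named "package::function".
CALLS = {
    "app_a::main": ["http_lib::get"],
    "app_b::main": ["http_lib::version"],
    "app_c::main": ["parser::parse_safe"],
    "http_lib::get": ["parser::parse_header"],
    "http_lib::version": [],
    "parser::parse_header": [],
    "parser::parse_safe": [],
}

def reverse_reach(edges, target):
    """Return every node that can reach `target` by following edges."""
    rev = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            rev[dst].add(src)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for pred in rev[node]:
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen

def declared_dependents(package):
    """Packages that declare `package`, directly or transitively."""
    return reverse_reach(MANIFEST, package)

def calling_dependents(function):
    """Other packages with a function whose call chain reaches `function`."""
    own = function.split("::")[0]
    return {f.split("::")[0] for f in reverse_reach(CALLS, function)} - {own}
```

If `parser::parse_header` is the vulnerable function, the manifest view flags all four other packages, while the call-graph view flags only `http_lib` and `app_a`: `app_b` and `app_c` declare the dependency but never reach that function.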