Dependency management bots automatically open pull requests to update software dependencies on behalf of developers. Early research shows that developers are suspicious of updates performed by dependency management bots and feel tired of overwhelming notifications from these bots. Despite this, dependency management bots are becoming increasingly popular. This contrast motivates us to investigate Dependabot, currently the most visible bot on GitHub, to reveal the effectiveness and limitations of state-of-the-art dependency management bots. We use exploratory data analysis and a developer survey to evaluate the effectiveness of Dependabot in keeping dependencies up to date, reducing update suspicion, and reducing notification fatigue. We obtain mixed findings. On the positive side, Dependabot is effective in reducing technical lag, and developers are highly receptive to its pull requests. On the negative side, its compatibility scores are too scarce to be effective in reducing update suspicion; developers tend to configure Dependabot toward reducing the number of notifications; and 11.3% of projects have deprecated Dependabot in favor of other alternatives. The survey confirms our findings and provides insights into developers' most wanted features for dependency management bots. Based on our findings, we derive and summarize the key characteristics of an ideal dependency management bot, which can be grouped into four dimensions: configurability, autonomy, transparency, and self-adaptability.
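The finding that developers configure Dependabot toward fewer notifications is the kind of setting a practitioner should review for its security side effect. The following `.github/dependabot.yml` is an added illustration, not a file from the paper or from any project it studied; it uses only documented Dependabot configuration keys, and the ecosystem (`npm`), schedule and group names are assumptions chosen for the example. It contrasts a noise-reducing configuration that still lets security fixes through with one that silences version updates entirely.

```yaml
# .github/dependabot.yml (added example; not from the paper or a studied project)
version: 2
updates:
  # Noise-reducing but still safe: one weekly grouped PR for routine
  # minor/patch bumps, majors ignored, and a bounded number of open PRs.
  - package-ecosystem: "npm"        # assumption: a Node.js project
    directory: "/"
    schedule:
      interval: "weekly"            # fewer, batched notifications
    open-pull-requests-limit: 5     # caps version-update PRs only;
                                    # security-update PRs are not counted
    groups:
      routine-bumps:                # assumed group name
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"

  # Maximum silence: open-pull-requests-limit: 0 disables version updates
  # for this ecosystem. Dependabot security updates (alerts-driven PRs)
  # are governed separately in the repository settings, so this does not
  # by itself stop security PRs, but it removes the routine bumps that keep
  # technical lag low and makes the eventual security PR a bigger jump.
  - package-ecosystem: "pip"        # assumption: a Python sub-project
    directory: "/tools"             # assumed path
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0
```

The check to make when reviewing such a file: an `open-pull-requests-limit: 0` or a long `ignore` list reduces PR volume, but it also reintroduces the technical lag the study found Dependabot otherwise reduces, so confirm that security updates remain enabled in the repository's settings and that the ignored range does not cover the packages that most often carry advisories.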