{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,14]],"date-time":"2025-11-14T07:36:13Z","timestamp":1763105773936,"version":"3.37.3"},"reference-count":51,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,2,20]],"date-time":"2021-02-20T00:00:00Z","timestamp":1613779200000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,2,20]],"date-time":"2021-02-20T00:00:00Z","timestamp":1613779200000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100002661","name":"Fonds De La Recherche Scientifique - FNRS","doi-asserted-by":"publisher","award":["30446992"],"award-info":[{"award-number":["30446992"]}],"id":[{"id":"10.13039\/501100002661","id-type":"DOI","asserted-by":"publisher"}]},{"name":"the Government of Spain","award":["RTI2018-101963-B-100"],"award-info":[{"award-number":["RTI2018-101963-B-100"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2021,3]]},"DOI":"10.1007\/s10664-020-09908-6","type":"journal-article","created":{"date-parts":[[2021,2,20]],"date-time":"2021-02-20T20:03:11Z","timestamp":1613851391000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":22,"title":["A multi-dimensional analysis of technical lag in Debian-based Docker images"],"prefix":"10.1007","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2676-3730","authenticated-orcid":false,"given":"Ahmed","family":"Zerouali","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3636-5020","authenticated-orcid":false,"given":"Tom","family":"Mens","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5824-5823","authenticated-orcid":false,"given":"Alexandre","family":"Decan","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9682-460X","authenticated-orcid":false,"given":"Jesus","family":"Gonzalez-Barahona","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1442-6761","authenticated-orcid":false,"given":"Gregorio","family":"Robles","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,20]]},"reference":[{"key":"9908_CR1","doi-asserted-by":"publisher","unstructured":"Abate P, Di Cosmo R, Boender J, Zacchiroli S (2009) Strong dependencies between software components. In: International symposium on empirical software engineering and measurement. https:\/\/doi.org\/10.1109\/ESEM.2009.5316017. IEEE Computer Society, pp 89\u201399","DOI":"10.1109\/ESEM.2009.5316017"},{"issue":"10","key":"9908_CR2","doi-asserted-by":"publisher","first-page":"2228","DOI":"10.1016\/j.jss.2012.02.018","volume":"85","author":"P Abate","year":"2012","unstructured":"Abate P, Di Cosmo R, Treinen R, Zacchiroli S (2012) Dependency solving: a separate concern in component evolution management. J Syst Softw 85 (10):2228\u20132240. https:\/\/doi.org\/10.1016\/j.jss.2012.02.018","journal-title":"J Syst Softw"},{"key":"9908_CR3","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1016\/j.scico.2013.06.007","volume":"90","author":"P Abate","year":"2014","unstructured":"Abate P, Di Cosmo R, Treinen R, Zacchiroli S (2014) Learning from the future of component repositories. Sci Comput Program 90:93\u2013115. https:\/\/doi.org\/10.1016\/j.scico.2013.06.007","journal-title":"Sci Comput Program"},{"key":"9908_CR4","unstructured":"Anchore.io (2017) Snapshot of the container ecosystem. https:\/\/anchore.com\/wp-content\/uploads\/2017\/04\/Anchore-Container-Survey-5.pdf. Accessed: 01\/12\/2019"},{"key":"9908_CR5","doi-asserted-by":"publisher","unstructured":"Artho C, Suzaki K, Di Cosmo R, Treinen R, Zacchiroli S (2012) Why do software packages conflict?. In: Working conference mining software repositories. https:\/\/doi.org\/10.1109\/MSR.2012.6224274, pp 141\u2013150","DOI":"10.1109\/MSR.2012.6224274"},{"issue":"3","key":"9908_CR6","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1109\/MCC.2014.51","volume":"1","author":"D Bernstein","year":"2014","unstructured":"Bernstein D (2014) Containers and cloud: from LXC to Docker to Kubernetes. IEEE Cloud Comput 1(3):81\u201384. https:\/\/doi.org\/10.1109\/MCC.2014.51","journal-title":"IEEE Cloud Comput"},{"key":"9908_CR7","unstructured":"Bettini A (2015) Vulnerability exploitation in docker container environments. In: FlawCheck, Black Hat Europe"},{"issue":"1","key":"9908_CR8","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1145\/2723872.2723882","volume":"49","author":"C Boettiger","year":"2015","unstructured":"Boettiger C (2015) An introduction to Docker for reproducible research. ACM SIGOPS Oper Syst Rev 49(1):71\u201379. https:\/\/doi.org\/10.1145\/2723872.2723882","journal-title":"ACM SIGOPS Oper Syst Rev"},{"key":"9908_CR9","doi-asserted-by":"publisher","unstructured":"Cito J, Schermann G, Wittern JE, Leitner P, Zumberi S, Gall HC (2017) An empirical analysis of the Docker container ecosystem on GitHub. In: International conference on mining software repositories. https:\/\/doi.org\/10.1109\/MSR.2017.67. IEEE Press, pp 323\u2013333","DOI":"10.1109\/MSR.2017.67"},{"key":"9908_CR10","doi-asserted-by":"publisher","unstructured":"Claes M, Mens T, Di Cosmo R, Vouillon J (2015) A historical analysis of Debian package incompatibilities. In: Working conference mining software repositories. https:\/\/doi.org\/10.1109\/MSR.2015.27, pp 212\u2013223","DOI":"10.1109\/MSR.2015.27"},{"key":"9908_CR11","doi-asserted-by":"publisher","unstructured":"Cogo F R, Oliva G A, Hassan A E (2019) An empirical study of dependency downgrades in the npm ecosystem. IEEE Trans Softw Eng. https:\/\/doi.org\/10.1109\/TSE.2019.2952130","DOI":"10.1109\/TSE.2019.2952130"},{"issue":"5","key":"9908_CR12","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/MCC.2016.100","volume":"3","author":"T Combe","year":"2016","unstructured":"Combe T, Martin A, Di Pietro R (2016) To Docker or not to Docker: a security perspective. IEEE Cloud Comput 3(5):54\u201362. https:\/\/doi.org\/10.1109\/MCC.2016.100","journal-title":"IEEE Cloud Comput"},{"key":"9908_CR13","doi-asserted-by":"publisher","unstructured":"Cox J, Bouwers E, van Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: International conference on software engineering. https:\/\/doi.org\/10.1109\/ICSE.2015.140. IEEE Press, pp 109\u2013118","DOI":"10.1109\/ICSE.2015.140"},{"key":"9908_CR14","unstructured":"de Visser M (2017) A look at how often Docker images are updated. https:\/\/anchore.com\/look-often-docker-images-updated\/. Accessed: 20 August 2020"},{"key":"9908_CR15","doi-asserted-by":"publisher","unstructured":"Decan A, Mens T, Constantinou E (2018a) On the evolution of technical lag in the npm package dependency network. In: International conference software maintenance and evolution. https:\/\/doi.org\/10.1109\/ICSME.2018.00050. IEEE, pp 404\u2013414","DOI":"10.1109\/ICSME.2018.00050"},{"key":"9908_CR16","doi-asserted-by":"publisher","unstructured":"Decan A, Mens T, Constantinou E (2018b) On the impact of security vulnerabilities in the npm package dependency network. In: International conference on mining software repositories. https:\/\/doi.org\/10.1145\/3196398.3196401","DOI":"10.1145\/3196398.3196401"},{"issue":"1","key":"9908_CR17","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1007\/s10664-017-9589-y","volume":"24","author":"A Decan","year":"2019","unstructured":"Decan A, Mens T, Grosjean P (2019) An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empir Softw Eng 24(1):381\u2013416. ISSN 1573-7616. https:\/\/doi.org\/10.1007\/s10664-017-9589-y","journal-title":"Empir Softw Eng"},{"key":"9908_CR18","unstructured":"DeHamer B (2020) Docker hub top 10. https:\/\/www.ctl.io\/developers\/blog\/post\/docker-hub-top-10\/. Accessed: 20 August 2020"},{"key":"9908_CR19","unstructured":"Docker Inc. (2020a) Docker registry HTTP API V2. https:\/\/docs.docker.com\/registry\/spec\/api\/. Accessed: 20 Aug 2020"},{"key":"9908_CR20","unstructured":"Docker Inc. (2020b) Dockerfile reference. https:\/\/docs.docker.com\/engine\/reference\/builder\/. Accessed: 20 August 2020"},{"issue":"3","key":"9908_CR21","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1007\/s10664-008-9100-x","volume":"14","author":"JM Gonzalez-Barahona","year":"2009","unstructured":"Gonzalez-Barahona JM, Robles G, Michlmayr M, Amor JJ, German DM (2009) Macro-level software evolution: a case study of a large software compilation. Empir Softw Eng 14(3):262\u2013285. https:\/\/doi.org\/10.1007\/s10664-008-9100-x","journal-title":"Empir Softw Eng"},{"key":"9908_CR22","doi-asserted-by":"publisher","unstructured":"Gonzalez-Barahona JM, Sherwood P, Robles G, Izquierdo D (2017) Technical lag in software compilations: measuring how outdated a software deployment is. In: IFIP international conference on open source systems. https:\/\/doi.org\/10.1007\/978-3-319-57735-7_17. Springer, pp 182\u2013192","DOI":"10.1007\/978-3-319-57735-7_17"},{"key":"9908_CR23","doi-asserted-by":"crossref","unstructured":"Henkel J, Bird C, Lahiri SK, Reps T (2020) Learning from, understanding, and supporting DevOps artifacts for Docker. In: International conference on software engineering","DOI":"10.1145\/3377811.3380406"},{"key":"9908_CR24","doi-asserted-by":"publisher","unstructured":"Kula R G, German D M, Ishio T, Inoue K (2015) Trusting a library: a study of the latency to adopt the latest Maven release. In: International conference on software analysis, evolution, and reengineering. https:\/\/doi.org\/10.1109\/SANER.2015.7081869, pp 520\u2013524","DOI":"10.1109\/SANER.2015.7081869"},{"issue":"1","key":"9908_CR25","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2017","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2017) Do developers update their library dependencies? Empir Softw Eng 23(1):384\u2013417. https:\/\/doi.org\/10.1007\/s10664-017-9521-5. ISSN 1573-7616","journal-title":"Empir Softw Eng"},{"key":"9908_CR26","doi-asserted-by":"publisher","unstructured":"Kwon S, Lee J-H (2020) Divds: Docker image vulnerability diagnostic system. IEEE Access. https:\/\/doi.org\/10.1109\/ACCESS.2020.2976874","DOI":"10.1109\/ACCESS.2020.2976874"},{"key":"9908_CR27","doi-asserted-by":"crossref","unstructured":"Legay D, Decan A, Mens T (2020) On package freshness in Linux distributions. In: International conference software maintenance and evolution\u2014NIER Track","DOI":"10.1109\/ICSME46990.2020.00072"},{"key":"9908_CR28","doi-asserted-by":"publisher","unstructured":"Lu Z, Xu J, Wu Y, Wang T, Huang T (2019) An empirical case study on the temporary file smell in Dockerfiles. IEEE Access. https:\/\/doi.org\/10.1109\/ACCESS.2019.2905424","DOI":"10.1109\/ACCESS.2019.2905424"},{"issue":"239","key":"9908_CR29","first-page":"2","volume":"2014","author":"D Merkel","year":"2014","unstructured":"Merkel D (2014) Docker: lightweight Linux containers for consistent development and deployment. Linux J 2014(239):2","journal-title":"Linux J"},{"key":"9908_CR30","doi-asserted-by":"publisher","unstructured":"Mezzetti G, M\u00f8ller A, Torp MT (2018) Type regression testing to detect breaking changes in Node. js libraries. In: European conference on object-oriented programming. https:\/\/doi.org\/10.4230\/LIPIcs.ECOOP.2018.7","DOI":"10.4230\/LIPIcs.ECOOP.2018.7"},{"key":"9908_CR31","doi-asserted-by":"publisher","unstructured":"M\u00f8ller A, Torp M T (2019) Model-based testing of breaking changes in Node.js libraries. In: Joint meeting on European software engineering conference and symposium on the foundations of software engineering. https:\/\/doi.org\/10.1145\/3338906.3338940. ACM, pp 409\u2013419","DOI":"10.1145\/3338906.3338940"},{"key":"9908_CR32","unstructured":"Mouat A (2015) Using docker: developing and deploying software with containers. O\u2019Reilly Media, Inc."},{"key":"9908_CR33","doi-asserted-by":"publisher","unstructured":"Nussbaum L, Zacchiroli S (2010) The ultimate Debian database: consolidating bazaar metadata for quality assurance and data mining. In: Working conference on mining software repositories. https:\/\/doi.org\/10.1109\/MSR.2010.5463277, pp 52\u201361","DOI":"10.1109\/MSR.2010.5463277"},{"key":"9908_CR34","unstructured":"Romano J, Kromrey JD, Coraggio J, Skowronek J, Devine L (2006) Exploring methods for evaluating group differences on the NSSE and other surveys: are the t-test and Cohen\u2019s d indices the most appropriate choices?. In: Annual meeting of the southern association for institutional research"},{"key":"9908_CR35","doi-asserted-by":"publisher","first-page":"2341","DOI":"10.1007\/s10664-019-09754-1","volume":"25","author":"P Salza","year":"2020","unstructured":"Salza P, Palomba F, Di Nucci D, De Lucia A, Ferrucci F (2020) Third-party libraries in mobile apps: when, how, and why developers update them. Empir Softw Eng 25:2341\u20132377. https:\/\/doi.org\/10.1007\/s10664-019-09754-1","journal-title":"Empir Softw Eng"},{"key":"9908_CR36","doi-asserted-by":"publisher","unstructured":"Shu R, Gu X, Enck W (2017) A study of security vulnerabilities on Docker Hub. In: International conference on data and application security and privacy. https:\/\/doi.org\/10.1145\/3029806.3029832. ACM, pp 269\u2013280","DOI":"10.1145\/3029806.3029832"},{"key":"9908_CR37","unstructured":"Socchi E, Luu J (2019) A deep dive into Docker Hub\u2019s security landscape\u2014a story of inheritance? Master\u2019s thesis University of Oslo"},{"key":"9908_CR38","unstructured":"The Debian GNU\/Linux FAQ (2019) The Debian package management tools. https:\/\/www.debian.org\/doc\/manuals\/debian-faq\/pkgtools.en.html. Accessed: 20 Aug 2020"},{"key":"9908_CR39","unstructured":"Turnbull J (2014) The Docker book: containerization is the new virtualization. James Turnbull"},{"key":"9908_CR40","unstructured":"Vermeer B, Henry W (2019) Shifting Docker security left. https:\/\/snyk.io\/blog\/shifting-docker-security-left\/. Accessed: 02\/11\/2019"},{"key":"9908_CR41","doi-asserted-by":"publisher","unstructured":"Vouillon J, Di Cosmo R (2011) On software component co-installability. In: Joint European software engineering conference and ACM SIGSOFT international symposium on foundations of software engineering. https:\/\/doi.org\/10.1145\/2025113.2025149","DOI":"10.1145\/2025113.2025149"},{"key":"9908_CR42","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4615-4625-2","volume-title":"Experimentation in software engineering\u2014an introduction","author":"C Wohlin","year":"2000","unstructured":"Wohlin C, Runeson P, Host M, Ohlsson MC, Regnell B, Wesslen A (2000) Experimentation in software engineering\u2014an introduction. Kluwer, Boston. https:\/\/doi.org\/10.1007\/978-1-4615-4625-2"},{"key":"9908_CR43","doi-asserted-by":"publisher","unstructured":"Zapata RE, Kula RG, Chinthanet B, Ishio T, Matsumoto K, Ihara A (2018) Towards smoother library migrations: a look at vulnerable dependency migrations at function level for npm JavaScript packages. In: International conference on software maintenance and evolution. https:\/\/doi.org\/10.1109\/ICSME.2018.00067. IEEE, pp 559\u2013563","DOI":"10.1109\/ICSME.2018.00067"},{"key":"9908_CR44","unstructured":"Zerouali A (2019) A measurement framework for analyzing technical lag in open-source software ecosystems. PhD thesis, University of Mons"},{"key":"9908_CR45","doi-asserted-by":"publisher","unstructured":"Zerouali A (2020) Replication package for Debian-based Docker images. https:\/\/doi.org\/10.5281\/zenodo.3765315","DOI":"10.5281\/zenodo.3765315"},{"key":"9908_CR46","doi-asserted-by":"publisher","unstructured":"Zerouali A, Constantinou E, Mens T, Robles G, Gonz\u00e1lez-Barahona J (2018) An empirical analysis of technical lag in npm package dependencies. In: International conference on software reuse. https:\/\/doi.org\/10.1007\/978-3-319-90421-4_6. Springer, pp 95\u2013110","DOI":"10.1007\/978-3-319-90421-4_6"},{"key":"9908_CR47","doi-asserted-by":"publisher","unstructured":"Zerouali A, Cosentino V, Robles G, Gonzalez-Barahona JM, Mens T (2019a) Conpan: a tool to analyze packages in software containers. In: Proceedings of the 16th international conference on mining software repositories. https:\/\/doi.org\/10.1109\/MSR.2019.00089. IEEE Press, pp 592\u2013596","DOI":"10.1109\/MSR.2019.00089"},{"key":"9908_CR48","doi-asserted-by":"publisher","unstructured":"Zerouali A, Mens T, Gonzalez-Barahona J, Decan A, Constantinou E, Robles G (2019b) A formal framework for measuring technical lag in component repositories\u2014and its application to npm. J Softw: Evol Process. https:\/\/doi.org\/10.1002\/smr.2157","DOI":"10.1002\/smr.2157"},{"key":"9908_CR49","doi-asserted-by":"publisher","unstructured":"Zerouali A, Mens T, Robles G, Gonzalez-Barahona JM (2019c) On the relation between outdated Docker containers, severity vulnerabilities, and bugs. In: International conference on software analysis, evolution and reengineering. https:\/\/doi.org\/10.1109\/SANER.2019.8668013. IEEE, pp 491\u2013501","DOI":"10.1109\/SANER.2019.8668013"},{"key":"9908_CR50","doi-asserted-by":"publisher","unstructured":"Zhou J, Chen W, Wu G, Wei J (2019) SemiTagRec: a semi-supervised learning based tag recommendation approach for Docker repositories. In: International conference on software and systems reuse. https:\/\/doi.org\/10.1007\/978-3-030-22888-0_10. Springer, pp 132\u2013148","DOI":"10.1007\/978-3-030-22888-0_10"},{"key":"9908_CR51","unstructured":"Zimmermann M, Staicu C-A, Tenny C, Pradel M (2019) Small world with high risks: a study of security threats in the npm ecosystem. In: USENIX security symposium, pp 1\u201316"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-020-09908-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10664-020-09908-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-020-09908-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,3,26]],"date-time":"2021-03-26T19:15:31Z","timestamp":1616786131000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10664-020-09908-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,20]]},"references-count":51,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2021,3]]}},"alternative-id":["9908"],"URL":"https:\/\/doi.org\/10.1007\/s10664-020-09908-6","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"type":"print","value":"1382-3256"},{"type":"electronic","value":"1573-7616"}],"subject":[],"published":{"date-parts":[[2021,2,20]]},"assertion":[{"value":"23 September 2020","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 February 2021","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"19"}}