{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,30]],"date-time":"2026-03-30T15:08:37Z","timestamp":1774883317740,"version":"3.50.1"},"reference-count":48,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T00:00:00Z","timestamp":1768953600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T00:00:00Z","timestamp":1768953600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/501100004063","name":"Knut och Alice Wallenbergs Stiftelse","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004063","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2026,5]]},"DOI":"10.1007\/s10664-025-10789-w","type":"journal-article","created":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T09:09:40Z","timestamp":1768986580000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["The design space of lockfiles across package 
managers"],"prefix":"10.1007","volume":"31","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-7537-4961","authenticated-orcid":false,"given":"Yogya","family":"Gamage","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0293-2592","authenticated-orcid":false,"given":"Deepika","family":"Tiwari","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3505-3383","authenticated-orcid":false,"given":"Martin","family":"Monperrus","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4015-4640","authenticated-orcid":false,"given":"Benoit","family":"Baudry","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,1,21]]},"reference":[{"key":"10789_CR1","doi-asserted-by":"publisher","unstructured":"Alfadel M, Costa DE, Shihab E, Mkhallalati M (2021) On the use of dependabot security pull requests. In: 2021 IEEE\/ACM 18th International conference on mining software repositories (MSR), pp 254\u2013265. https:\/\/doi.org\/10.1109\/MSR52588.2021.00037","DOI":"10.1109\/MSR52588.2021.00037"},{"key":"10789_CR2","doi-asserted-by":"crossref","unstructured":"Abate P, Di\u00a0Cosmo R, Gousios G, Zacchiroli S (2020) Dependency solving is still hard, but we are getting better at it. In: 2020 IEEE 27th International conference on software analysis, evolution and reengineering (SANER), IEEE, pp 547\u2013551","DOI":"10.1109\/SANER48275.2020.9054837"},{"key":"10789_CR3","doi-asserted-by":"crossref","unstructured":"A\u00efdasso H, Sayagh M, Bordeleau F (2025) Build Optimization: A Systematic Literature Review. 
arXiv:2501.11940","DOI":"10.1145\/3757912"},{"key":"10789_CR4","doi-asserted-by":"crossref","unstructured":"Bogart C, K\u00e4stner C, Herbsleb J, Thung F (2021) When and How to Make Breaking Changes: Policies and Practices in 18 Open Source Software Ecosystems. ACM Trans Softw Eng Methodol","DOI":"10.1145\/3447245"},{"key":"10789_CR5","doi-asserted-by":"publisher","unstructured":"Bifolco D, Nocera S, Romano S, Di\u00a0Penta M, Francese R, Scanniello G (2024) On the accuracy of github\u2019s dependency graph. In: Proceedings of the 28th international conference on evaluation and assessment in software engineering. EASE \u201924, Association for Computing Machinery, New York, NY, USA, pp 242\u2013251. https:\/\/doi.org\/10.1145\/3661167.3661175","DOI":"10.1145\/3661167.3661175"},{"key":"10789_CR6","unstructured":"Bos AM (2023) A review of attacks against language-based package managers. arXiv:2302.08959"},{"key":"10789_CR7","doi-asserted-by":"crossref","unstructured":"Bi T, Xia B, Xing Z, Lu Q, Zhu L (2024) On the way to sboms: Investigating design issues and solutions in practice. ACM Trans Softw Eng Methodol","DOI":"10.1145\/3654442"},{"key":"10789_CR8","unstructured":"Cass S (2024) The top programming languages 2024. https:\/\/spectrum.ieee.org\/top-programming-languages-2024"},{"key":"10789_CR9","doi-asserted-by":"publisher","unstructured":"Cleare J, Iacob C (2018) Gemchecker: Reporting on the status of gems in ruby on rails projects. In: 2018 IEEE International conference on software maintenance and evolution (ICSME), pp 700\u2013704. https:\/\/doi.org\/10.1109\/ICSME.2018.00080","DOI":"10.1109\/ICSME.2018.00080"},{"issue":"2","key":"10789_CR10","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1145\/3329781.3344149","volume":"17","author":"R Cox","year":"2019","unstructured":"Cox R (2019) Surviving software dependencies: Software reuse is finally here but comes with risks. Queue 17(2):24\u201347. 
https:\/\/doi.org\/10.1145\/3329781.3344149","journal-title":"Queue"},{"key":"10789_CR11","doi-asserted-by":"publisher","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories. MSR \u201918, Association for Computing Machinery, New York, NY, USA, pp 181\u2013191. https:\/\/doi.org\/10.1145\/3196398.3196401","DOI":"10.1145\/3196398.3196401"},{"key":"10789_CR12","doi-asserted-by":"publisher","unstructured":"Goswami P, Gupta S, Li Z, Meng N, Yao D (2020) Investigating the reproducibility of npm packages. In: 2020 IEEE International conference on software maintenance and evolution (ICSME), pp 677\u2013681. https:\/\/doi.org\/10.1109\/ICSME46990.2020.00071","DOI":"10.1109\/ICSME46990.2020.00071"},{"key":"10789_CR13","doi-asserted-by":"crossref","unstructured":"Gu Y, Ying L, Pu Y, Hu X, Chai H, Wang R, Gao X, Duan H (2023) Investigating package related security threats in software registries. In: 2023 IEEE Symposium on security and privacy (SP), IEEE, pp 1578\u20131595","DOI":"10.1109\/SP46215.2023.10179332"},{"key":"10789_CR14","doi-asserted-by":"crossref","unstructured":"He H, Vasilescu B, K\u00e4stner C (2025) Pinning is futile: You need more than local dependency versioning to defend against supply chain attacks. arXiv:2502.06662","DOI":"10.1145\/3715728"},{"key":"10789_CR15","doi-asserted-by":"publisher","unstructured":"Kalliamvakou E, Gousios G, Blincoe K, Singer L, German DM, Damian D (2014) The promises and perils of mining github. In: Proceedings of the 11th working conference on mining software repositories. MSR 2014, Association for Computing Machinery, New York, NY, USA, pp 92\u2013101. 
https:\/\/doi.org\/10.1145\/2597073.2597074","DOI":"10.1145\/2597073.2597074"},{"issue":"2","key":"10789_CR16","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1145\/130844.130856","volume":"24","author":"CW Krueger","year":"1992","unstructured":"Krueger CW (1992) Software Reuse. ACM Comput Surveys 24(2):131\u2013183","journal-title":"ACM Comput Surveys"},{"key":"10789_CR17","unstructured":"Kalu KG, Singla T, Okafor C, Torres-Arias S, Davis JC (2024) An industry interview study of software signing for supply chain security. arXiv:2406.08198"},{"key":"10789_CR18","doi-asserted-by":"publisher","unstructured":"Kabir MMA, Wang Y, Yao D, Meng N (2022) How do developers follow security-relevant best practices when using npm packages? In: 2022 IEEE Secure development conference (SecDev), pp 77\u201383. https:\/\/doi.org\/10.1109\/SecDev53368.2022.00027","DOI":"10.1109\/SecDev53368.2022.00027"},{"issue":"1","key":"10789_CR19","doi-asserted-by":"publisher","first-page":"437","DOI":"10.1109\/TSE.2022.3152148","volume":"49","author":"H Li","year":"2023","unstructured":"Li H, C\u00f4go FR, Bezemer C (2023) An empirical study of yanked releases in the rust package registry. IEEE Trans Software Eng 49(1):437\u2013449","journal-title":"IEEE Trans Software Eng"},{"key":"10789_CR20","doi-asserted-by":"publisher","unstructured":"Liu C, Chen S, Fan L, Chen B, Liu Y, Peng X (2022) Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. In: Proceedings of the 44th international conference on software engineering. ICSE \u201922, Association for Computing Machinery, New York, NY, USA, pp 672\u2013684. https:\/\/doi.org\/10.1145\/3510003.3510142","DOI":"10.1145\/3510003.3510142"},{"key":"10789_CR21","doi-asserted-by":"crossref","unstructured":"Ladisa P, Plate H, Martinez M, Barais O (2023) Sok: Taxonomy of attacks on open-source software supply chains. 
In: 2023 IEEE Symposium on security and privacy (SP), IEEE, pp 1509\u20131526","DOI":"10.1109\/SP46215.2023.10179304"},{"issue":"2","key":"10789_CR22","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1109\/MS.2021.3073045","volume":"39","author":"C Lamb","year":"2022","unstructured":"Lamb C, Zacchiroli S (2022) Reproducible builds: Increasing the integrity of software supply chains. IEEE Softw 39(2):62\u201370","journal-title":"IEEE Softw"},{"key":"10789_CR23","doi-asserted-by":"publisher","unstructured":"Mohayeji H, Agaronian A, Constantinou E, Zannone N, Serebrenik A (2023) Investigating the resolution of vulnerable dependencies with dependabot security updates. In: 2023 IEEE\/ACM 20th International conference on mining software repositories (MSR), pp 234\u2013246. https:\/\/doi.org\/10.1109\/MSR59073.2023.00042","DOI":"10.1109\/MSR59073.2023.00042"},{"key":"10789_CR24","doi-asserted-by":"publisher","unstructured":"Mohayeji H, Agaronian A, Constantinou E, Zannone N, Serebrenik A (2025) Securing dependencies: A comprehensive study of dependabot\u2019s impact on vulnerability mitigation. Empirical Softw Eng 30(3). https:\/\/doi.org\/10.1007\/s10664-025-10638-w","DOI":"10.1007\/s10664-025-10638-w"},{"key":"10789_CR25","doi-asserted-by":"publisher","first-page":"471","DOI":"10.1007\/s10664-007-9040-x","volume":"12","author":"P Mohagheghi","year":"2007","unstructured":"Mohagheghi P, Conradi R (2007) Quality, productivity and economic benefits of software reuse: a review of industrial studies. Empirical Softw Eng 12:471\u2013516","journal-title":"Empirical Softw Eng"},{"issue":"13","key":"10789_CR26","doi-asserted-by":"publisher","first-page":"1753","DOI":"10.1177\/1049732315617444","volume":"26","author":"K Malterud","year":"2016","unstructured":"Malterud K, Siersma VD, Guassora AD (2016) Sample size in qualitative interview studies: Guided by information power. Qualitative Health Res 26(13):1753\u20131760. 
https:\/\/doi.org\/10.1177\/1049732315617444","journal-title":"Qualitative Health Res"},{"key":"10789_CR27","doi-asserted-by":"publisher","unstructured":"Ochoa L, Degueule T, Falleri J-R, Vinju J (2022) Breaking bad? semantic versioning and impact of breaking changes in maven central: An external and differentiated replication study. Empirical Softw Engg 27(3). https:\/\/doi.org\/10.1007\/s10664-021-10052-y","DOI":"10.1007\/s10664-021-10052-y"},{"key":"10789_CR28","doi-asserted-by":"publisher","unstructured":"Pinckney D, Cassano F, Guha A, Bell J, Culpo M, Gamblin T (2023) Flexible and optimal dependency management via max-smt. In: 2023 IEEE\/ACM 45th International conference on software engineering (ICSE), pp 1418\u20131429. https:\/\/doi.org\/10.1109\/ICSE48619.2023.00124","DOI":"10.1109\/ICSE48619.2023.00124"},{"key":"10789_CR29","doi-asserted-by":"publisher","unstructured":"Patra J, Dixit PN, Pradel M (2018) Conflictjs: Finding and understanding conflicts between javascript libraries. In: 2018 IEEE\/ACM 40th International conference on software engineering (ICSE), pp 741\u2013751. https:\/\/doi.org\/10.1145\/3180155.3180184","DOI":"10.1145\/3180155.3180184"},{"key":"10789_CR30","doi-asserted-by":"publisher","unstructured":"Reyes F, Baudry B, Monperrus M (2024) Breaking-Good: Explaining Breaking Dependency Updates with Build Analysis . In: 2024 IEEE International conference on source code analysis and manipulation (SCAM), IEEE Computer Society, Los Alamitos, CA, USA, pp 36\u201346. https:\/\/doi.org\/10.1109\/SCAM63643.2024.00014","DOI":"10.1109\/SCAM63643.2024.00014"},{"key":"10789_CR31","doi-asserted-by":"crossref","unstructured":"Rombaut B, Cogo FR, Adams B, Hassan AE (2023) There\u2019s no such thing as a free lunch: Lessons learned from exploring the overhead introduced by the greenkeeper dependency bot in npm. 
ACM Trans Softw Eng Methodol","DOI":"10.1145\/3522587"},{"key":"10789_CR32","doi-asserted-by":"publisher","unstructured":"Reyes F, Gamage Y, Skoglund G, Baudry B, Monperrus M (2024) Bump: A benchmark of reproducible breaking dependency updates. In: 2024 IEEE International conference on software analysis, evolution and reengineering (SANER), pp 159\u2013170. https:\/\/doi.org\/10.1109\/SANER60148.2024.00024","DOI":"10.1109\/SANER60148.2024.00024"},{"key":"10789_CR33","doi-asserted-by":"crossref","unstructured":"Rausch T, Hummer W, Leitner P, Schulte S (2017) An empirical analysis of build failures in the continuous integration workflows of java-based open-source software. In: 2017 IEEE\/ACM 14th International conference on mining software repositories (MSR), IEEE, pp 345\u2013355","DOI":"10.1109\/MSR.2017.54"},{"key":"10789_CR34","unstructured":"Radford A, Kim J.W, Xu T, Brockman G, McLeavey C, Sutskever I (2023) Robust speech recognition via large-scale weak supervision. In: Proceedings of the 40th international conference on machine learning. ICML\u201923"},{"key":"10789_CR35","doi-asserted-by":"crossref","unstructured":"Rahman I, Marley J, Enck W, Williams L (2025) Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floating? arXiv:2510.08609","DOI":"10.1109\/ASE63991.2025.00229"},{"key":"10789_CR36","unstructured":"Rahman I, Paramitha R, Zahan N, Magill S, Enck W, Williams L (2025) No Vulnerability Data, No Problem: Towards Predicting Mean Time To Remediate In Open Source Software Dependencies. arXiv:2403.17382"},{"key":"10789_CR37","doi-asserted-by":"publisher","unstructured":"Schorlemmer TR, Kalu KG, Chigges L, Ko KM, Ishgair EA, Bagchi S, Torres-Arias S, Davis JC (2024) Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors . In: 2024 IEEE Symposium on security and privacy (SP), IEEE Computer Society, Los Alamitos, CA, USA, pp 1160\u20131178. 
https:\/\/doi.org\/10.1109\/SP54263.2024.00215","DOI":"10.1109\/SP54263.2024.00215"},{"issue":"2","key":"10789_CR38","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1109\/MS.2012.38","volume":"29","author":"D Spinellis","year":"2012","unstructured":"Spinellis D (2012) Package management systems. IEEE Softw 29(2):84\u201386","journal-title":"IEEE Softw"},{"issue":"1","key":"10789_CR39","doi-asserted-by":"publisher","first-page":"703","DOI":"10.1038\/s41597-022-01819-z","volume":"9","author":"W Schueller","year":"2022","unstructured":"Schueller W, Wachs J, Servedio VDP, Thurner S, Loreto V (2022) Evolving collaboration, dependencies, and use in the rust open source software ecosystem. Scientific Data 9(1):703. https:\/\/doi.org\/10.1038\/s41597-022-01819-z","journal-title":"Scientific Data"},{"key":"10789_CR40","unstructured":"Vaidya RK, Carli LD, Davidson D, Rastogi V (2021) Security issues in language-based software ecosystems. arXiv:1903.02613"},{"key":"10789_CR41","doi-asserted-by":"crossref","unstructured":"Venturini D, Cogo FR, Polato I, Gerosa MA, Wiese IS (2023) I depended on you and you broke me: An empirical study of manifesting breaking changes in client packages. ACM Trans Softw Eng Methodol","DOI":"10.1145\/3576037"},{"key":"10789_CR42","doi-asserted-by":"crossref","unstructured":"Williams L, Benedetti G, Hamer S, Paramitha R, Rahman I, Tamanna M, Tystahl G, Zahan N, Morrison P, Acar Y, Cukier M, K\u00e4stner C, Kapravelos A, Wermke D, Enck W (2025) Research directions in software supply chain security. ACM Trans Softw Eng Methodol","DOI":"10.1145\/3714464"},{"key":"10789_CR43","doi-asserted-by":"publisher","unstructured":"Wang Y, Qiao L, Xu C, Liu Y, Cheung S-C, Meng N, Yu H, Zhu Z (2021) Hero: On the chaos when path meets modules. In: Proceedings of the 43rd international conference on software engineering. ICSE \u201921, pp 99\u2013111. 
https:\/\/doi.org\/10.1109\/ICSE43902.2021.00022","DOI":"10.1109\/ICSE43902.2021.00022"},{"key":"10789_CR44","doi-asserted-by":"publisher","unstructured":"Wang Y, Wen M, Liu Y, Wang Y, Li Z, Wang C, Yu H, Cheung S-C, Xu C, Zhu Z (2020) Watchman: Monitoring dependency conflicts for python library ecosystem. In: 2020 IEEE\/ACM 42nd International conference on software engineering (ICSE), pp 125\u2013135. https:\/\/doi.org\/10.1145\/3377811.3380426","DOI":"10.1145\/3377811.3380426"},{"key":"10789_CR45","doi-asserted-by":"publisher","unstructured":"Wang C, Wu R, Song H, Shu J, Li G (2023) smartpip: A smart approach to resolving python dependency conflict issues. In: Proceedings of the 37th IEEE\/ACM International conference on automated software engineering. ASE \u201922. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3551349.3560437","DOI":"10.1145\/3551349.3560437"},{"key":"10789_CR46","doi-asserted-by":"publisher","unstructured":"Wang X, Wang M, Shen W, Chang R (2025) Understanding and Detecting Peer Dependency Resolving Loop in npm Ecosystem. In: 2025 IEEE\/ACM 47th International conference on software engineering (ICSE), pp 591\u2013591. IEEE Computer Society, Los Alamitos, CA, USA. https:\/\/doi.org\/10.1109\/ICSE55347.2025.00054","DOI":"10.1109\/ICSE55347.2025.00054"},{"key":"10789_CR47","doi-asserted-by":"publisher","unstructured":"Wang Y, Wen M, Wu R, Liu Z, Tan SH, Zhu Z, Yu H, Cheung S-C (2019) Could i have a stack trace to examine the dependency conflict issue? In: 2019 IEEE\/ACM 41st International conference on software engineering (ICSE), pp 572\u2013583. https:\/\/doi.org\/10.1109\/ICSE.2019.00068","DOI":"10.1109\/ICSE.2019.00068"},{"key":"10789_CR48","doi-asserted-by":"publisher","unstructured":"Yu S, Song W, Hu X, Yin H (2024) On the correctness of metadata-based sbom generation: A differential analysis approach. 
In: 2024 54th Annual IEEE\/IFIP International conference on dependable systems and networks (DSN), pp 29\u201336. https:\/\/doi.org\/10.1109\/DSN58291.2024.00018","DOI":"10.1109\/DSN58291.2024.00018"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10789-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10789-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10789-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,30]],"date-time":"2026-03-30T14:37:17Z","timestamp":1774881437000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10789-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,21]]},"references-count":48,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2026,5]]}},"alternative-id":["10789"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10789-w","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,21]]},"assertion":[{"value":"25 July 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 December 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article 
History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"None","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}},{"value":"This paper includes minimal-risk data collected from developers during interviews. Participation in the study was entirely voluntary. All data collected from participants were anonymized and were handled in accordance with the\n                      \n                      . Prior to the study, we obtained approval from our organization\u2019s Research Ethics Board (REB).","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical Considerations"}},{"value":"Generative AI was not used for the generation of any part of the content in this paper or for data analysis. Grammarly, a tool that uses AI, was used for spell checking, grammar correction, and improving writing clarity.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Generative AI"}},{"value":"Not applicable","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Clinical Trial Number"}}],"article-number":"63"}}