{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T13:24:10Z","timestamp":1770729850593,"version":"3.49.0"},"reference-count":74,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","license":[{"start":{"date-parts":[[2024,7,12]],"date-time":"2024-07-12T00:00:00Z","timestamp":1720742400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2024,7,12]]},"abstract":"<jats:p>Modern software systems are increasingly dependent upon code from external packages (i.e., dependencies). Building upon external packages allows software reuse to span across projects seamlessly. Package maintainers regularly release updated versions to provide new features, fix defects, and address security vulnerabilities. Due to the potential for regression, managing dependencies is not just a trivial matter of selecting the latest versions. Since it is perceived to be less risky to retain a dependency than remove it, as projects evolve, they tend to accrue dependencies, exacerbating the difficulty of dependency management. It is not uncommon for a considerable proportion of external packages to be unused by the projects that list them as a dependency. Although such unused dependencies are not required to build and run the project, updates to their dependency specifications will still trigger Continuous Integration (CI) builds. The CI builds that are initiated by updates to unused dependencies are fundamentally wasteful. Considering that CI build time is a finite resource that is directly associated with project development and service operational costs, understanding the consequences of unused dependencies within this CI context is of practical importance.<\/jats:p>\n                  <jats:p>\n                    In this paper, we study the CI waste that is generated by updates to unused dependencies. We collect a dataset of 20,743 commits that are solely updating dependency specifications (i.e., the\n                    <jats:monospace>package.json<\/jats:monospace>\n                    file), spanning 1,487 projects that adopt\n                    <jats:monospace>npm<\/jats:monospace>\n                    for managing their dependencies. Our findings illustrate that 55.88% of the CI build time that is associated with dependency updates is only triggered by unused dependencies. At the project level, the median project spends 56.09% of its dependency-related CI build time on updates to unused dependencies. For projects that exceed the budget of free build minutes, we find that the median percentage of billable CI build time that is wasted due to unused-dependency commits is 85.50%. Moreover, we find that automated bots are the primary producers of dependency-induced CI waste, contributing 92.93% of the CI build time that is spent on unused dependencies. The popular\n                    <jats:monospace>Dependabot<\/jats:monospace>\n                    is responsible for updates to unused dependencies that account for 74.52% of that waste. To mitigate the impact of unused dependencies on CI resources, we introduce D\n                    <jats:sc>ep-s<\/jats:sc>\n                    CI\n                    <jats:sc>mitar<\/jats:sc>\n                    <jats:inline-graphic xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" xlink:href=\"3660823_uf01.svg\"\/>\n                    , an approach to cut down wasted CI time by identifying and skipping CI builds that are triggered due to unused-dependency commits. A retrospective evaluation of the 20,743 studied commits shows that D\n                    <jats:sc>ep-s<\/jats:sc>\n                    CI\n                    <jats:sc>mitar<\/jats:sc>\n                    <jats:inline-graphic xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" xlink:href=\"3660823_uf01.svg\"\/>\n                    reduces wasted CI build time by 68.34% by skipping wasteful builds with a precision of 94%.\n                  <\/jats:p>","DOI":"10.1145\/3660823","type":"journal-article","created":{"date-parts":[[2024,7,12]],"date-time":"2024-07-12T10:22:09Z","timestamp":1720779729000},"page":"2632-2655","source":"Crossref","is-referenced-by-count":6,"title":["Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem"],"prefix":"10.1145","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-6550-4181","authenticated-orcid":false,"given":"Nimmi Rashinika","family":"Weeraddana","sequence":"first","affiliation":[{"name":"University of Waterloo, Waterloo, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2621-6104","authenticated-orcid":false,"given":"Mahmoud","family":"Alfadel","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0193-3975","authenticated-orcid":false,"given":"Shane","family":"McIntosh","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,7,12]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.2967380"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2897300"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2009.09019"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10278-4"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3571848"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00037"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/236156.236184"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-014-9325-9"},{"key":"e_1_3_1_10_2","unstructured":"Arka Bhattacharya . 2014. Impact of continuous integration on software quality and productivity. Ph. D. Dissertation. The Ohio State University."},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASEW.2015.21"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3447245"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2012.6405295"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3416616"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM55253.2022.00017"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2952130"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3347446"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00074"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00050"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2023.111827"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387478"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00061"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387460"},{"key":"e_1_3_1_26_2","unstructured":"Paul M Duvall Steve Matyas and Andrew Glover. 2007. Continuous integration: improving software quality and reducing risk."},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2019.8870152"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3048335"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510211"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","unstructured":"Keheliya Gallaba Christian Macho Martin Pinzger and Shane McIntosh. 2018. Noise and heterogeneity in historical build data: an empirical study of travisci. In Proceedings of the 33rd International Conference on Automated Software Engineering. https:\/\/doi.org\/10.1145\/3238147.3238171 10.1145\/3238147.3238171","DOI":"10.1145\/3238147.3238171"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09695-9"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2941880"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22888-0_13"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","unstructured":"Mehdi Golzadeh Alexandre Decan and Tom Mens. 2022. On the rise and fall of CI services in GitHub. In 2022 IEEE International Conference on Software Analysis Evolution and Reengineering (SANER). https:\/\/doi.org\/10.1109\/SANER53432.2022.00084 10.1109\/SANER53432.2022.00084","DOI":"10.1109\/SANER53432.2022.00084"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2017.23"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3278129"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2021.111097"},{"key":"e_1_3_1_39_2","unstructured":"Michael Hilton Nicholas Nelson Danny Dig Timothy Tunnell Darko Marinov et al. 2016. Continuous integration (CI) needs and wishes for developers of proprietary code. (2016)."},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106270"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970358"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3106247"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2019.00055"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","unstructured":"Xianhao Jin and Francisco Servant. 2020. A cost-efficient approach to building in continuous integration. In Proceedings of the 42nd International Conference on Software Engineering. https:\/\/doi.org\/10.1145\/3377811.3380437 10.1145\/3377811.3380437","DOI":"10.1145\/3377811.3380437"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2022.111292"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576038"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev53368.2022.00027"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597074"},{"key":"e_1_3_1_49_2","unstructured":"Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node. js Applications. In RAID."},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3556896"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00030"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115621"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR59073.2023.00042"},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/MTD.2012.6225994"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9512-6"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2023.3243858"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3268920"},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME52107.2021.00056"},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2020.106392"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338925"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00059"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468589"},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","unstructured":"C\u00e9sar Soto-Valero Nicolas Harrand Martin Monperrus and Benoit Baudry. 2021. A comprehensive study of bloated dependencies in the maven ecosystem. Empirical Software Engineering 26 (2021). https:\/\/doi.org\/10.1007\/s10664-020-09914-8 10.1007\/s10664-020-09914-8","DOI":"10.1007\/s10664-020-09914-8"},{"key":"e_1_3_1_66_2","doi-asserted-by":"publisher","unstructured":"Mohsen Vakilian Raluca Sauciuc J David Morgenthaler and Vahab Mirrokni. 2015. Automated decomposition of build targets. In 2015IEEE\/ACM 37th IEEE International Conference on Software Engineering Vol. 1. IEEE 123-133. https:\/\/doi.org\/10.1109\/ICSE.2015.34 10.1109\/ICSE.2015.34","DOI":"10.1109\/ICSE.2015.34"},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2015.77"},{"key":"e_1_3_1_68_2","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786850"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2205.15086"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1109\/MTD.2013.6608678"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2024.3387840"},{"key":"e_1_3_1_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338922"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070503"},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","DOI":"10.1002\/smr.2157"},{"key":"e_1_3_1_75_2","article-title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","volume":"17","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In USENIX security symposium, Vol. 17.","journal-title":"USENIX security symposium"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3660823","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3660823","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T07:57:22Z","timestamp":1770191842000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3660823"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,12]]},"references-count":74,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2024,7,12]]}},"alternative-id":["10.1145\/3660823"],"URL":"https:\/\/doi.org\/10.1145\/3660823","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,12]]}}}