Managing Software Component Quality with Automation: Evidence from Dependabot
Abstract
Problem definition: For software products, a significant quality concern is security vulnerabilities in external software components that offer pre-built functionalities (i.e., dependencies). If a dependency with a vulnerability (i.e., vulnerable dependency) is exploited by hackers, it can compromise and cause operational disruptions for all downstream software products relying on it. To ensure the quality and security of their software products, developers must promptly resolve each vulnerable dependency that their software uses (e.g., by updating the vulnerable version to a safe version). One promising strategy to expedite this process is automation. We investigate how the adoption of an automated dependency management tool called Dependabot improves the resolution speed of vulnerable dependencies. Methodology/results: Through the analysis of 1,963,957 JavaScript open-source software packages, we identified 476,738 instances of vulnerable dependencies. Our findings from survival analysis models reveal that packages adopting Dependabot exhibit a 2.499 times higher resolution hazard and, thus, are 60% faster at resolving vulnerable dependencies. However, automation may not be a panacea for addressing defective software components. Surprisingly, even among Dependabot adopters, vulnerable dependencies are not addressed immediately, with the median resolution time being 82 days. We unpack why automation's benefits are bounded in this context and show that, while Dependabot mitigates attention-related constraints by re-engaging developers with stale or inactive packages, delays can persist due to human-driven constraints, such as slow processing of proposed code modifications and complexity of verifying compatibility with other components. Managerial implications: Our results shed light on how automation can be harnessed to better safeguard the quality of external components in software products and provide guidance for overcoming technical and human impediments that limit its impact.

