PulseAugur / Brief

Multi-source AI news clustered, deduplicated, and scored 0–100 across authority, cluster strength, headline signal, and time decay.

  1. Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floating?

    A new study published on arXiv investigates the trade-offs between pinning and floating dependency versions in software development. Researchers analyzed trends in the npm, PyPI, and Cargo ecosystems to determine how different version constraint types affect the likelihood of dependencies becoming outdated or vulnerable. The findings indicate that while pinning can prevent supply chain attacks, it often leads to outdated dependencies. Floating-minor was found to be the most common constraint type for outdated and vulnerable dependencies, whereas floating-major was least likely to result in outdated dependencies.
