Join us for an ERIM research seminar.
- Speaker
- Coordinator
- Date
- Monday 4 May 2026, 11:00 - 12:30
- Type
- Seminar
- Location
- T09-67 or join via Teams
Abstract
Security vulnerabilities in external software components that provide pre-built functionality (i.e., dependencies) represent a major threat to software quality. When a vulnerable dependency is exploited, the resulting breach can cascade to all downstream software products that rely on it, causing widespread operational disruption. Consequently, developers must promptly remediate vulnerable dependencies. Automation has emerged as a promising approach to accelerating this process. We study whether adopting an automated dependency management tool, Dependabot, improves the speed at which vulnerable dependencies are resolved. Using data from open-source JavaScript packages, we identify instances of vulnerable dependencies. Our analysis shows that packages adopting Dependabot exhibit a 60% reduction in resolution time. However, automation is not a panacea. Even among adopters, vulnerabilities are not addressed immediately: the median resolution time is 82 days. We investigate the sources of these delays and find that, although Dependabot reduces attention-related frictions by re-engaging developers with inactive or low-maintenance packages, resolution is still constrained by human-driven factors, such as slow processing of automated code changes and the difficulty of verifying compatibility with other components.
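To make the measurement in the abstract concrete, the script below is an added illustration (not code from the seminar or from the study it describes). Given a constructed chronological history of the exact version a package's lockfile pins for one dependency, and a constructed advisory, it reports how long the package stayed on a version in the advisory's vulnerable range. The package name `example-lib`, the version numbers, the dates and the `resolutionTimeDays` / `versionInRange` helpers are all assumptions made for the example; the comparator range syntax (`>= 2.0.0, < 2.4.1`) mirrors the style advisory databases publish, but no real advisory is referenced.

```javascript
// Added example (not from the seminar or the study): how long did a package
// stay on a vulnerable pinned dependency version after the advisory appeared?

// Parse a plain x.y.z version (pre-release tags are out of scope here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A range is a comma-separated list of comparator clauses, e.g.
// ">= 2.0.0, < 2.4.1"; every clause must hold for the version to match.
function versionInRange(version, range) {
  return range.split(',').every((clause) => {
    const m = /^\s*(<=|>=|<|>|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1]) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

const isoDay = (ms) => new Date(ms).toISOString().slice(0, 10);

// history: chronological lockfile snapshots for one dependency, one per
// commit that changed the pinned version ({ date, name, version }).
// Returns null if the package was never exposed; otherwise the window
// with days === null while the package is still on a vulnerable version.
function resolutionTimeDays(history, advisory) {
  const published = Date.parse(advisory.published);
  let firstVulnerable = null;
  for (const snap of history) {
    const at = Date.parse(snap.date);
    const vulnerable = snap.name === advisory.package &&
      versionInRange(snap.version, advisory.vulnerableRange);
    if (vulnerable) {
      if (firstVulnerable === null) firstVulnerable = at;
      continue;
    }
    if (firstVulnerable === null) continue;
    // Moved off the vulnerable range. The clock only starts at disclosure:
    // a bump that landed before the advisory existed was not a response to
    // it, so that window is not an exposure at all.
    if (at <= published) { firstVulnerable = null; continue; }
    const start = Math.max(firstVulnerable, published);
    return {
      exposedSince: isoDay(start),
      resolvedAt: snap.date,
      days: Math.round((at - start) / 86400000),
    };
  }
  if (firstVulnerable === null) return null;
  return { exposedSince: isoDay(Math.max(firstVulnerable, published)), resolvedAt: null, days: null };
}

// Constructed advisory and lockfile history (all values made up).
const ADVISORY = { package: 'example-lib', vulnerableRange: '>= 2.0.0, < 2.4.1', published: '2024-03-01' };
const HISTORY = [
  { date: '2024-01-15', name: 'example-lib', version: '2.3.0' }, // vulnerable, but before disclosure
  { date: '2024-02-20', name: 'example-lib', version: '2.4.0' }, // still in the vulnerable range
  { date: '2024-04-10', name: 'example-lib', version: '2.4.1' }, // first patched version lands
];

console.log(JSON.stringify(resolutionTimeDays(HISTORY, ADVISORY)));
// → {"exposedSince":"2024-03-01","resolvedAt":"2024-04-10","days":40}
```

The one design choice worth noting is where the clock starts: at the later of the advisory's publication date and the commit that introduced the vulnerable version. Measuring from the version bump alone would count time during which nobody, automated or human, could have known there was anything to fix, and would inflate resolution times for long-lived dependencies.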
- More information
Join via Teams with meeting ID 382 111 259 380 and passcode wJ9G8EZ6.
