Nufix: Escape From NuGet Dependency Maze
Description
With the rapid evolution of the .NET ecosystem, managing dependencies in .NET projects becomes a critical challenge. Due to the fragmentation of .NET ecosystem, developers often suffer from dependency maze (DM) issues, i.e., package dependency constraints are violated (e.g, constraints on package versions and target platforms) when updating a project’s platform or dependency versions. DM issues are serious, since they can block the package installations, causing build errors. Fixing a DM issue can be challenging. Multiple DM issues often occur in a project at the same time. For those projects with large dependency graphs, fixing such issues is a time-consuming and error-prone process that exercises a series of changes in dependency constraints in response to newly induced DM issues. More importantly, when deciding a fixing solution, developers often consider their desired properties of configuration (e.g., installing fewer packages, inducing fewer risky build warnings). However, it is difficult for developers to imagine all possible dependency graphs affected by dependency changes, to figure out an optimal solution that satisfies their preferences. To help .NET developers tackle DM issues, we developed a tool, NuFix (VS plugin)(Homepage: http://www.nufix-dependency-maze.com/), to automatically generate fixes. It is built on top of our comprehensive study of developers’ preferences in fixing DM issues. By encoding the empirical findings into a linear optimization model, NuFix seeks for the global optimal fixing solution. One interesting feature of NuFix is that, it allows developers to customize and iteratively refine the search scope of package versions based on their requirements. A video demo is available at: https://youtu.be/8NECIM0wjhw
Our evaluation shows that NuFix can generate fixes for a given .NET project within 12 seconds and achieves a 100% fixing ratio for 262 real DM issues. We invited ten experienced .NET experts working in MSRA to evaluate the quality our generated fixes. Their feedback indicates that the generated fixes meet the developers' desired properties for the build management. Encouragingly, 20 projects (including affected projects such as Dropbox) have approved and merged our generated fixes, and shown great interests in our technique (the merged PRs are available on NuFix's website).