NuFix: Escape From NuGet Dependency Maze

2022 International Conference on Software Engineering

.NET is an open-source development platform for building projects and sharing packages among them. As of August 2021, there are nine actively used and updated .NET platform variations available in 220 versions. A .NET package is often designed to assume a set of dependencies, which correspond to specific versions of .NET platforms and the additional packages it depends on. These dependencies change as the .NET platforms and packages evolve, inducing compatibility issues. We call such issues dependency maze (DM) issues. We observe that multiple types of DM issues often occur in building a .NET project, and that fixing a DM issue tends to introduce new DM issues. As a result, many fixes involve a set of changes made to a project’s dependencies. Identifying these changes is challenging because of the large search space of possible dependency combinations.

To help .NET developers tackle DM issues, we empirically studied a set of real DM issues, learning their common fixing strategies and developers’ preferences in adopting these strategies. Based on these findings, we developed NuFix, an automated technique to repair DM issues. NuFix formulates the repair task as a binary integer linear optimization problem to effectively derive an optimal fix in line with the learnt developers’ preferences. The evaluation results show that NuFix can generate fixes for all the DM issues with 262 popular .NET projects. Most generated fixes are highly similar to the real documented ones. We invited ten .NET experts to manually validate NuFix’s generated fixes. Their feedback indicates that the fixes meet developers’ desired properties for the build management of .NET projects. We also reported our generated fixes to the corresponding .NET project developers for confirmation. Encouragingly, 20 project developers have replaced their real fixes with the ones derived by NuFix. Most of our fixes have been adopted by the affected projects, such as Dropbox.