How to Prevent Failures Caused by Breaking Changes in JavaScript Libraries
When developing JavaScript applications, keeping npm dependencies up to date is a laborious and often neglected task. The fear of having to spend hours dealing with breaking changes in dependencies leads developers to ignore many dependency updates. But, as has been demonstrated countless times, using outdated dependencies is a major security concern. So what can be done to stop systems from running on severely outdated dependencies?
We present JSFIX, a tool developed at Aarhus University that automates the process of adapting JavaScript code to breaking changes. With JSFIX, npm package changelogs are formally described using a domain-specific semantic patch language. Provided with such a precise description of the breaking changes, JSFIX uses modern program analysis techniques to identify source locations affected by breaking changes. Once these source locations have been identified, JSFIX automatically transforms the program code to be compatible with the updated dependencies.
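A simplified version of the describe, locate, transform pipeline sketched above, written here as an added illustration in plain JavaScript rather than taken from JSFIX; the package name demo-lib, the renamed function and the client source are constructed, and a regex-based binding lookup stands in for the program analysis JSFIX performs.

```javascript
// Added illustration, not JSFIX code: describe -> locate -> transform for one
// kind of breaking change. Package, function names and client source are constructed.

// Step 1: declarative description of the breaking change. JSFIX uses its own
// semantic patch language; this object shape is a stand-in.
const breakingChange = {
  module: "demo-lib",   // hypothetical npm package
  kind: "rename",
  from: "readConfig",
  to: "loadConfig",
};

// Step 2: locate affected call sites. Searching for ".readConfig(" alone would
// also hit unrelated objects, so first resolve which identifiers are bound to
// the module via require(), then match member calls on exactly those names.
// (Regex stands in for the real program analysis; it misses destructuring,
// re-exports and dynamic property access.)
function findAffectedCalls(source, change) {
  const bindingRe = new RegExp(
    String.raw`(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]${change.module}['"]\s*\)`,
    "g");
  const aliases = [...source.matchAll(bindingRe)].map(m => m[1]);
  if (aliases.length === 0) return [];
  const callRe = new RegExp(
    String.raw`\b(${aliases.join("|")})\.${change.from}\s*\(`, "g");
  return [...source.matchAll(callRe)].map(m => ({ index: m.index, text: m[0] }));
}

// Step 3: rewrite only the located sites, leaving lookalikes untouched.
function applyRename(source, change) {
  let out = source;
  // Patch from the end so earlier offsets remain valid.
  for (const s of findAffectedCalls(source, change).reverse()) {
    const patched = s.text.replace(change.from, change.to);
    out = out.slice(0, s.index) + patched + out.slice(s.index + s.text.length);
  }
  return out;
}

// Constructed client code: two real uses and one lookalike on another object.
const clientSource = `
const lib = require("demo-lib");
const other = require("other-lib");
const a = lib.readConfig("app.json");
const b = other.readConfig("x");
const c = lib.readConfig ("b.json");
`;

console.log(applyRename(clientSource, breakingChange));
```

The lookalike `other.readConfig("x")` survives untouched, which is the distinction a plain text search cannot make and the reason locating affected sites needs analysis of where each identifier comes from.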