Build automation tools and package managers have a profound influence on software development. They facilitate the reuse of third-party libraries, support a clear separation between the application’s code and its external dependencies, and automate several software development tasks. However, the wide adoption of these tools introduces new challenges related to dependency management. In this paper, we propose an original study of one such challenge: the emergence of bloated dependencies. Bloated dependencies are libraries that are packaged with the application’s compiled code but that are actually not necessary to build and run the application. They artificially grow the size of the built binary and increase maintenance effort. We propose DepClean, a tool to determine the presence of bloated dependencies in Maven artifacts. We analyze 9,639 Java artifacts hosted on Maven Central, which include a total of 723,444 dependency relationships. Our key result is as follows: 2.7% of the dependencies directly declared are bloated, 15.4% of the inherited dependencies are bloated, and 57% of the transitive dependencies of the studied artifacts are bloated. In other words, it is feasible to reduce the number of dependencies of Maven artifacts to 1/4 of its current count. Our qualitative assessment with 30 notable open-source projects indicates that developers pay attention to their dependencies when they are notified of the problem. They are willing to remove bloated dependencies: 21/26 answered pull requests were accepted and merged by developers, removing 140 dependencies in total: 75 direct and 65 transitive.

构建自动化工具和程序包管理器对软件开发产生深远影响。它们促进了第三方库的重用，支持在应用程序的代码与其外部依赖关系之间实现清晰的分离，并使多个软件开发任务自动化。但是，这些工具的广泛采用带来了与依赖项管理相关的新挑战。在本文中，我们提出了一项有关此类挑战的原始研究：:肿依赖性的出现。膨胀的依赖项是与应用程序的已编译代码打包在一起的库，但实际上并不是构建和运行应用程序所必需的。他们人为地增加了所生成二进制文件的大小，并增加了维护工作量。我们建议DepClean，一种用于确定Maven工件中是否存在dependencies肿的依赖关系的工具。我们分析了Maven Central上托管的9,639个Java工件，其中包括总共723,444个依赖关系。我们的主要结果如下：直接声明的2.7％的依赖项是肿的，继承的依赖项的15.4％是肿的，研究工件的传递依赖项的57％是肿的。换句话说，将Maven工件的依赖关系数量减少到当前数量的1/4是可行的。我们对30个著名的开源项目的定性评估表明，开发人员在收到问题通知时会注意他们的依赖关系。他们愿意删除肿的依赖关系：开发人员接受并合并了21/26回答的请求请求，总共删除了140个依赖关系：