Analysis of Dependency Networks of Package Managers Used in iOS Development

Using third-party libraries is common practice when writing software. Nevertheless, vulnerabilities can be found in even very popular and well-tested libraries. Once detected, these vulnerabilities are often fixed quickly in the library code. The easiest way to include these fixes in a dependent software application, is to update the used library version. Package managers provide automated solutions to updating library dependencies, which make this process easier. Using a package manager, it is easy to declare as many dependencies as needed. However, library dependencies can have dependencies to other libraries creating a dependency network with several levels of indirections. Assessing vulnerability risks induced by dependency networks is a non-trivial task for developers of software applications.

The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager. These three package managers are used when developing, for example, iOS or Mac OS applications in Swift or Objective-C. Recently, we created a library dependency network dataset for the Swift ecosystem. In this article, we explain in full detail how we built this dataset.  We provide the first analysis of the library dependency network evolution in the Swift ecosystem and present one example of how the dataset can be used to analyze the spread of known vulnerabilities through the library dependency network. 

We found that, although CocoaPods is the package manager with the biggest set of libraries, the difference to other package managers is not as big as expected. The youngest package manager and official package manager for Swift, Swift PM, is becoming more and more popular, resulting in a gradual slow-down of the growth of the other two package managers. 

When analyzing direct and transitive dependencies, we found that the mean total number of dependencies is lower in the Swift compared to many other ecosystems. This results in less libraries being affected by vulnerable dependencies through transitive dependencies. We found that only 5.9% of connected libraries had a direct or transitive dependency to a vulnerable library.