Upgradvisor

Upgradvisor, a fusion of “upgrade” and “advisor”, is a research project from Columbia University’s RCS lab. Using both static and dynamic analysis, you can rapidly and safely adopt the latest version of your dependencies.

Check out our GitHub app


Upgrade your dependencies with confidence.

Fast-paced release schedules along with aging dependencies leave applications susceptible to security risks and unexpected breakage. We present UPGRADVISOR, a system that reduces developer effort in evaluating dependency updates and can, in many cases, automatically determine which updates are backward-compatible versus API-breaking.

UPGRADVISOR introduces a novel co-designed static analysis and dynamic tracing mechanism to gauge the scope and effect of dependency updates on an application. Static analysis prunes changes irrelevant to an application and clusters relevant ones into targets. Dynamic tracing needs to focus only on whether targets affect an application, making it fast and accurate. UPGRADVISOR handles dynamic interpreted languages while accounting for their lack of type information. A modified interpreter captures program execution while ignoring interpreter machinery.

We have implemented UPGRADVISOR for Python and evaluated it on 172 dependency updates previously blocked from being adopted in widely-used open-source software, including Django, aws-cli, tfx, and Celery. UPGRADVISOR automatically determined that 56% of dependencies were safe to update and reduced by >90% the changes that needed to be considered by dynamic tracing. UPGRADVISOR’s tracer incurred only 3% overhead on average, making it fast enough to deploy in practice. We submitted safe updates that were previously blocked as pull requests for nine projects, and their developers have already merged most of them.
See the paper (OSDI '22).

Analysis of aws-cli

This example shows an upgrade opportunity for aws-cli version 1.21.8. Initially, this project specified 'colorama>=0.2.5,<0.4.4' as one of its dependencies. At the time, colorama version 0.4.4 already existed but was blocked from use by this constraint, so version 0.4.3 was the latest version that could actually be used.
Using Upgradvisor, we performed a dedicated analysis of the difference between colorama versions 0.4.3 and 0.4.4 as used by aws-cli. This analysis indicated that the changes between 0.4.3 and 0.4.4 do not affect aws-cli. The graph below shows the dependency path from aws-cli to colorama.
Graph legend
Each node in the graph represents a Python method (with some exceptions). aws-cli code is shown in green, and the code calling colorama is shown in orange. Changes between versions 0.4.3 and 0.4.4 are marked with a star.
Graph analysis
From the graph, we can see that aws-cli only calls colorama's initialise method, which itself has no changes between 0.4.3 and 0.4.4. The graph also shows that the changes between 0.4.3 and 0.4.4 are confined to AnsiToWin32.py and, apart from a change that formally recognizes \x07 as BEL, consist of changes to the OSC regex. The regex changes were made solely to prevent a catastrophic backtracking bug.
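The target-focused tracing described above (static analysis narrows an update to a few changed functions, dynamic tracing then checks whether the application ever reaches them) and the aws-cli verdict, as an added illustration that is not Upgradvisor's code: the set of changed functions is constructed by hand rather than computed by static analysis, a stand-in `dep` module replaces colorama, and a stock `sys.setprofile` hook replaces the paper's modified interpreter.

```python
"""Added illustration of target-focused dynamic tracing (not Upgradvisor's code)."""
import sys
import types

# Constructed stand-in for a dependency: a tiny module with three functions.
dep = types.ModuleType("dep")
exec(
    "def init(): return 'init'\n"
    "def helper(s): return s.upper()\n"
    "def osc_strip(s): return helper(s).replace('\\x1b', '')\n",
    dep.__dict__,
)

# Constructed: pretend the upgrade changed only these two functions. In
# Upgradvisor this set ("targets") would come from the static-analysis step.
CHANGED_TARGETS = {"dep.osc_strip", "dep.helper"}


def trace_targets(app, targets):
    """Run app() under a profile hook and return the targets actually executed."""
    hit = set()

    def hook(frame, event, arg):
        # Only Python-level call events matter; interpreter machinery is ignored.
        if event == "call":
            qualname = f"{frame.f_globals.get('__name__')}.{frame.f_code.co_name}"
            if qualname in targets:
                hit.add(qualname)

    sys.setprofile(hook)
    try:
        app()
    finally:
        sys.setprofile(None)
    return hit


def app_safe():
    """Constructed app that, like aws-cli with colorama, only reaches an unchanged function."""
    return dep.init()


def app_affected():
    """Constructed app that reaches a changed target (and, transitively, a second one)."""
    return dep.osc_strip("\x1b]0;title\x07")


def verdict(app, targets=CHANGED_TARGETS):
    """'safe' when no changed target was executed, otherwise the targets to review."""
    hit = trace_targets(app, targets)
    return ("safe" if not hit else "needs review", sorted(hit))
```

A real deployment would have to trace the application's full test suite or representative workload; a target that is never reached in the traced run is only known to be unreached by that run.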
Dependency Updates Evaluated


Want to help or know more? Feel free to reach out to Yaniv on Twitter at @YanivDa or through email at yaniv.david@columbia.edu.