ICSE ’18, May 27-June 3, 2018, Gothenburg, Sweden
Adding Sparkle to Social Coding: An Empirical Study of Repository Badges in the
npm Ecosystem
Asher Trockman, Shurui Zhou, Christian Kästner, Bogdan Vasilescu
GitHub Repository Badges
Enlarged to show detail.
Key features: Transparency & signaling
[Screenshot: GitHub profile page of ashleygwilliams (ashley williams), showing followers, popular repositories, repositories contributed to, and the public contributions calendar]
Badges are Reliable Signals (Mostly)
[Badges shown: build passing, coverage 94%, dependencies up to date, downloads 654/month]
• of the presence of tests
• of up-to-date and secure dependencies
• of the presence of tests in pull requests
• of popularity
Mixed methods study
Survey
• 32 maintainers, 57 contributors
• Maintainers:
  • What do you intend to signal?
  • What effects do you expect?
• Contributors:
  • What do badges tell you?
+
Repository Mining
• 294,941 npm packages
• Mined badge adoptions/removals from README files
• Measured proxies for code quality, test suite quality, popularity, dependency freshness, …
Popular Badges in
[Bar chart: percent of packages (x-axis, 10% to 30%) per badge; badges shown: build passing, coverage 94%, dependencies up to date, release v2.1.1, downloads 654/month, license BSD, code climate 4.0, code style standard, gitter join chat]
What do developers expect from badges?
• 32 Maintainers
  • What do you intend to signal?
  • What effects do you expect?
• 57 Contributors
  • What do badges tell you?
“indicator of product quality”
“welcoming contributions”
“expectations of contribution quality”
“dedicated to offering support”
“reduced chances of conflicting versions of dependencies”
Analysis
• Correlation: If all you saw was the badge, how much would that tell you?
• Regression Analysis: How much more does the badge tell you, relative to existing signals?
• Time Series Analysis: How do things change after adding the badge?
Signals of fresh dependencies
Step 1: Correlation
[Figure: Freshness (y-axis, log scale) by badge type; panels: Dep. Mgmt., Info; values shown: (−0.10), (−0.12); badges shown: dependencies up to date, npm v1.1.0]
• Based on survey: The adoption of dependency management badges correlates with fresher dependencies
• Freshness metric: lower is better (more up-to-date deps.)
Result: Dep. badges correlate with fresher dependencies
An Empirical Study of Repository Badges in the npm Ecosystem Conference’17, July 2017, Washington, DC, USA
Table 2: Dependency freshness models.

                                      Basic Model                   Full Model                    RDD
                                      response: freshness = 0       response: freshness = 0       response: log(freshness)
                                      17.3% deviance explained      17.4% deviance explained      R²m = 0.04, R²c = 0.35
                                      Coeffs (Err.)     LR Chisq    Coeffs (Err.)     LR Chisq    Coeffs (Err.)     Sum sq.
(Interc.)                             3.54 (0.03)***                3.50 (0.03)***                1.45 (0.09)***
Dep.                                  −1.78 (0.01)***   32077.8***  −1.79 (0.01)***   32292.8***  −0.04 (0.02)      3.01
RDep.                                 0.22 (0.01)***    610.3***    0.21 (0.01)***    560.6***    −0.01 (0.02)      0.11
Stars                                 −0.08 (0.00)***   301.4***    −0.09 (0.00)***   311.2***    0.00 (0.01)       0.00
Contr.                                −0.24 (0.01)***   500.5***    −0.25 (0.01)***   548.7***    −0.04 (0.02)*     4.39*
lastU                                 −0.65 (0.01)***   12080.9***  −0.64 (0.01)***   11537.9***  0.01 (0.02)       0.37
hasDM                                                               0.24 (0.03)***    116.1***    0.45 (0.08)***    2.43
hasInf                                                              0.11 (0.02)***    48.3***     0.04 (0.05)       0.45
hasDM:hasInf                                                        −0.05 (0.04)      1.9         −0.32 (0.10)**
hasOther                                                            0.01 (0.01)
time                                                                                              0.03 (0.00)***    82.99***
intervention                                                                                      −0.93 (0.03)***   1373.22***
time_after_intervention                                                                           0.11 (0.00)***    455.56***
time_after_intervention:hasDM                                                                     −0.10 (0.01)***   230.36***
time_after_intervention:hasInf                                                                    −0.00 (0.01)      1.14
time_after_intervention:hasDM:hasInf                                                              0.03 (0.01)**     10.62**

***p < 0.001, **p < 0.01, *p < 0.05; Dep: dependencies; RDep: dependents; Contr.: contributors; lastU: time since last update; hasDM: has dependency-manager badge; hasInf: has information badge; hasOther: adopts additional badges within 15 days

Typically, we cannot distinguish effects of practice adoption from effects of badge adoption; hence, our results can only be interpreted as exploring the reliability of the signal that a badge provides. Our analysis also does not consider the specific value shown on the badge (e.g., current coverage); although, as discussed, we expect that badges are usually adopted to signal good practices, a badge highlighting that a practice is not followed (e.g., low test coverage) might have a negative effect. We control for this indirectly in many models, e.g., by controlling for popularity in our analysis of downloads (Sec. 4.3); a more detailed analysis is outside the scope of this paper.

Regarding generalization beyond npm, the same limitations apply as discussed in Sec 3.1.

4.2 Signals of Updated Dependencies (H4, H5)
We explore our hypotheses grouped by response variable and start with a discussion of dependency freshness, as it clearly illustrates our 3-step analysis. We expect that dependency management badges correlate with more up-to-date and secure dependencies (H4), operationalized with our freshness metric (see Sec. 4.1), and at most a marginal effect from information-related badges (H5).

Correlation. In the most recent snapshot we analyze, 37 % of all packages with any dependencies had all up-to-date dependencies (freshness = 0). Supporting H4 and, surprisingly, contradicting H5, Fig. 2a reveals a small, but statistically significant difference: packages with a dependency-manager badge or an information badge tend to have overall fresher dependencies than packages without. We also find that dependency-manager badges are overproportionally adopted for packages with more dependencies.

Additional information. To test if the presence of badges associates with deeper-level indicators of freshness beyond other readily available signals, we fit a hurdle regression: a logistic regression to model the likelihood of freshness = 0 and a linear regression to model levels of freshness for packages with outdated dependencies. This hybrid modeling approach is necessary due to the bimodality of the data (Fig. 2a). As described in Sec. 4.1, the base models explain freshness given readily-available signals (stars, dependents, dependencies, contributors) and a control for time since package was last updated; the full models additionally model the presence of dependency-manager badges and information badges and their interaction, with controls for other badges adopted within 15 days.

We show the base and full logistic regression model (predicting whether a package has any outdated dependencies) in Table 2. The base model explains 17.3 % of the deviance; the full model explains 17.4 %. The difference is small but statistically significant (DeLong’s test for correlated ROC curves p < 0.001). The number of dependencies and the time since the last update explain the majority of the deviance, but dependency-manager badges add explanatory power: the odds of having fresh dependencies increase by 27% (e^0.24) for packages with dependency-manager badges (H4). Surprisingly, the effect of information badges is comparable: a 17 % increase in odds (H5). For the linear regression (predicting the severity of outdated dependencies for packages with outdated dependencies), we see a similar small but significant difference between base (22.1 %) and full models (22.8 %), and similar behavior of the badge predictors.

Longitudinal analysis. We collect a sample of 3,604 packages that satisfy the RDD requirements (9 months before/after the adoption of their first dependency-manager badge) and had dependencies, and keep 1,763 that had at least one month with freshness ≠ 0 during the +/- 9 (to avoid issues with the bimodality of the data). A trend is already visible from the longitudinal freshness data plotted for those packages in Fig. 3a, but a corresponding RDD model controlling for confounds (column RDD³ in Table 2) confirms that: The adoption of (any) badges correlates to a strong improvement in freshness (see the intervention term in the model), by about a factor 2.5 on average,⁴ after which freshness slightly decays again over time (the interpretation derives from the sum of the coefficients for time and time after intervention in the model, cf. RDD [65], which expresses the slope of the post-intervention trend). As hypothesized, the adoption of a dependency-manager badge is associated with a longer-lasting effect on freshness than other badges (see the interaction time after intervention * hasDM in the model; ≈ 80% slower decay). The interaction effect of information badges is negligible.

Discussion. Overall, results from all three steps confirm H4 that dependency-manager badges are a signal for practices that lead to fresher dependencies. However, the effect is not exclusive to dependency-manager badges; we speculate that any maintenance task involving README updates with more badges might involve other project cleanup, but the effect of dependency-manager badges is stronger and longer lived. The results are stable for different operationalizations of freshness and even for a vulnerability score that counts known vulnerabilities in a package’s dependencies as the Snyk and nsp services do (not shown due to space restrictions).
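
Added example (not from the paper): the segmented-regression reading used in the longitudinal analysis above, refit by ordinary least squares on constructed monthly data generated from the RDD coefficients in Table 2. The month coding (1 to 18, badge adopted after month 9), the noise level, and the use of plain OLS without package-level random effects or the other controls are assumptions of this example.

```python
import math
import random

# Coefficients copied from the RDD column of Table 2 (response: log(freshness)).
# Controls and the hasInf interactions are left out (assumption of this example).
TABLE2_RDD = {
    "intercept": 1.45,
    "time": 0.03,
    "intervention": -0.93,
    "time_after_intervention": 0.11,
    "time_after_intervention:hasDM": -0.10,
}
TERMS = list(TABLE2_RDD)


def design_row(month, has_dm):
    """One observation. Assumed coding: months 1..18, badge adopted after month 9."""
    after = 1.0 if month > 9 else 0.0               # intervention: level shift
    since = float(month - 9) if month > 9 else 0.0  # time_after_intervention
    return [1.0, float(month), after, since, since * has_dm]


def simulate(packages_per_group=100, noise_sd=0.1, seed=7):
    """Constructed data: log(freshness) for packages with and without a dep.-manager badge."""
    rng = random.Random(seed)
    beta = [TABLE2_RDD[t] for t in TERMS]
    rows, ys = [], []
    for has_dm in (0.0, 1.0):
        for _ in range(packages_per_group):
            for month in range(1, 19):
                x = design_row(month, has_dm)
                rows.append(x)
                ys.append(sum(b * v for b, v in zip(beta, x)) + rng.gauss(0.0, noise_sd))
    return rows, ys


def ols(rows, ys):
    """Ordinary least squares via the normal equations (X'X) b = X'y."""
    k = len(rows[0])
    a = [[sum(r[i] * r[j] for r in rows) for j in range(k)]
         + [sum(r[i] * y for r, y in zip(rows, ys))] for i in range(k)]
    for col in range(k):  # Gauss-Jordan elimination with partial pivoting
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(k):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * p for x, p in zip(a[r], a[col])]
    return [a[i][k] / a[i][i] for i in range(k)]


def interpret(coef):
    """Read the coefficients the way Sec. 4.2 does."""
    slope_other = coef["time"] + coef["time_after_intervention"]
    return {
        # log-transformed response, so the level change is a multiplicative factor
        "level_drop_factor": math.exp(-coef["intervention"]),
        # post-adoption slope = time + time_after_intervention (freshness decaying again)
        "post_slope_other_badge": slope_other,
        # the hasDM interaction flattens that slope for dependency-manager badges
        "post_slope_dep_badge": slope_other + coef["time_after_intervention:hasDM"],
    }


def fit_constructed():
    """Fit the segmented model to the constructed data and name the coefficients."""
    rows, ys = simulate()
    return dict(zip(TERMS, ols(rows, ys)))


if __name__ == "__main__":
    for label, coef in (("Table 2", TABLE2_RDD), ("refit on constructed data", fit_constructed())):
        print(label, {k: round(v, 3) for k, v in interpret(coef).items()})
```
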

4.3 Signals of Popularity (H2, H5, H6, H8)
We expect that adopting quality-assurance and popularity badges correlates with increases in downloads (H2, H6), and at most a marginal effect from information-related badges (H5). We follow the same three steps, analyzing monthly download counts as response.

³ Note that all packages modeled in the RDD adopted some badge during the alignment month, hence the control hasOther is subsumed by experimental design.
⁴ e^0.93 factor decrease in freshness score; note the log-transformed response, hence the exponentiation here.
Signals of fresh dependencies
Step 2: Regression Analysis
[Badges shown: dependencies up to date, npm v1.1.0]
• Based on survey: The adoption of dependency management badges correlates with fresher dependencies
• Freshness metric: lower is better (more up-to-date deps.)
Result: Dep. badges are the best signals of fresh dependencies
Signals of fresh dependencies
Step 2: Time Series Analysis
[Figure: Freshness (y-axis, log scale) vs. month index relative to badge (x-axis, −8 to 8), before badge and after badge adoption; annotations: decrease in level, decrease in slope; panel labels: hasInfo: FALSE, hasDepMgmt: TRUE, hasInfo: TRUE, hasDepMgmt: FALSE; badge shown: dependencies up to date]
• Based on survey: The adoption of dependency management badges correlates with fresher dependencies
• Freshness metric: lower is better (more up-to-date deps.)
Result: Dep. badges indicate improved dep. management practices
Signals of popularity
[Figure: Downloads (y-axis, log scale) for Badge: FALSE vs. TRUE by badge type; panels: QA, Popularity, Info; values shown: (0.18), (0.25), (0.12); badges shown: downloads 654/month, npm v1.1.0, build passing, coverage 94%]
[Figure: Downloads (y-axis, log scale) vs. month index relative to badge (x-axis, −8 to 8); badges shown: downloads 654/month, build passing, coverage 94%]
Result: Dep. badges are mostly reliable signals of popularity
Signals of test suite quality
[Figure: Test suite size / Project size (y-axis, 0.0 to 0.5) vs. month index relative to badge (x-axis, −8 to 8); badges shown: build passing, coverage 94%]
[Figure: Test Folder (Bytes) (y-axis, log scale) by badge type; panels: QA, Info; values shown: (0.55), (0.30); badges shown: build passing, npm v1.1.0, coverage 94%]
Result: Build status/code coverage badges indicate a test suite
Signals of PR quality
[Figure: Fraction PRs with tests (y-axis, 0.0 to 0.5) vs. month index relative to badge (x-axis, −8 to 8); badges shown: build passing, coverage 94%]
[Figure: Fraction PRs with tests (y-axis, 0% to 25%) by badge; badges shown: coverage 94%, build passing, build passing with coverage 94%]
Result: Build status+code coverage badges indicate more tests in PRs
Badges with underlying analyses:
[Badges shown: build passing, codacy A, code climate 4.0, issue resolution 3 h, dependencies out of date, docs, coverage 94%, vulnerabilities 0]
are stronger predictors than badges that merely state intentions or provide links:
[Badges shown: cdnjs v3.2.1, license BSD, commitizen friendly, gitter join chat, code style standard, Patreon, PRs welcome]
Take-aways
[Braces label the two badge groups: assessment signals and conventional signals]
Take-aways
When possible, design or choose the badge that takes the most work:
[Badges shown: slack 6/160 (assessment signal) > slack join (conventional signal)]
Adding Sparkle to Social Coding: An Empirical Study of Repository Badges in the npm Ecosystem
https://cmustrudel.github.io
[Summary slide: thumbnails of the earlier slides "Key features: Transparency & signaling", "Mixed methods study", "Take-aways", and "Signals of fresh dependencies, Step 2: Time Series Analysis"]