Flexible and Optimal Dependency Management via Max-SMT

May 14, 2023
Donald Pinckney, Federico Cassano, Arjun Guha, Jonathan Bell, Massimiliano Culpo, Todd Gamblin
Type: Publication
ICSE 2023

Dependency management is unfortunately not as simple as installing the dependencies you want. Part of software engineering now involves carefully selecting dependency versions so that you get newer versions, avoid security vulnerabilities, unify dependencies on the same package into a single version, and so on. These goals are often at odds, and existing package managers' baked-in heuristics do not handle them well.

To solve this, we built MaxNPM, a fork of the NPM CLI that lets users customize dependency-solving goals, so that software developers can guide the tooling appropriately for their situation. We evaluated MaxNPM on a large sample of packages from the NPM ecosystem and show that it can reduce vulnerabilities in dependencies, choose newer dependencies than NPM, and choose fewer dependencies than NPM.
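As an added illustration (not code from the paper or from MaxNPM itself), the toy solver below shows the idea behind user-selectable solving goals: hard constraints must hold, while soft objectives (vulnerability count, staleness, dependency count) are minimized in whatever priority order the user chooses, so the same registry resolves differently under different goals. The registry, version numbers and vulnerability flags are constructed, and an exhaustive search stands in for a real Max-SMT solver.

```javascript
// Constructed toy registry (not real NPM data): pkg -> version -> { deps: {pkg: allowed versions}, vuln }
const REGISTRY = {
  a: { 1: { deps: { c: [1, 2] }, vuln: false }, 2: { deps: { c: [2, 3] }, vuln: false } },
  b: { 1: { deps: { c: [1, 2] }, vuln: false }, 2: { deps: { c: [3] }, vuln: true } },
  c: { 1: { deps: {}, vuln: false }, 2: { deps: {}, vuln: false }, 3: { deps: { d: [1] }, vuln: false } },
  d: { 1: { deps: {}, vuln: false } },
};
const ROOT_DEPS = { a: [1, 2], b: [1, 2] }; // what the application itself declares
// Hard constraints: root deps satisfied, every installed package's deps satisfied, one version per package, no orphans.
function isValid(plan) {
  const satisfied = (deps) => Object.entries(deps).every(([p, ok]) => ok.includes(plan[p]));
  if (!satisfied(ROOT_DEPS)) return false;
  const required = new Set(Object.keys(ROOT_DEPS));
  for (const [p, v] of Object.entries(plan)) {
    const deps = REGISTRY[p][v].deps;
    if (!satisfied(deps)) return false;
    Object.keys(deps).forEach((q) => required.add(q));
  }
  return Object.keys(plan).every((p) => required.has(p));
}
// Soft objectives, each a cost to minimize; the user picks the priority order among them.
const latest = (p) => Math.max(...Object.keys(REGISTRY[p]).map(Number));
const OBJECTIVES = {
  vulns: (plan) => Object.entries(plan).filter(([p, v]) => REGISTRY[p][v].vuln).length,
  oldness: (plan) => Object.entries(plan).reduce((s, [p, v]) => s + latest(p) - v, 0),
  count: (plan) => Object.keys(plan).length,
};
// Lexicographic comparison of cost vectors: earlier objectives dominate later ones.
const lexLess = (x, y) => { for (let k = 0; k < x.length; k++) if (x[k] !== y[k]) return x[k] < y[k]; return false; };

// Exhaustive search (each package absent or at one version) standing in for a Max-SMT solver.
function solve(priority) {
  const pkgs = Object.keys(REGISTRY);
  let best = null, bestCost = null;
  const visit = (i, plan) => {
    if (i === pkgs.length) {
      if (!isValid(plan)) return;
      const cost = priority.map((o) => OBJECTIVES[o](plan));
      if (best === null || lexLess(cost, bestCost)) { best = { ...plan }; bestCost = cost; }
      return;
    }
    visit(i + 1, plan); // leave pkgs[i] out entirely
    for (const v of Object.keys(REGISTRY[pkgs[i]]).map(Number)) {
      plan[pkgs[i]] = v; visit(i + 1, plan); delete plan[pkgs[i]];
    }
  };
  visit(0, {});
  return best;
}
```

With vulnerabilities prioritized, `solve(['vulns', 'oldness', 'count'])` keeps `b` at version 1 and avoids the vulnerable release, whereas `solve(['oldness', 'vulns', 'count'])` takes the newest versions and accepts both the vulnerability and the extra package `d`.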