🤖 AI Summary
This study investigates how dependency version constraint strategies—fixed versus floating versions—affect dependency staleness and vulnerability exposure. Through large-scale empirical analysis across the npm, PyPI, and Cargo ecosystems, it introduces survival analysis to model dependency state transitions, quantifying the probabilities of staleness or compromise under distinct constraint types (e.g., floating-minor, floating-major). Results show that floating-major constraints yield the lowest staleness probability, while floating-minor constraints minimize vulnerability risk; yet floating-minor is the most widely adopted in practice, failing to achieve optimal security–stability trade-offs. The work proposes the first cross-ecosystem empirical evaluation framework for dependency constraint strategies, enabling data-driven version management decisions. It advances software supply chain security by promoting fine-grained, evidence-based dependency governance practices.
📝 Abstract
Developers consistently use version constraints to specify acceptable versions of their project's dependencies. Pinning dependencies can reduce the likelihood of breaking changes, but comes at the cost of manually managing the replacement of outdated and vulnerable dependencies. On the other hand, floating can be used to automatically pick up bug fixes and security fixes, but comes with the risk of breaking changes. Security practitioners advocate pinning dependencies to protect against software supply chain attacks, e.g., malicious package updates. However, since pinning is the tightest version constraint, pinning is the most likely to result in outdated dependencies. Nevertheless, how the likelihood of dependencies becoming outdated or vulnerable changes across version constraint types is unknown. The goal of this study is to aid developers in making an informed dependency version constraint choice by empirically evaluating, at scale, the likelihood of dependencies becoming outdated or vulnerable across version constraint types. In this study, we first identify the trends in dependency version constraint usage and the patterns of version constraint type changes made by developers in the npm, PyPI, and Cargo ecosystems. We then model the dependency state transitions using survival analysis and estimate how the likelihood of becoming outdated or vulnerable changes when using pinning as opposed to the other version constraint types. We observe that among outdated and vulnerable dependencies, the most commonly used version constraint type is floating-minor, with pinning being the next most common. We also find that floating-major is the least likely to result in outdated dependencies and floating-minor is the least likely to result in vulnerable dependencies.
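The constraint types the abstract compares (pinning, floating-patch, floating-minor, floating-major) are defined by which version component a constraint lets the resolver move. The following added example, which is not code from the paper or from any package manager, turns npm, PyPI and Cargo constraint strings into a [low, high) range, names the type from that range, and checks whether the newest published release would be picked up automatically, i.e. whether the dependency counts as outdated under that constraint. Range semantics follow the documented behaviour of npm caret and tilde ranges, PEP 440 `==` and `~=`, and Cargo's rule that a bare version is a caret range; the release list is constructed for the illustration, and only the common constraint shapes are handled (anything else raises `ValueError`).

```python
"""Classify dependency version constraints by how far they float and check
whether the newest release would be pulled in automatically.

Added illustration, not code from the paper or any package manager.
Only major.minor.patch versions and the common operator shapes are handled.
"""
import re
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, int, int]

# Optional operator followed by a version with one to three numeric components.
_PART = re.compile(r"(\^|~=|~|==|=|>=|<)?v?(\d+(?:\.\d+){0,2})")


def parse_version(text: str) -> Version:
    """'1.2' -> (1, 2, 0): missing trailing components are zero-filled."""
    if not re.fullmatch(r"v?\d+(?:\.\d+){0,2}", text):
        raise ValueError(f"unsupported version: {text!r}")
    parts = [int(p) for p in text.lstrip("v").split(".")]
    return (parts + [0, 0, 0])[0], (parts + [0, 0, 0])[1], (parts + [0, 0, 0])[2]


@dataclass(frozen=True)
class Constraint:
    low: Version             # lowest acceptable version, inclusive
    high: Optional[Version]  # exclusive upper bound; None means unbounded

    @property
    def kind(self) -> str:
        """Name the type by the most significant component the range lets move."""
        lo, hi = self.low, self.high
        if hi is None:
            return "floating-major"
        if hi[0] != lo[0]:
            return "floating-minor" if hi == (lo[0] + 1, 0, 0) else "floating-major"
        if hi[1] != lo[1]:
            return "floating-patch" if hi == (lo[0], lo[1] + 1, 0) else "floating-minor"
        return "pinning" if hi == (lo[0], lo[1], lo[2] + 1) else "floating-patch"

    def allows(self, v: Version) -> bool:
        return self.low <= v and (self.high is None or v < self.high)


def parse_constraint(spec: str, ecosystem: str) -> Constraint:
    """Turn a constraint string into a [low, high) range.

    ecosystem is 'npm', 'pypi' or 'cargo'; it decides what a bare version means
    (exact in npm, caret range in Cargo). Comma-separated parts are ANDed.
    """
    spec = spec.replace(" ", "")
    if spec in ("", "*"):
        return Constraint((0, 0, 0), None)
    low: Version = (0, 0, 0)
    high: Optional[Version] = None
    for part in spec.split(","):
        m = _PART.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported constraint: {spec!r}")
        op, text = m.group(1), m.group(2)
        v, ncomp = parse_version(text), text.count(".") + 1
        if op is None:                       # bare version
            op = "^" if ecosystem == "cargo" else "=="
        if op in ("==", "="):                # exact: only this version
            low, high = v, (v[0], v[1], v[2] + 1)
        elif op == "^":                      # caret: first non-zero component is fixed
            low = v
            if v[0] > 0:
                high = (v[0] + 1, 0, 0)
            elif v[1] > 0:
                high = (0, v[1] + 1, 0)      # ^0.2.3 only floats the patch level
            else:
                high = (0, 0, v[2] + 1)
        elif op in ("~", "~="):              # tilde (npm/Cargo) or PEP 440 compatible release
            if op == "~=" and ncomp < 2:
                raise ValueError("~= needs at least major.minor")
            low = v
            # '~1' floats the minor; '~=1.4' (two components) floats the minor too.
            floats_minor = (ncomp == 1) if op == "~" else (ncomp == 2)
            high = (v[0] + 1, 0, 0) if floats_minor else (v[0], v[1] + 1, 0)
        elif op == ">=":
            low = v
        elif op == "<":
            high = v
    if high is not None and high <= low:
        raise ValueError(f"empty range: {spec!r}")
    return Constraint(low, high)


def newest_allowed(c: Constraint, releases: list[Version]) -> Optional[Version]:
    ok = [r for r in releases if c.allows(r)]
    return max(ok) if ok else None


def outdated(c: Constraint, releases: list[Version]) -> bool:
    """True when the constraint cannot pull in the newest published release."""
    return newest_allowed(c, releases) != max(releases)


# Constructed release history for one hypothetical package.
RELEASES: list[Version] = [(1, 4, 2), (1, 5, 0), (1, 5, 1), (2, 0, 0), (2, 1, 0)]

if __name__ == "__main__":
    for eco, spec in [("npm", "1.4.2"), ("npm", "~1.4.2"), ("npm", "^1.4.2"),
                      ("npm", ">=1.4.2"), ("pypi", "~=1.4"), ("pypi", ">=1.4.2,<2"),
                      ("cargo", "1.4.2"), ("cargo", "=1.4.2"), ("cargo", "0.2.3")]:
        c = parse_constraint(spec, eco)
        print(f"{eco:5} {spec:12} {c.kind:15} newest={newest_allowed(c, RELEASES)} "
              f"outdated={outdated(c, RELEASES)}")
```

Running it shows the trade-off the abstract describes in concrete terms: with the constructed history above, only the floating-major constraint (`>=1.4.2`) resolves to 2.1.0; `^1.4.2` stops at 1.5.1, and the pinned `1.4.2` never moves. Note that Cargo's bare `1.4.2` is classified as floating-minor while npm's bare `1.4.2` is pinning, which is why the ecosystem argument is needed.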