Score
Managing reproducible Python/R environments and packages using conda and conda-forge channels by creating and exporting environments, resolving binary dependencies, and packaging artifacts for local development and deployment across platforms.
Existing Python vulnerability scanners suffer from significant false positives and false negatives due to their neglect of security backports in packaged libraries and operating system distributions. This work proposes a provenance-aware approach that integrates content-hash matching, dynamic binary version extraction, and cross-ecosystem call graph construction to establish fine-grained mappings between native dependencies in the Python and OS ecosystems for the first time. By accurately identifying the upstream or system package versions corresponding to bundled libraries, the method enables precise assessment of vulnerability reachability. Evaluation on 100,000 PyPI packages and 10 CVEs reveals 39 directly affected packages—collectively downloaded over 47 million times per month—and 312 indirectly affected packages, reducing false positive rates by up to 97%.
Multilingual projects suffer from three core challenges: absence of cross-ecosystem dependency modeling, lack of versioning for external system/hardware dependencies, and poor interoperability among package managers. This paper introduces HyperRes—the first formal dependency resolution system that unifies multilingual and multisystem dependencies into a verifiable hypergraph model. Its contributions are threefold: (1) an environment-aware, versioned dependency model grounded in hypergraph theory, explicitly representing implicit system- and hardware-level dependencies; (2) a bidirectional metadata translation framework enabling zero-migration interoperability across dozens of package managers (e.g., npm, pip, apt); and (3) a hybrid solving strategy integrating constraint satisfaction problem (CSP) techniques with environment-specialized algorithms to achieve consistent, precise cross-ecosystem dependency resolution. Empirical evaluation demonstrates that HyperRes significantly improves reliability and reproducibility in multilingual environment construction.
Python projects commonly suffer from dependency bloat, increasing maintenance overhead and security risks. Existing tools can only detect unused dependencies but require manual intervention for removal. This paper introduces DepClean, an end-to-end automated dependency minimization framework. It features a modular architecture compatible with diverse static and dynamic analysis tools, and innovatively integrates static parsing—supporting `.py`, `requirements.txt`, `setup.py`, and related formats—with lightweight dynamic analysis, significantly improving recall. Evaluated on 37 real-world pull requests, DepClean achieves 98.3% precision. Applied to 971 open-source packages, it identified 39 redundant dependencies; 39 corresponding PRs were submitted, with 6 already merged. To the best of our knowledge, this is the first work enabling fully automated identification and removal of unused dependencies across both configuration files and source code.
This study addresses the widespread lack of computational reproducibility in R supplementary code deposited on the Open Science Framework (OSF). A systematic audit of 296 published R code packages revealed that 98.8% incompletely declare dependencies. To address this, we propose the first automated reproducibility auditing framework tailored to the R ecosystem. It combines static source-code analysis—leveraging regular expressions and abstract syntax trees (ASTs)—to accurately infer dependencies, with Docker-based containerized execution and failure diagnostics (e.g., path errors, OS-specific inconsistencies, missing packages) to enable end-to-end environment reconstruction and validation. Experiments successfully executed 25.87% of scripts, identifying undeclared dependencies, hardcoded file paths, and cross-platform compatibility issues as the three primary barriers to reproducibility. The framework enables large-scale, low-cost, and scalable quantitative assessment of computational reproducibility in scholarly research, providing a practical toolchain to enhance transparency and verifiability.
This work addresses the challenge of highly manual and non-generalizable environment configuration in repository-level software engineering tasks by introducing RAT, the first language-agnostic framework for fully automated repository setup. RAT establishes an end-to-end pipeline comprising semantic initialization, task planning, invocation of specialized tools, and robust sandbox construction. To evaluate such systems realistically, the authors also release RATBench, the first benchmark reflecting the true distribution and heterogeneity of real-world code repositories. Experimental results demonstrate that RAT significantly outperforms strong existing baselines on RATBench, achieving an average 29.6% improvement in Environment Setup Success Rate (ESSR). This advance overcomes prior limitations that relied on predefined artifacts or were confined to specific programming languages.
Addressing challenges in FAIR principle implementation—including fragmented data and code lifecycles, lack of executable environments, and high technical barriers—this study proposes a unified open-science platform. The platform uniquely integrates version control, containerized computational environments, and modular project scaffolding to support end-to-end reproducible research, from grant proposal to publication. It interoperates with mainstream scientific toolchains, supports deployment on both local workstations and institutional servers, and provides a lightweight graphical user interface. Empirical validation demonstrates successful re-execution of over a dozen interdisciplinary studies published more than ten years ago, confirming the platform’s robust long-term reproducibility, cross-platform compatibility, and seamless execution across diverse domains. By significantly lowering technical adoption barriers for researchers, the platform enables practical integration of FAIR principles and reproducibility practices into routine scientific workflows.
This study addresses the widespread presence of package replicas in the Python Package Index (PyPI), which not only mislead developers but also serve as blind spots for known vulnerabilities and vectors for malware. Through a large-scale analysis of approximately 200,000 PyPI packages, the work integrates static code analysis, metadata comparison, and similarity detection, cross-referenced with vulnerability and malware databases to systematically uncover the prevalence and dual security risks of such replication practices. The research identifies 1,361 replica packages mimicking popular projects, 256 replicas harboring previously unknown vulnerabilities, and seven novel malicious replicas. Notably, it confirms that 4.79% of known malicious packages employ typosquatting or imitation of popular packages to carry out attacks.
This work addresses the lack of effective mechanisms to verify the consistency between distributed software artifacts and their source code in large-scale software distribution. To this end, we propose Lila, the first decentralized, reproducible build monitoring framework tailored to functional package management models. By aggregating distributed build reports into a reproducibility database, Lila enables continuous monitoring of over 80,000 software packages and sustains a reproducible build rate exceeding 90%. Our system not only fills a critical gap in reproducibility monitoring within functional package ecosystems but also bridges academic research and real-world deployment needs by delivering a scalable, decentralized infrastructure.
This work addresses the challenge that existing large language models often generate multi-file code repositories that fail to install or execute in real environments due to unsatisfied dependencies or incorrect internal references. The authors formulate repository-level code generation as an environment alignment problem and propose EnvGraph, a framework that jointly models external dependencies and internal references through a two-layer environmental representation. EnvGraph incorporates execution-evidence-driven attribution analysis and dynamically refines generation targets within an iterative alignment loop. This approach is the first to formally cast repository executability as an environment alignment task, enabling end-to-end generation of executable repositories. Experiments demonstrate that EnvGraph significantly outperforms current methods across multiple repository-scale benchmarks, improving functional correctness by 5.72–5.87 percentage points and non-functional quality by 4.58–8.66 percentage points.
This work addresses the widespread irreproducibility of academic Jupyter Notebooks caused by environment drift, missing dependencies, and implicit execution assumptions. The authors propose the first web-oriented, automated reproducibility engineering pipeline that systematically reconstructs and evaluates repository-level execution environments for notebooks hosted on GitHub. By leveraging dependency inference, auto-generated Docker containers, and isolated execution, the pipeline enables large-scale assessment of reproducibility. A novel four-category execution outcome framework is introduced to quantify reproduction fidelity. Evaluation on 443 real-world notebooks shows that containerization resolves 66.7% of dependency-related failures; however, only 46.3% achieve high output fidelity, demonstrating that while containerization is necessary, it is insufficient for bit-for-bit reproducibility. These findings underscore the critical need for systematic reproducibility evaluation in computational research.