TLDR: it boils down to analysing dependencies at the level of the callgraph; but building those callgraphs isn't easy. The benefit in the security use case is ~3x increased accuracy when identifying vulnerable packages (by eliminating false positives).
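Added example (not from the paper summarised above or its tooling) of why the callgraph level cuts false positives: a manifest-level check flags every package that has an advisory, while a reachability walk from the application's entry point flags only the package whose vulnerable function is actually called. The call graph, package names and advisory data are constructed placeholders.

```python
"""Package-level vs callgraph-level vulnerability reachability (constructed toy example)."""
from collections import deque

# Constructed sample call graph: nodes are "package:function", edges are caller -> callees.
# The app uses yamlpkg:safe_load but never yamlpkg:load, so construct_object is dead code for it.
CALL_GRAPH = {
    "app:main": ["app:load_config", "yamlpkg:safe_load", "imgpkg:resize"],
    "app:load_config": ["yamlpkg:safe_load"],
    "yamlpkg:safe_load": ["yamlpkg:parse"],
    "yamlpkg:load": ["yamlpkg:parse", "yamlpkg:construct_object"],  # present in the package, unused by app
    "yamlpkg:parse": [],
    "yamlpkg:construct_object": [],
    "imgpkg:resize": ["imgpkg:decode"],
    "imgpkg:decode": [],
    "imgpkg:exif": [],
}

# Constructed advisory data mapping a package to the functions an advisory actually affects
# (placeholder names, not real advisories).
VULNERABLE_FUNCTIONS = {
    "yamlpkg": {"yamlpkg:construct_object"},   # only reachable via yamlpkg:load
    "imgpkg": {"imgpkg:decode"},
}

def reachable(call_graph, entry_points):
    """Breadth-first walk; returns every function reachable from the given entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def package_level_findings(call_graph, vulns):
    """Manifest-style check: flag every advisory whose package appears anywhere in the graph."""
    used_packages = {node.split(":")[0] for node in call_graph}
    return {pkg for pkg in vulns if pkg in used_packages}

def callgraph_level_findings(call_graph, vulns, entry_points):
    """Callgraph check: flag a package only if one of its vulnerable functions is reachable."""
    live = reachable(call_graph, entry_points)
    return {pkg for pkg, fns in vulns.items() if fns & live}

if __name__ == "__main__":
    print(package_level_findings(CALL_GRAPH, VULNERABLE_FUNCTIONS))                  # {'yamlpkg', 'imgpkg'}
    print(callgraph_level_findings(CALL_GRAPH, VULNERABLE_FUNCTIONS, ["app:main"]))  # {'imgpkg'}
```

The yamlpkg finding is the false positive the callgraph eliminates; building a call graph this complete for real code (dynamic dispatch, reflection, plugins) is the hard part the page alludes to.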
Would not have thought that their relative usage is actually decreasing. Probably not for "serious projects" (now define what that means ...), though.
"While pull request usage is increasing overall, partially reflecting Github's growth, the relative number of repositories using the pull request model has decreased slightly."
This could easily be due to Alice's using GitHub for her own master's thesis and stuff ... :) Very unlikely to receive a pull request for these kinds of projects.