- The paper presents the first large-scale empirical analysis of library usage in agent-authored pull requests, revealing high import diversity and robust versioning practices.
- It employs rigorous parsing techniques on over 26,000 PRs across four major languages to assess patterns in standard versus external library imports.
- The study finds that while agents diversify library imports, they rarely add new dependencies, thereby ensuring improved dependency hygiene and lower security risks.
Empirical Analysis of Library Usage in Agent-Authored Pull Requests
Introduction
This study presents a comprehensive empirical analysis of external library usage in code generated by LLM-based coding agents in real-world GitHub workflows. As LLMs transition from aiding developers via completions to acting as autonomous software agents capable of planning and raising pull requests, understanding their interaction with software ecosystems becomes critical. Prior studies have highlighted key weaknesses of LLMs in non-agentic settings—hallucination of package names, use of deprecated APIs, and poor dependency hygiene—but have left the effect of agentic workflows on library usage largely unexamined. By mining 26,760 pull requests from the "rise-ai-teammates" dataset, this paper elucidates the landscape of library imports, dependency management, and ecosystem diversity in agent-authored contributions.
Dataset and Methodology
The dataset comprises nearly 34K PRs from 1,832 repositories, restricted to four programming languages: TypeScript/JavaScript, Python, Go, and C#. The selection covers the dominant ecosystems in the dataset, with repositories curated for popularity (≥100 GitHub stars) to ensure practical relevance and code quality. Data extraction is performed via language- and manifest-specific parsers, focusing on imported libraries visible in file diffs and explicit additions to dependency management files. Libraries are categorized as standard or external, and statistics are compiled on import frequency, versioning, and library diversity.
The methodological approach employs robust heuristics: only new or added import statements are recognized as agentic actions, and versioning is parsed per language-ecosystem conventions. The parsers are supported by comprehensive tests, mitigating extraction validity threats in the absence of full AST context.
Findings
Library Import Patterns
Coding agents import libraries in 29.5% of PRs, with significant variance by language:
- TypeScript/JavaScript and C#: High library import rates (40.0% and 45.5% respectively) and a strong preference for external libraries (especially in TypeScript/JavaScript, where external imports outnumber standard library usage 3.4:1).
- Python and Go: Python agents show balanced reliance on standard and external libraries, while Go agents are highly conservative, with a library import rate of only 12.6%—and a marked bias toward built-in solutions.
Agents collectively import 3,988 unique external libraries, substantially exceeding the low-diversity import patterns previously observed in non-agentic LLM code generation [twist-arxiv-LLM-code-bias]. This elevated diversity is particularly pronounced in JavaScript, reflecting ecosystem fragmentation and the prevalence of micro-packages.
Dependency Addition and Versioning
Despite frequent library imports, agents rarely introduce new dependencies—only 1.3% of PRs add libraries to project manifests. This rarity is most notable in Go (<0.1%) and Python (2.8%), but higher in C# (6.1%). When dependencies are added, agents exhibit strong version hygiene: explicit version constraints are present in 75.0% of cases, outperforming direct LLM-generated suggestions where versioning is virtually absent (~9%) [rajRoleLibraryVersions2024a]. Moreover, 1,119 unique dependencies are introduced across 2,128 new entries, signaling a lack of bias toward a preferred set and a tendency to establish developer tooling and testing infrastructure rather than expand runtime dependency graphs.
Functional Roles of Imported and Added Libraries
The most-commonly imported and newly added libraries reflect ecosystem expectations:
- Testing/Tooling Libraries: Ubiquitous in both imported and added sets across all languages. Test frameworks (e.g., pytest, xunit, github.com/stretchr/testify) comprise a significant (though not dominant) fraction of imports, but dominate among explicit new dependencies.
- Language/Ecosystem-Specific Packages: In TypeScript/JavaScript, agents favor front-end/UI and state management libraries (react, next, lucide-react). Python imports emphasize AI and data science packages (crewai, openai, numpy), while Go and C# focus on infrastructure, cloud, and UI frameworks.
This distribution indicates that agents primarily facilitate developer workflows—setting up scaffolding, tests, and auxiliary infrastructure—rather than inflating critical runtime dependency graphs, a pattern that aligns with mature development practices.
Implications
These results demonstrate that agentic LLM workflows exhibit significantly different library usage characteristics from single-prompt LLM completions. The high diversity of imports suggests that agents leverage richer project context and avoid strong biases toward a small set of conventions. The rare addition of new dependencies, coupled with strong version constraints, points to a conservative and robust approach to external library management, perhaps reflecting current agent limitations in reliably handling package installation and ecosystem tooling [aroraSetupBenchAssessingSoftware2025]. This behavioral shift has potentially positive implications for security and maintainability, reducing the risk of obsolete or vulnerable dependencies entering critical paths.
Theoretically, these findings challenge the assumption that LLMs necessarily overfit to common packages or oversample from training-set biases once situated in full-project, agentic workflows. Practically, they present evidence that agent-based programming assistants may gradually acquire more discipline in dependency hygiene than previous non-agentic usage suggested.
Limitations and Future Directions
The study is constrained to established agents, popular ecosystems, and repositories of moderate complexity. Extraction via line-based diff parsing, while validated, may miss edge cases or subtle dependency modifications. Additional research is warranted on the functional correctness and long-term evolution of agent-managed dependency graphs, as well as nuanced failure modes—such as library hallucination and use of deprecated APIs [twistLibraryHallucinationsLLMs2025, wangLLMsMeetLibrary2025]. Future work should also examine agents' handling of language-specific vulnerabilities (e.g., supply-chain attacks) and strategies for scalable library selection as agent autonomy increases.
Conclusion
This paper provides the first large-scale, empirical analysis of library usage by LLM-based coding agents in real-world PRs. Agents exhibit frequent library imports and a remarkably diverse ecosystem footprint, rarely add new dependencies, and adhere to robust versioning practices. These behaviors mark a departure from those documented for non-agentic LLMs, implying meaningful changes in code generation dynamics as software agents mature. Deeper investigations into the qualitative outcomes of library usage and potential security/maintenance risks will be critical as agentic coding workflows become more deeply integrated into software development pipelines.
