{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T21:54:14Z","timestamp":1753739654467,"version":"3.40.4"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2025,1,18]],"date-time":"2025-01-18T00:00:00Z","timestamp":1737158400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"},{"start":{"date-parts":[[2025,1,18]],"date-time":"2025-01-18T00:00:00Z","timestamp":1737158400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"}],"funder":[{"DOI":"10.13039\/501100009036","name":"Strategic International Collaborative Research Program","doi-asserted-by":"publisher","award":["JPMJSC2206"],"award-info":[{"award-number":["JPMJSC2206"]}],"id":[{"id":"10.13039\/501100009036","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001691","name":"Japan Society for the Promotion of Science","doi-asserted-by":"publisher","award":["JP23K16864"],"award-info":[{"award-number":["JP23K16864"]}],"id":[{"id":"10.13039\/501100001691","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002241","name":"Japan Science and Technology Agency","doi-asserted-by":"publisher","award":["JPMJBS2423"],"award-info":[{"award-number":["JPMJBS2423"]}],"id":[{"id":"10.13039\/501100002241","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,3]]},"DOI":"10.1007\/s10664-024-10599-6","type":"journal-article","created":{"date-parts":[[2025,1,18]],"date-time":"2025-01-18T07:43:05Z","timestamp":1737186185000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Developer reactions to protestware in open source software: the cases of color.js and es5.ext"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9372-2966","authenticated-orcid":false,"given":"Youmei","family":"Fan","sequence":"first","affiliation":[]},{"given":"Dong","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Supatsara","family":"Wattanakriengkrai","sequence":"additional","affiliation":[]},{"given":"Hathaichanok","family":"Damrongsiri","sequence":"additional","affiliation":[]},{"given":"Christoph","family":"Treude","sequence":"additional","affiliation":[]},{"given":"Hideaki","family":"Hata","sequence":"additional","affiliation":[]},{"given":"Raula Gaikovina","family":"Kula","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,1,18]]},"reference":[{"key":"10599_CR1","doi-asserted-by":"crossref","unstructured":"Aniche M, Treude C, Steinmacher I, Wiese I, Pinto G, Storey MA, Gerosa MA (2018) How modern news aggregators help development communities shape and share knowledge. In: Proceedings of the 40th international conference on software engineering, pp 499\u2013510","DOI":"10.1145\/3180155.3180180"},{"issue":"02","key":"10599_CR2","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1109\/MSEC.2022.3142464","volume":"20","author":"SM Bellovin","year":"2022","unstructured":"Bellovin SM (2022) Open source and trust. IEEE Secur Priv 20(02):107\u2013108","journal-title":"IEEE Secur Priv"},{"key":"10599_CR3","doi-asserted-by":"crossref","unstructured":"Borges H, Hora A, Valente MT (2016) Understanding the factors that impact the popularity of github repositories. In: 2016 IEEE international conference on software maintenance and evolution (ICSME), IEEE, pp 334\u2013344","DOI":"10.1109\/ICSME.2016.31"},{"key":"10599_CR4","doi-asserted-by":"crossref","unstructured":"Cheong M, Kula RG, Treude C (2023) Ethical considerations towards protestware. arXiv:2306.10019","DOI":"10.1109\/MS.2023.3344778"},{"key":"10599_CR5","unstructured":"Chinthanet B, Reid B, Treude C, Wagner M, Kula RG, Ishio T, Matsumoto K (2021) What makes a good node. JS package? investigating users, contributors, and runnability. arXiv:2106.12239"},{"key":"10599_CR6","unstructured":"Cogo FR, Oliva GA, Hassan AE (2019) An empirical study of dependency downgrades in the npm ecosystem. IEEE Trans Softw Eng 1\u20131"},{"key":"10599_CR7","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Claes M (2017) An empirical comparison of dependency issues in OSS packaging ecosystems. In: 2017 IEEE 24th International conference on software analysis, evolution and reengineering (SANER), pp 2\u201312","DOI":"10.1109\/SANER.2017.7884604"},{"key":"10599_CR8","doi-asserted-by":"publisher","unstructured":"Ferrario MA, Simm W, Newman P, Forshaw S, Whittle J (2014) Software engineering for \u2019social good\u2019: integrating action research, participatory design, and agile development. In: Companion Proceedings of the 36th international conference on software engineering, Association for Computing Machinery, New York, NY, USA, ICSE Companion 2014, p 520\u2013523, https:\/\/doi.org\/10.1145\/2591062.2591121,","DOI":"10.1145\/2591062.2591121"},{"key":"10599_CR9","doi-asserted-by":"publisher","unstructured":"Ferrario MA, Simm W, Newman P, Forshaw S, Whittle J (2014) Software engineering for \u2019social good\u2019: integrating action research, participatory design, and agile development. In: Companion Proceedings of the 36th international conference on software engineering, Association for Computing Machinery, New York, NY, USA, ICSE Companion 2014, pp 520\u2013523. https:\/\/doi.org\/10.1145\/2591062.2591121","DOI":"10.1145\/2591062.2591121"},{"key":"10599_CR10","unstructured":"Finifter M, Akhawe D, Wagner D (2013) An empirical study of vulnerability rewards programs. In: 22nd USENIX security symposium (USENIX Security 13), pp 273\u2013288"},{"key":"10599_CR11","doi-asserted-by":"crossref","unstructured":"Ghofrani J, Heravi P, Babaei KA, Soorati MD (2022) Trust challenges in reusing open source software: an interview-based initial study. In: Proceedings of the 26th ACM international systems and software product line conference-volume B, pp 110\u2013116","DOI":"10.1145\/3503229.3547061"},{"key":"10599_CR12","unstructured":"GitHub Cross-Reference (2023). https:\/\/docs.github.com\/en\/webhooks-and-events\/events\/issue-event-types#cross-referenced"},{"key":"10599_CR13","unstructured":"GitHub Reference (2023). https:\/\/docs.github.com\/en\/webhooks-and-events\/events\/issue-event-types#referenced"},{"key":"10599_CR14","doi-asserted-by":"crossref","unstructured":"Gonzalez D, Zimmermann T, Godefroid P, Sch\u00e4fer M (2021) Anomalicious: automated detection of anomalous and potentially malicious commits on github. In: 2021 IEEE\/ACM 43rd international conference on software engineering: software engineering in practice (ICSE-SEIP), IEEE, pp 258\u2013267","DOI":"10.1109\/ICSE-SEIP52600.2021.00035"},{"key":"10599_CR15","doi-asserted-by":"crossref","unstructured":"Hata H, Guo M, Babar MA (2017) Understanding the heterogeneity of contributors in bug bounty programs. In: 2017 ACM\/IEEE international symposium on empirical software engineering and measurement (ESEM), IEEE, pp 223\u2013228","DOI":"10.1109\/ESEM.2017.34"},{"key":"10599_CR16","doi-asserted-by":"crossref","unstructured":"Hata H, Treude C, Kula RG, Ishio T (2019) 9.6 Million links in source code comments: purpose, evolution, and decay. In: 2019 IEEE\/ACM 41st international conference on software engineering (ICSE), IEEE, pp 1211\u20131221","DOI":"10.1109\/ICSE.2019.00123"},{"key":"10599_CR17","doi-asserted-by":"crossref","unstructured":"He H, Xu Y, Ma Y, Xu Y, Liang G, Zhou M (2021) A multi-metric ranking approach for library migration recommendations. 2021 IEEE International Conference on Software Analysis. Evolution and Reengineering (SANER), IEEE, pp 72\u201383","DOI":"10.1109\/SANER50967.2021.00016"},{"issue":"1","key":"10599_CR18","doi-asserted-by":"publisher","first-page":"8","DOI":"10.1007\/s10664-022-10238-y","volume":"28","author":"F Hou","year":"2023","unstructured":"Hou F, Jansen S (2023) A systematic literature review on trust in the software ecosystem. Empir Softw Eng 28(1):8","journal-title":"Empir Softw Eng"},{"key":"10599_CR19","doi-asserted-by":"publisher","unstructured":"Huang Y, Ford D, Zimmermann T (2021) Leaving my fingerprints: motivations and challenges of contributing to oss for social good. In: 2021 IEEE\/ACM 43rd international conference on software engineering (ICSE), pp 1020\u20131032. https:\/\/doi.org\/10.1109\/ICSE43902.2021.00096","DOI":"10.1109\/ICSE43902.2021.00096"},{"issue":"6","key":"10599_CR20","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1177\/0022242918805411","volume":"82","author":"VK Kanuri","year":"2018","unstructured":"Kanuri VK, Chen Y, Sridhar S (2018) Scheduling content on social media: theory, evidence, and application. J Market 82(6):89\u2013108","journal-title":"J Market"},{"key":"10599_CR21","doi-asserted-by":"crossref","unstructured":"Krishnamurthy S, Tripathi AK (2006) Bounty programs in free\/libre\/open source software. In: The economics of open source software development, Elsevier, pp 165\u2013183","DOI":"10.1016\/B978-044452769-1\/50008-1"},{"key":"10599_CR22","doi-asserted-by":"crossref","unstructured":"Kula RG, Treude C (2022) In war and peace: the impact of world politics on software ecosystems. In: Proceedings of the 30th ACM joint European software engineering conference and symposium on the foundations of software engineering, pp 1600\u20131604","DOI":"10.1145\/3540250.3560882"},{"key":"10599_CR23","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? an empirical study on the impact of security advisories on library migration. Empir Softw Eng 23:384\u2013417","journal-title":"Empir Softw Eng"},{"issue":"2","key":"10599_CR24","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1093\/cybsec\/tyx008","volume":"3","author":"T Maillart","year":"2017","unstructured":"Maillart T, Zhao M, Grossklags J, Chuang J (2017) Given enough eyeballs, all bugs are shallow? revisiting eric raymond with bug bounty programs. J Cybersecur 3(2):81\u201390","journal-title":"J Cybersecur"},{"issue":"5","key":"10599_CR25","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1109\/MSEC.2022.3185845","volume":"20","author":"F Massacci","year":"2022","unstructured":"Massacci F, Sabetta A, Mirkovic J, Murray T, Okhravi H, Mannan M, Rocha A, Bodden E, Geer DE (2022) \u201cFree\" as in freedom to protest? IEEE Secur Priv 20(5):16\u201321","journal-title":"IEEE Secur Priv"},{"key":"10599_CR26","doi-asserted-by":"crossref","unstructured":"Miller C, Cohen S, Klug D, Vasilescu B, KaUstner C (2022) \u201c Did you miss my comment or what?\u201d understanding toxicity in open source discussions. In: Proceedings of the 44th international conference on software engineering, pp 710\u2013722","DOI":"10.1145\/3510003.3510111"},{"key":"10599_CR27","doi-asserted-by":"crossref","unstructured":"Ohm M, Plate H, Sykosch A, Meier M (2020a) Backstabber\u2019s knife collection: a review of open source software supply chain attacks. In: Detection of intrusions and malware, and vulnerability assessment: 17th international conference, DIMVA 2020, Lisbon, Portugal, June 24\u201326, 2020, Proceedings 17, Springer, pp 23\u201343","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"10599_CR28","doi-asserted-by":"crossref","unstructured":"Ohm M, Sykosch A, Meier M (2020b) Towards detection of software supply chain attacks by forensic artifacts. In: Proceedings of the 15th international conference on availability, reliability and security, pp 1\u20136","DOI":"10.1145\/3407023.3409183"},{"key":"10599_CR29","first-page":"1320","volume":"10","author":"A Pak","year":"2010","unstructured":"Pak A, Paroubek P et al (2010) Twitter as a corpus for sentiment analysis and opinion mining. LREc 10:1320\u20131326","journal-title":"LREc"},{"key":"10599_CR30","doi-asserted-by":"crossref","unstructured":"Pearson K (1900) X. on the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling. The London, Edinburgh, and Dublin Philosophical Magazine and Journal of Science 50(302):157\u2013175","DOI":"10.1080\/14786440009463897"},{"key":"10599_CR31","unstructured":"Sachs J, the Faker\u00a0Team (2022) An update from the Faker team | Faker \u2014 fakerjs.dev. https:\/\/fakerjs.dev\/about\/announcements\/2022-01-14.html. Accessed 20-Jul-2023"},{"key":"10599_CR32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s40537-020-00318-5","volume":"7","author":"IH Sarker","year":"2020","unstructured":"Sarker IH, Kayes A, Badsha S, Alqahtani H, Watters P, Ng A (2020) Cybersecurity data science: an overview from machine learning perspective. J Big data 7:1\u201329","journal-title":"J Big data"},{"key":"10599_CR33","doi-asserted-by":"crossref","unstructured":"Scalco S, Paramitha R, Vu DL, Massacci F (2022) On the feasibility of detecting injections in malicious npm packages. In: Proceedings of the 17th international conference on availability, reliability and security, pp 1\u20138","DOI":"10.1145\/3538969.3543815"},{"key":"10599_CR34","doi-asserted-by":"crossref","unstructured":"Sejfia A, Sch\u00e4fer M (2022) Practical automated detection of malicious NPM packages. In: Proceedings of the 44th international conference on software engineering, pp 1681\u20131692","DOI":"10.1145\/3510003.3510104"},{"key":"10599_CR35","doi-asserted-by":"crossref","unstructured":"Shimada N, Xiao T, Hata H, Treude C, Matsumoto K (2022) Github sponsors: exploring a new way to contribute to open source. In: Proceedings of the 44th international conference on software engineering, pp 1058\u20131069","DOI":"10.1145\/3510003.3510116"},{"key":"10599_CR36","unstructured":"SSonatype (2021) State of the software supply chain report. https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021"},{"key":"10599_CR37","first-page":"360","volume":"37","author":"AJ Viera","year":"2005","unstructured":"Viera AJ, Garrett JM (2005) Understanding interobserver agreement: the kappa statistic. Fam Med 37:360\u2013363","journal-title":"Fam Med"},{"key":"10599_CR38","doi-asserted-by":"crossref","unstructured":"Vu DL, Pashchenko I, Massacci F, Plate H, Sabetta A (2020) Towards using source code repositories to identify software supply chain attacks. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 2093\u20132095","DOI":"10.1145\/3372297.3420015"},{"key":"10599_CR39","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-09997-x","volume":"26","author":"D Wang","year":"2021","unstructured":"Wang D, Xiao T, Thongtanunam P, Kula RG, Matsumoto K (2021) Understanding shared links and their intentions to meet information needs in modern code review: a case study of the openstack and qt projects. Empir Softw Eng 26:1\u201332","journal-title":"Empir Softw Eng"},{"issue":"5","key":"10599_CR40","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/s10664-023-10336-5","volume":"28","author":"D Wang","year":"2023","unstructured":"Wang D, Xiao T, Son T, Kula RG, Ishio T, Kamei Y, Matsumoto K (2023) More than react: investigating the role of emoji reaction in github pull requests. Empir Softw Eng 28(5):123","journal-title":"Empir Softw Eng"},{"key":"10599_CR41","doi-asserted-by":"publisher","unstructured":"Wattanakriengkrai S, Wang D, Kula RG, Treude C, Thongtanunam P, Ishio T, Matsumoto K (2022) Giving back: contributions congruent to library dependency changes in a software ecosystem. IEEE Trans Softw Eng 1\u201313. https:\/\/doi.org\/10.1109\/TSE.2022.3225197","DOI":"10.1109\/TSE.2022.3225197"},{"key":"10599_CR42","doi-asserted-by":"crossref","unstructured":"Wittern E, Suter P, Rajagopalan S (2016) A look at the dynamics of the javascript package ecosystem. In: Proceedings of the 13th international conference on mining software repositories, pp 351\u2013361","DOI":"10.1145\/2901739.2901743"},{"key":"10599_CR43","doi-asserted-by":"crossref","unstructured":"Zahan N, Zimmermann T, Godefroid P, Murphy B, Maddila C, Williams L (2022) What are weak links in the NPM supply chain? In: Proceedings of the 44th international conference on software engineering: software engineering in practice, pp 331\u2013340","DOI":"10.1145\/3510457.3513044"},{"key":"10599_CR44","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1007\/s10664-019-09744-3","volume":"25","author":"J Zhou","year":"2020","unstructured":"Zhou J, Wang S, Bezemer CP, Hassan AE (2020) Bounties on technical q &a sites: a case study of stack overflow bounties. Empir Softw Eng 25:139\u2013177","journal-title":"Empir Softw Eng"},{"issue":"12","key":"10599_CR45","doi-asserted-by":"publisher","first-page":"2919","DOI":"10.1109\/TSE.2020.2974469","volume":"47","author":"J Zhou","year":"2020","unstructured":"Zhou J, Wang S, Bezemer CP, Zou Y, Hassan AE (2020) Studying the association between bountysource bounties and the issue-addressing likelihood of github issue reports. IEEE Trans Softw Eng 47(12):2919\u20132933","journal-title":"IEEE Trans Softw Eng"},{"key":"10599_CR46","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-10060-y","volume":"27","author":"J Zhou","year":"2022","unstructured":"Zhou J, Wang S, Kamei Y, Hassan AE, Ubayashi N (2022) Studying donations and their expenses in open source projects: a case study of github projects collecting donations through open collectives. Empir Softw Eng 27:1\u201338","journal-title":"Empir Softw Eng"},{"key":"10599_CR47","unstructured":"Zimmermann M, Staicu CA, Tenny C, Pradel M (2019) Small world with high risks: a study of security threats in the npm ecosystem. In: 28th USENIX security symposium (USENIX Security 19), pp 995\u20131010"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10599-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-024-10599-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10599-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,2]],"date-time":"2025-05-02T13:45:42Z","timestamp":1746193542000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-024-10599-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,18]]},"references-count":47,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,3]]}},"alternative-id":["10599"],"URL":"https:\/\/doi.org\/10.1007\/s10664-024-10599-6","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"type":"print","value":"1382-3256"},{"type":"electronic","value":"1573-7616"}],"subject":[],"published":{"date-parts":[[2025,1,18]]},"assertion":[{"value":"26 November 2024","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 January 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that Raula Gaikovina Kula, Hideaki Hata, and Christoph Treude are members of the EMSE Editorial Board. All co-authors have seen and agree with the contents of the manuscript and there is no financial interest to report.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}}],"article-number":"56"}}