{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T13:01:43Z","timestamp":1777899703548,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,10,30]],"date-time":"2020-10-30T00:00:00Z","timestamp":1604016000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100007601","name":"Horizon 2020","doi-asserted-by":"publisher","award":["675320, 830929"],"award-info":[{"award-number":["675320, 830929"]}],"id":[{"id":"10.13039\/501100007601","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,10,30]]},"DOI":"10.1145\/3372297.3417232","type":"proceedings-article","created":{"date-parts":[[2021,3,4]],"date-time":"2021-03-04T16:21:21Z","timestamp":1614874881000},"page":"1513-1531","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":75,"title":["A Qualitative Study of Dependency Management and Its Security Implications"],"prefix":"10.1145","author":[{"given":"Ivan","family":"Pashchenko","sequence":"first","affiliation":[{"name":"University of Trento, Trento, Italy"}]},{"given":"Duc-Ly","family":"Vu","sequence":"additional","affiliation":[{"name":"University of Trento, Trento, Italy"}]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[{"name":"University of Trento &amp; Vrije Universiteit Amsterdam, Trento, Italy"}]}],"member":"320","published-online":{"date-parts":[[2020,11,2]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"Developers of popular software projects are overloaded by the requests from academic researchers. (2018). 
Suggested during a personal communication with the authors at ESEM'2018","author":"Adams B.","unstructured":"B. Adams . 2018. Developers of popular software projects are overloaded by the requests from academic researchers. (2018). Suggested during a personal communication with the authors at ESEM'2018 . B. Adams. 2018. Developers of popular software projects are overloaded by the requests from academic researchers. (2018). Suggested during a personal communication with the authors at ESEM'2018."},{"key":"e_1_3_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2016.01.005"},{"key":"e_1_3_2_2_3_1","volume-title":"Proc. of CHI'19","author":"Assal Hala","year":"2019","unstructured":"Hala Assal and Sonia Chiasson . 2019 . ' Think secure from the beginning' A Survey with Software Developers . In Proc. of CHI'19 . 1--13. Hala Assal and Sonia Chiasson. 2019. 'Think secure from the beginning' A Survey with Software Developers. In Proc. of CHI'19. 1--13."},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-28872-2_22"},{"key":"e_1_3_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806821"},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASEW.2015.21"},{"key":"e_1_3_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950325"},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2015.7081868"},{"key":"e_1_3_2_2_9_1","volume-title":"Proc. of ICSE'15 (ICSE '15)","author":"Cox Jo\u00ebl","year":"1900","unstructured":"Jo\u00ebl Cox , Eric Bouwers , Marko van Eekelen , and Joost Visser . 2015. Measuring Dependency Freshness in Software Systems . In Proc. of ICSE'15 (ICSE '15) . IEEE Press , Piscataway, NJ, USA , 109--118. http:\/\/dl.acm.org\/citation.cfm?id=28 1900 9.2819027 Jo\u00ebl Cox, Eric Bouwers, Marko van Eekelen, and Joost Visser. 2015. Measuring Dependency Freshness in Software Systems. In Proc. of ICSE'15 (ICSE '15). IEEE Press, Piscataway, NJ, USA, 109--118. 
http:\/\/dl.acm.org\/citation.cfm?id=2819009.2819027"},{"key":"e_1_3_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368122"},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134059"},{"key":"e_1_3_2_2_12_1","volume-title":"Snowball sampling. AOMS","author":"Goodman Leo A","year":"1961","unstructured":"Leo A Goodman . 1961. Snowball sampling. AOMS ( 1961 ), 148--170. Leo A Goodman. 1961. Snowball sampling. AOMS (1961), 148--170."},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.2014.0554"},{"key":"e_1_3_2_2_14_1","volume-title":"Applied thematic analysis","author":"Guest Greg","unstructured":"Greg Guest , Kathleen M MacQueen , and Emily E Namey . 2011. Applied thematic analysis . Sage . Greg Guest, Kathleen M MacQueen, and Emily E Namey. 2011. Applied thematic analysis .Sage."},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238197"},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501585.2501586"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.4301\/S1807-17752012000100002"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1002\/smr.1863"},{"key":"e_1_3_2_2_19_1","unstructured":"JI Hejderup. 2015. In dependencies we trust: How vulnerable are dependencies in software modules? (2015).  JI Hejderup. 2015. In dependencies we trust: How vulnerable are dependencies in software modules? (2015)."},{"key":"e_1_3_2_2_20_1","volume-title":"Proc. of EuroS&P'19","author":"Huang J.","unstructured":"J. Huang , N. Borges , S. Bugiel , and M. Backes . 2019. Up-To-Crash: Evaluating Third-Party Library Updatability on Android . In Proc. of EuroS&P'19 . 15--30. J. Huang, N. Borges, S. Bugiel, and M. Backes. 2019. Up-To-Crash: Evaluating Third-Party Library Updatability on Android. In Proc. of EuroS&P'19. 
15--30."},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.55"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.45"},{"key":"e_1_3_2_2_24_1","volume-title":"Analyzing grammar: An introduction","author":"Kroeger Paul R","unstructured":"Paul R Kroeger . 2005. Analyzing grammar: An introduction . Cambridge University Press . Paul R Kroeger. 2005. Analyzing grammar: An introduction .Cambridge University Press."},{"key":"e_1_3_2_2_25_1","volume-title":"Do developers update their library dependencies? Emp. Soft. Eng. Journ. (11","author":"Kula Raula Gaikovina","year":"2017","unstructured":"Raula Gaikovina Kula , Daniel M. German , Ali Ouni , Takashi Ishio , and Katsuro Inoue . 2017. Do developers update their library dependencies? Emp. Soft. Eng. Journ. (11 May 2017 ). https:\/\/doi.org\/10.1007\/s10664-017--9521--5 10.1007\/s10664-017--9521--5 Raula Gaikovina Kula, Daniel M. German, Ali Ouni, Takashi Ishio, and Katsuro Inoue. 2017. Do developers update their library dependencies? Emp. Soft. Eng. Journ. (11 May 2017). https:\/\/doi.org\/10.1007\/s10664-017--9521--5"},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23414"},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2013.43"},{"key":"e_1_3_2_2_28_1","unstructured":"SS Jeremy Long. 2015. Owasp dependency check.  SS Jeremy Long. 2015. Owasp dependency check."},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.42"},{"key":"e_1_3_2_2_30_1","volume-title":"Forum qualitative Sozialforschung\/Forum: qualitative social research","author":"Mason Mark","unstructured":"Mark Mason . 2010. Sample size and saturation in PhD studies using qualitative interviews . In Forum qualitative Sozialforschung\/Forum: qualitative social research , Vol. 11 . Mark Mason. 2010. 
Sample size and saturation in PhD studies using qualitative interviews. In Forum qualitative Sozialforschung\/Forum: qualitative social research, Vol. 11."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115621"},{"key":"e_1_3_2_2_32_1","volume-title":"Factors and actors leading to the adoption of a JavaScript framework. Empirical Software Engineering","author":"Pano Amantia","year":"2018","unstructured":"Amantia Pano , Daniel Graziotin , and Pekka Abrahamsson . 2018. Factors and actors leading to the adoption of a JavaScript framework. Empirical Software Engineering ( 2018 ), 1--32. Amantia Pano, Daniel Graziotin, and Pekka Abrahamsson. 2018. Factors and actors leading to the adoption of a JavaScript framework. Empirical Software Engineering (2018), 1--32."},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3268920"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2145204.2145408"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00054"},{"key":"e_1_3_2_2_37_1","volume-title":"The coding manual for qualitative researchers","author":"Johnny Salda","unstructured":"Johnny Salda na. 2015. The coding manual for qualitative researchers . Sage . Johnny Salda na. 2015. The coding manual for qualitative researchers .Sage."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2014.09.003"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2008.26"},{"key":"e_1_3_2_2_40_1","volume-title":"Basics of qualitative research","author":"Strauss Anselm","unstructured":"Anselm Strauss and Juliet Corbin . 1990. Basics of qualitative research . Sage . Anselm Strauss and Juliet Corbin. 1990. 
Basics of qualitative research. Sage."},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2010.06.043"},{"key":"e_1_3_2_2_42_1","volume-title":"Security Rationale. In Proc. of ICSE'20","author":"van der Linden Dirk","year":"2020","unstructured":"Dirk van der Linden , Mark Levine , and John Towse . 2020 . Schr\u00f6dinger's Security: Opening the Box on App Developers? Security Rationale. In Proc. of ICSE'20 . IEEE. Dirk van der Linden, Mark Levine, and John Towse. 2020. Schr\u00f6dinger's Security: Opening the Box on App Developers? Security Rationale. In Proc. of ICSE'20. IEEE."},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2018.8330195"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2901743"},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2012.6405287"},{"key":"e_1_3_2_2_46_1","volume-title":"Qualitative research from start to finish","author":"Yin Robert K","unstructured":"Robert K Yin . 2015. Qualitative research from start to finish . Guilford Publications . Robert K Yin. 2015. Qualitative research from start to finish. 
Guilford Publications."}],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event USA","acronym":"CCS '20","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417232","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372297.3417232","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:33:25Z","timestamp":1750199605000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417232"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,10,30]]},"references-count":46,"alternative-id":["10.1145\/3372297.3417232","10.1145\/3372297"],"URL":"https:\/\/doi.org\/10.1145\/3372297.3417232","relation":{},"subject":[],"published":{"date-parts":[[2020,10,30]]},"assertion":[{"value":"2020-11-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}