{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T10:50:52Z","timestamp":1778151052886,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":45,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,5,21]],"date-time":"2022-05-21T00:00:00Z","timestamp":1653091200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,5,21]]},"DOI":"10.1145\/3510003.3510168","type":"proceedings-article","created":{"date-parts":[[2022,7,5]],"date-time":"2022-07-05T22:42:59Z","timestamp":1657060979000},"page":"2415-2426","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["What the fork?"],"prefix":"10.1145","author":[{"given":"Elizabeth","family":"Wyss","sequence":"first","affiliation":[{"name":"University of Kansas"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lorenzo","family":"De Carli","sequence":"additional","affiliation":[{"name":"Worcester Polytechnic Institute"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Drew","family":"Davidson","sequence":"additional","affiliation":[{"name":"University of Kansas"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,7,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2021. Executive Order on Improving the Nation's Cybersecurity. https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/."},{"key":"e_1_3_2_1_2_1","unstructured":"2021. Fork a Repo. https:\/\/docs.github.com\/en\/get-started\/quickstart\/fork-a-repo"},{"key":"e_1_3_2_1_3_1","unstructured":"2021. Grafeas Kritis. https:\/\/github.com\/grafeas\/kritis"},{"key":"e_1_3_2_1_4_1","unstructured":"2021. OSSF Package Feeds. https:\/\/github.com\/ossf\/package-feeds"},{"key":"e_1_3_2_1_5_1","unstructured":"2022. Open Science Framework. https:\/\/osf.io"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Saed Alrabaee Paria Shirani Lingyu Wang Mourad Debbabi and Aiman Hanna. 2018. On Leveraging Coding Habits for Effective Binary Authorship Attribution. In ESORICS.","DOI":"10.1007\/978-3-319-99073-6_2"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.70725"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Steven Burrows Alexandra L. Uitdenbogerd and Andrew Turpin. 2009. Application of Information Retrieval Techniques for Source Code Authorship Attribution. In DASFAA.","DOI":"10.1007\/978-3-642-00887-0_61"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"crossref","unstructured":"Mircea Cadariu Eric Bouwers Joost Visser and Arie van Deursen. 2015. Tracking known security vulnerabilities in proprietary software systems. In SANER.","DOI":"10.1109\/SANER.2015.7081868"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Aylin Caliskan Fabian Yamaguchi Edwin Dauber Richard Harang Konrad Rieck Rachel Greenstadt and Arvind Narayanan. 2018. When Coding Style Survives Compilation: De-Anonymizing Programmers from Executable Binaries. In NDSS.","DOI":"10.14722\/ndss.2018.23304"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196465"},{"key":"e_1_3_2_1_15_1","unstructured":"Erik DeBill. 2021. Modulecounts. http:\/\/www.modulecounts.com\/"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"crossref","unstructured":"Daniel M German Bram Adams and Ahmed E Hassan. 2013. The evolution of the R software ecosystem. In CSMR.","DOI":"10.1109\/CSMR.2013.33"},{"key":"e_1_3_2_1_20_1","unstructured":"Joseph Hejderup. 2015. In Dependencies We Trust: How vulnerable are dependencies in software modules? Master's thesis. Delft University of Technology."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.19"},{"key":"e_1_3_2_1_22_1","volume-title":"DECKARD: Scalable and Accurate Tree-Based Detection of Code Clones. In ICSE. 96--105.","author":"Jiang Lingxiao","year":"2007","unstructured":"Lingxiao Jiang, Ghassan Misherghi, Zhendong Su, and Stephane Glondu. 2007. DECKARD: Scalable and Accurate Tree-Based Detection of Code Clones. In ICSE. 96--105."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3292577"},{"key":"e_1_3_2_1_24_1","unstructured":"Dulanka Karunasena. 2021. How I Analyzed All NPM Dependency Licenses in One Go. https:\/\/blog.bitsrc.io\/how-i-analyzed-all-npm-dependency-licenses-in-one-go-18de0f7244bc"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081706.1081737"},{"key":"e_1_3_2_1_26_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020","author":"Koishybayev Igibek","year":"2020","unstructured":"Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association, San Sebastian, 121--134. https:\/\/www.usenix.org\/conference\/raid2020\/presentation\/koishybayev"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"crossref","unstructured":"R. G. Kula C. D. Roover D. German T. Ishio and K. Inoue. 2014. Visualizing the Evolution of Systems and Their Library Dependencies. In IEEE VISSOFT.","DOI":"10.1109\/VISSOFT.2014.29"},{"key":"e_1_3_2_1_28_1","volume-title":"Diplomat: Using delegations to protect community repositories. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 567--581.","author":"Kuppusamy Trishank Karthik","year":"2016","unstructured":"Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016. Diplomat: Using delegations to protect community repositories. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 567--581."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468564"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196438"},{"key":"e_1_3_2_1_31_1","unstructured":"NPM Blog Archive 2020. Npm Blog Archive: A Day in the Life of Npm Security. https:\/\/blog.npmjs.org\/post\/190665497245\/a-day-in-the-life-of-npm-security.html"},{"key":"e_1_3_2_1_32_1","unstructured":"npm-registry-fetch-advisory npmjs.com. [n. d.]. npm advisory 1544. https:\/\/www.npmjs.com\/advisories\/1544."},{"key":"e_1_3_2_1_33_1","unstructured":"npm-download-count npmjs.org. [n. d.]. numeric precision matters: how npm download counts work (accessed 02\/2021). https:\/\/blog.npmjs.org\/post\/92574016600\/numeric-precision-matters-how-npm-download-counts-work."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Brian Pfretzschner and Lotfi ben Othmane. 2017. Identification of Dependency-based Attacks on Node.Js. In ARES.","DOI":"10.1145\/3098954.3120928"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"crossref","unstructured":"H. Plate S. E. Ponta and A. Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. In ICSME.","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"crossref","unstructured":"Steven Raemaekers Arie van Deursen and Joost Visser. 2013. The maven repository dataset of metrics changes and dependencies. In MSR.","DOI":"10.1109\/MSR.2013.6624031"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/872757.872770"},{"key":"e_1_3_2_1_38_1","unstructured":"Randy Smith and Susan Horwitz. 2009. Detecting and Measuring Similarity in Code Clones. In IWSC. 7."},{"key":"e_1_3_2_1_39_1","volume-title":"Defending Against Package Typosquatting. In International Conference on Network and System Security. Springer, 112--131","author":"Taylor Matthew","year":"2020","unstructured":"Matthew Taylor, Ruturaj Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. Defending Against Package Typosquatting. In International Conference on Network and System Security. Springer, 112--131."},{"key":"e_1_3_2_1_40_1","volume-title":"Dependencies: No Software is an Island. Master's thesis","author":"Tellnes J\u00f8rgen","year":"2013","unstructured":"J\u00f8rgen Tellnes. 2013. Dependencies: No Software is an Island. Master's thesis. The University of Bergen."},{"key":"e_1_3_2_1_41_1","volume-title":"Drew Davidson, and Vaibhav Rastogi.","author":"Vaidya Ruturaj K.","year":"2019","unstructured":"Ruturaj K. Vaidya, Lorenzo De Carli, Drew Davidson, and Vaibhav Rastogi. 2019. Security Issues in Language-based Sofware Ecosystems. CoRR abs\/1903.02613 (2019). arXiv:1903.02613 http:\/\/arxiv.org\/abs\/1903.02613"},{"key":"e_1_3_2_1_42_1","volume-title":"Detecting Code Clones with Graph Neural Network and Flow-Augmented Abstract Syntax Tree","author":"Wang Wenhan","unstructured":"Wenhan Wang, Ge Li, Bo Ma, Xin Xia, and Zhi Jin. 2020. Detecting Code Clones with Graph Neural Network and Flow-Augmented Abstract Syntax Tree. In IEEE SANER. 261--271."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Erik Wittern Philippe Suter and Shriram Rajagopalan. 2016. A look at the dynamics of the JavaScript package ecosystem. In MSR.","DOI":"10.1145\/2901739.2901743"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"A. A. Younis Y. K. Malaiya and I. Ray. 2014. Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability. In HASE.","DOI":"10.1109\/HASE.2014.10"},{"key":"e_1_3_2_1_45_1","volume-title":"Neural Detection of Semantic Code Clones Via Tree-Based Convolution","author":"Yu Hao","unstructured":"Hao Yu, Wing Lam, Long Chen, Ge Li, Tao Xie, and Qianxiang Wang. 2019. Neural Detection of Semantic Code Clones Via Tree-Based Convolution. In IEEE\/ACM ICPC. 70--80."},{"key":"e_1_3_2_1_46_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010.","author":"Zimmermann Markus","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010."}],"event":{"name":"ICSE '22: 44th International Conference on Software Engineering","location":"Pittsburgh Pennsylvania","acronym":"ICSE '22","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 44th International Conference on Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3510003.3510168","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3510003.3510168","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:10:25Z","timestamp":1750183825000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3510003.3510168"}},"subtitle":["finding hidden code clones in npm"],"short-title":[],"issued":{"date-parts":[[2022,5,21]]},"references-count":45,"alternative-id":["10.1145\/3510003.3510168","10.1145\/3510003"],"URL":"https:\/\/doi.org\/10.1145\/3510003.3510168","relation":{},"subject":[],"published":{"date-parts":[[2022,5,21]]},"assertion":[{"value":"2022-07-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}