{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T11:24:16Z","timestamp":1783596256465,"version":"3.55.0"},"publisher-location":"New York, NY, USA","reference-count":42,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,4,12]],"date-time":"2026-04-12T00:00:00Z","timestamp":1775952000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,4,12]]},"DOI":"10.1145\/3794860.3794908","type":"proceedings-article","created":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T10:48:58Z","timestamp":1783594138000},"page":"272-282","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Understanding npm Developers\u2019 Practices, Challenges, and Recommendations for Secure Package Development"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2585-657X","authenticated-orcid":false,"given":"Anthony","family":"Peruma","sequence":"first","affiliation":[{"name":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-6336-7873","authenticated-orcid":false,"given":"Truman","family":"Choy","sequence":"additional","affiliation":[{"name":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-4569-3950","authenticated-orcid":false,"given":"Gerald","family":"Lee","sequence":"additional","affiliation":[{"name":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7545-6104","authenticated-orcid":false,"given":"Italo De Oliveira","family":"Santos","sequence":"additional","affiliation":[{"name":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,7,9]]},"reference":[{"key":"e_1_3_3_2_2_2","unstructured":"2024. Regulation - 2024\/2847 - EN - EUR-Lex. https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:32024R2847"},{"key":"e_1_3_3_2_3_2","unstructured":"2026. Artifact Package. https:\/\/doi.org\/10.6084\/m9.figshare.30433060."},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/saner50967.2021.00048"},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","unstructured":"David Armstrong Ann Gosling John Weinman and Theresa Marteau. 1997. The Place of Inter-Rater Reliability in Qualitative Research: An Empirical Study. Sociology 31 3 (Aug. 1997) 597\u2013606. 10.1177\/0038038597031003015","DOI":"10.1177\/0038038597031003015"},{"key":"e_1_3_3_2_7_2","doi-asserted-by":"publisher","unstructured":"Hala Assal Srivathsan\u00a0G Morkonda Muhammad\u00a0Zaid Arif and Sonia Chiasson. 2025. Software security in practice: knowledge and motivation. Journal of Cybersecurity 11 1 (2025). 10.1093\/cybsec\/tyaf005","DOI":"10.1093\/cybsec\/tyaf005"},{"key":"e_1_3_3_2_8_2","doi-asserted-by":"publisher","unstructured":"Sebastian Baltes and Paul Ralph. 2022. Sampling in software engineering research: a critical review and guidelines. Empirical Software Engineering 27 4 (28 Apr 2022) 94. 10.1007\/s10664-021-10072-8","DOI":"10.1007\/s10664-021-10072-8"},{"key":"e_1_3_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950325"},{"key":"e_1_3_3_2_10_2","doi-asserted-by":"publisher","unstructured":"John\u00a0L. Campbell Charles Quincy Jordan Osserman and Ove\u00a0K. Pedersen. 2013. Coding In-depth Semistructured Interviews: Problems of Unitization and Intercoder Reliability and Agreement. Sociological Methods&; Research 42 3 (Aug. 2013) 294\u2013320. 10.1177\/0049124113500475","DOI":"10.1177\/0049124113500475"},{"key":"e_1_3_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196465"},{"key":"e_1_3_3_2_12_2","doi-asserted-by":"publisher","unstructured":"Md\u00a0Atique\u00a0Reza Chowdhury Rabe Abdalkareem Emad Shihab and Bram Adams. 2022. On the Untriviality of Trivial Packages: An Empirical Study of npm JavaScript Packages. IEEE Transactions on Software Engineering 48 8 (2022) 2695\u20132708. 10.1109\/TSE.2021.3068901","DOI":"10.1109\/TSE.2021.3068901"},{"key":"e_1_3_3_2_13_2","doi-asserted-by":"publisher","unstructured":"Javier\u00a0Luis C\u00e1novas\u00a0Izquierdo and Jordi Cabot. 2021. On the analysis of non-coding roles in open source development: An empirical study of NPM package projects. Empirical Software Engineering 27 1 (Nov. 2021). 10.1007\/s10664-021-10061-x","DOI":"10.1007\/s10664-021-10061-x"},{"key":"e_1_3_3_2_14_2","first-page":"181","volume-title":"2018 IEEE\/ACM 15th International Conference on Mining Software Repositories (MSR)","author":"Decan Alexandre","year":"2018","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the Impact of Security Vulnerabilities in the npm Package Dependency Network. In 2018 IEEE\/ACM 15th International Conference on Mining Software Repositories (MSR). 181\u2013191."},{"key":"e_1_3_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3273934.3273942"},{"key":"e_1_3_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3382494.3410685"},{"key":"e_1_3_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833756"},{"key":"e_1_3_3_2_18_2","unstructured":"Mark Kasunic. 2005. Designing an effective survey."},{"key":"e_1_3_3_2_19_2","doi-asserted-by":"publisher","unstructured":"Barbara\u00a0A. Kitchenham and Shari\u00a0Lawrence Pfleeger. 2002. Principles of survey research: part 3: constructing a survey instrument. SIGSOFT Softw. Eng. Notes 27 2 (Mar 2002) 20\u201324. 10.1145\/511152.511155","DOI":"10.1145\/511152.511155"},{"key":"e_1_3_3_2_20_2","unstructured":"Johan Lin\u00e5ker Sardar\u00a0Muhammad Sulaman Rafael\u00a0Maiani de Mello and Martin H\u00f6st. 2015. Guidelines for conducting surveys in software engineering. (2015)."},{"key":"e_1_3_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"e_1_3_3_2_22_2","doi-asserted-by":"publisher","unstructured":"Tamara Lopez Helen Sharp Arosha Bandara Thein Tun Mark Levine and Bashar Nuseibeh. 2023. Security Responses in Software Development. ACM Transactions on Software Engineering and Methodology 32 3 (April 2023) 1\u201329. 10.1145\/3563211","DOI":"10.1145\/3563211"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/icse55347.2025.00004"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","unstructured":"Jefferson\u00a0Seide Moll\u00e9ri Kai Petersen and Emilia Mendes. 2020. An empirically evaluated checklist for surveys in software engineering. Information and Software Technology 119 (2020) 106240. 10.1016\/j.infsof.2019.106240","DOI":"10.1016\/j.infsof.2019.106240"},{"key":"e_1_3_3_2_25_2","unstructured":"Palo\u00a0Alto Networks. 2025. Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk. https:\/\/www.paloaltonetworks.com\/blog\/cloud-security\/npm-supply-chain-attack\/"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/icsme58944.2024.00081"},{"key":"e_1_3_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/icsme58944.2024.00055"},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"publisher","unstructured":"Irum Rauf Marian Petre Thein Tun Tamara Lopez Paul Lunn Dirk Van Der\u00a0Linden John Towse Helen Sharp Mark Levine Awais Rashid and Bashar Nuseibeh. 2021. The Case for Adaptive Security Interventions. ACM Transactions on Software Engineering and Methodology 31 1 (Sept. 2021) 1\u201352. 10.1145\/3471930","DOI":"10.1145\/3471930"},{"key":"e_1_3_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623122"},{"key":"e_1_3_3_2_31_2","doi-asserted-by":"publisher","unstructured":"Donald\u00a0G. Saari. 2022. Selecting a voting method: the case for the Borda count. Constitutional Political Economy 34 3 (Dec. 2022) 357\u2013366. 10.1007\/s10602-022-09380-y","DOI":"10.1007\/s10602-022-09380-y"},{"key":"e_1_3_3_2_32_2","doi-asserted-by":"crossref","unstructured":"Amirali Sajadi Binh Le Anh Nguyen Kostadin Damevski and Preetha Chatterjee. 2025. Do LLMs consider security? an empirical study on responses to programming questions. Empirical Software Engineering 30 3 (2025) 101.","DOI":"10.1007\/s10664-025-10658-6"},{"key":"e_1_3_3_2_33_2","unstructured":"socket.dev\/. 2024. npm in Review: A 2023 Retrospective on Growth Security and Quirky Facts. https:\/\/socket.dev\/blog\/2023-npm-retrospective"},{"key":"e_1_3_3_2_34_2","doi-asserted-by":"publisher","unstructured":"Klaas-Jan Stol and Brian Fitzgerald. 2018. The ABC of Software Engineering Research. ACM Trans. Softw. Eng. Methodol. Article 11 (Sept. 2018) 51\u00a0pages. 10.1145\/3241743","DOI":"10.1145\/3241743"},{"key":"e_1_3_3_2_35_2","doi-asserted-by":"publisher","unstructured":"Margaret-Anne Storey Neil\u00a0A. Ernst Courtney Williams and Eirini Kalliamvakou. 2020. The who what how of software engineering research: a socio-technical framework. Empirical Software Engineering 25 5 (Aug. 2020) 4097\u20134129. 10.1007\/s10664-020-09858-z","DOI":"10.1007\/s10664-020-09858-z"},{"key":"e_1_3_3_2_36_2","doi-asserted-by":"crossref","unstructured":"Ron Torten Carmen Reaiche and Stephen Boyle. 2018. The impact of security awareness on information technology professionals\u2019 behavior. Computers & Security 79 (2018) 68\u201379.","DOI":"10.1016\/j.cose.2018.08.007"},{"key":"e_1_3_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-32489-6_4"},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"crossref","unstructured":"Laurie Williams Giacomo Benedetti Sivana Hamer Ranindya Paramitha Imranur Rahman Mahzabin Tamanna Greg Tystahl Nusrat Zahan Patrick Morrison Yasemin Acar et\u00a0al. 2025. Research directions in software supply chain security. ACM Transactions on Software Engineering and Methodology 34 5 (2025) 1\u201338.","DOI":"10.1145\/3714464"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2901743"},{"key":"e_1_3_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"e_1_3_3_2_41_2","doi-asserted-by":"publisher","unstructured":"Ahmed Zerouali Tom Mens Alexandre Decan and Coen De\u00a0Roover. 2022. On the impact of security vulnerabilities in the npm and RubyGems dependency networks. Empirical Software Engineering 27 5 (May 2022). 10.1007\/s10664-022-10154-1","DOI":"10.1007\/s10664-022-10154-1"},{"key":"e_1_3_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/saner.2019.8667997"},{"key":"e_1_3_3_2_43_2","series-title":"(SEC\u201919)","first-page":"995","volume-title":"Proceedings of the 28th USENIX Conference on Security Symposium","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Smallworld with high risks: a study of security threats in the npm ecosystem. In Proceedings of the 28th USENIX Conference on Security Symposium (Santa Clara, CA, USA) (SEC\u201919). USENIX Association, USA, 995\u20131010."}],"event":{"name":"CHASE'26: 19th International Conference on Cooperative and Human Aspects of Software Engineering","location":"Rio de Janeiro Brazil","acronym":"CHASE'26","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 19th International Conference on Cooperative and Human Aspects of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3794860.3794908","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T10:49:56Z","timestamp":1783594196000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3794860.3794908"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,12]]},"references-count":42,"alternative-id":["10.1145\/3794860.3794908","10.1145\/3794860"],"URL":"https:\/\/doi.org\/10.1145\/3794860.3794908","relation":{},"subject":[],"published":{"date-parts":[[2026,4,12]]},"assertion":[{"value":"2026-07-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}