Journal of Software (软件学报), 2025, Vol. 36, No. 7, p. 3066 (PDF page 145)