{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2017:HF6JVXXWFOXZTZQFUPMBN556FG","short_pith_number":"pith:HF6JVXXW","canonical_record":{"source":{"id":"1709.04621","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-14T05:59:50Z","cross_cats_sorted":[],"title_canon_sha256":"917981ca4e626d3cf2013c033eb5fc5c863e9c5c23ceb4a2d5c738ad60e23a8c","abstract_canon_sha256":"d612a9ce4f716887659477adf20a05a09eb32b470ba166916ed1419f288643a3"},"schema_version":"1.0"},"canonical_sha256":"397c9adef62baf99e605a3d816f7be2992ada128b0459421abc41d21cec5ed7a","source":{"kind":"arxiv","id":"1709.04621","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.04621","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"arxiv_version","alias_value":"1709.04621v1","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.04621","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"pith_short_12","alias_value":"HF6JVXXWFOXZ","created_at":"2026-05-18T12:31:18Z"},{"alias_kind":"pith_short_16","alias_value":"HF6JVXXWFOXZTZQF","created_at":"2026-05-18T12:31:18Z"},{"alias_kind":"pith_short_8","alias_value":"HF6JVXXW","created_at":"2026-05-18T12:31:18Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2017:HF6JVXXWFOXZTZQFUPMBN556FG","target":"record","payload":{"canonical_record":{"source":{"id":"1709.04621","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-14T05:59:50Z","cross_cats_sorted":[],"title_canon_sha256":"917981ca4e626d3cf2013c033eb5fc5c863e9c5c23ceb4a2d5c738ad60e23a8c","abstract_canon_sha256":"d612a9ce4f716887659477adf20a05a09eb32b470ba166916ed1419f288643a3"},"schema_version":"1.0"},"canonical_sha256":"397c9adef62baf99e605a3d816f7be2992ada128b0459421abc41d21cec5ed7a","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:35:11.093962Z","signature_b64":"nep9AspLNUlr8Wp8p/nfwmjklNPi+1xX35NqutBwkUQhn6QcgfqAOtnS4V4UzRuJPTQjUfKk+cFIVslHHZe5Bg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"397c9adef62baf99e605a3d816f7be2992ada128b0459421abc41d21cec5ed7a","last_reissued_at":"2026-05-18T00:35:11.093456Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:35:11.093456Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1709.04621","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:35:11Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"vV+4juWwHZ8KI1Jw1Af5f2QyTlJbjtQ5HG9IESV0xuqxJSP1H9YZH2vXFshXb3pOTcLBnTMqjb5l+ot6szDVCQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-31T19:55:22.372033Z"},"content_sha256":"ea80f03a30595738b5187afb3bcfe2bd1853444637f15f0f91c20896f048aa21","schema_version":"1.0","event_id":"sha256:ea80f03a30595738b5187afb3bcfe2bd1853444637f15f0f91c20896f048aa21"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2017:HF6JVXXWFOXZTZQFUPMBN556FG","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Do Developers Update Their Library Dependencies? An Empirical Study on the Impact of Security Advisories on Library Migration","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.SE","authors_text":"Ali Ouni, Daniel M. German, Katsuro Inoue, Raula Gaikovina Kula, Takashi Ishio","submitted_at":"2017-09-14T05:59:50Z","abstract_excerpt":"Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent of which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.04621","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:35:11Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"MbHlDcmf+ae/0ykdHVicBfhz8syAA1DTRx1anrTFT8sjg58ZX3OVhuuKTLocFy6epHjkdQfE2rXM2ZfIkf5eBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-31T19:55:22.372702Z"},"content_sha256":"a4209e8a3f1f989704deb27da7caedb2b986c4dba92ed54eb0f70f7b7672e9c6","schema_version":"1.0","event_id":"sha256:a4209e8a3f1f989704deb27da7caedb2b986c4dba92ed54eb0f70f7b7672e9c6"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/HF6JVXXWFOXZTZQFUPMBN556FG/bundle.json","state_url":"https://pith.science/pith/HF6JVXXWFOXZTZQFUPMBN556FG/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/HF6JVXXWFOXZTZQFUPMBN556FG/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-31T19:55:22Z","links":{"resolver":"https://pith.science/pith/HF6JVXXWFOXZTZQFUPMBN556FG","bundle":"https://pith.science/pith/HF6JVXXWFOXZTZQFUPMBN556FG/bundle.json","state":"https://pith.science/pith/HF6JVXXWFOXZTZQFUPMBN556FG/state.json","well_known_bundle":"https://pith.science/.well-known/pith/HF6JVXXWFOXZTZQFUPMBN556FG/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2017:HF6JVXXWFOXZTZQFUPMBN556FG","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"d612a9ce4f716887659477adf20a05a09eb32b470ba166916ed1419f288643a3","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-14T05:59:50Z","title_canon_sha256":"917981ca4e626d3cf2013c033eb5fc5c863e9c5c23ceb4a2d5c738ad60e23a8c"},"schema_version":"1.0","source":{"id":"1709.04621","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.04621","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"arxiv_version","alias_value":"1709.04621v1","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.04621","created_at":"2026-05-18T00:35:11Z"},{"alias_kind":"pith_short_12","alias_value":"HF6JVXXWFOXZ","created_at":"2026-05-18T12:31:18Z"},{"alias_kind":"pith_short_16","alias_value":"HF6JVXXWFOXZTZQF","created_at":"2026-05-18T12:31:18Z"},{"alias_kind":"pith_short_8","alias_value":"HF6JVXXW","created_at":"2026-05-18T12:31:18Z"}],"graph_snapshots":[{"event_id":"sha256:a4209e8a3f1f989704deb27da7caedb2b986c4dba92ed54eb0f70f7b7672e9c6","target":"graph","created_at":"2026-05-18T00:35:11Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent of which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software ","authors_text":"Ali Ouni, Daniel M. German, Katsuro Inoue, Raula Gaikovina Kula, Takashi Ishio","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-14T05:59:50Z","title":"Do Developers Update Their Library Dependencies? An Empirical Study on the Impact of Security Advisories on Library Migration"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.04621","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:ea80f03a30595738b5187afb3bcfe2bd1853444637f15f0f91c20896f048aa21","target":"record","created_at":"2026-05-18T00:35:11Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"d612a9ce4f716887659477adf20a05a09eb32b470ba166916ed1419f288643a3","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-14T05:59:50Z","title_canon_sha256":"917981ca4e626d3cf2013c033eb5fc5c863e9c5c23ceb4a2d5c738ad60e23a8c"},"schema_version":"1.0","source":{"id":"1709.04621","kind":"arxiv","version":1}},"canonical_sha256":"397c9adef62baf99e605a3d816f7be2992ada128b0459421abc41d21cec5ed7a","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"397c9adef62baf99e605a3d816f7be2992ada128b0459421abc41d21cec5ed7a","first_computed_at":"2026-05-18T00:35:11.093456Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:35:11.093456Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"nep9AspLNUlr8Wp8p/nfwmjklNPi+1xX35NqutBwkUQhn6QcgfqAOtnS4V4UzRuJPTQjUfKk+cFIVslHHZe5Bg==","signature_status":"signed_v1","signed_at":"2026-05-18T00:35:11.093962Z","signed_message":"canonical_sha256_bytes"},"source_id":"1709.04621","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:ea80f03a30595738b5187afb3bcfe2bd1853444637f15f0f91c20896f048aa21","sha256:a4209e8a3f1f989704deb27da7caedb2b986c4dba92ed54eb0f70f7b7672e9c6"],"state_sha256":"4e02c89129247cc824d2406fb2457d2440388845352c515c2725d216c6726489"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"dzir2IhnQ29vmrCCgyeb9xIJQHkOasrJ+JFM4h1eYPYSaffYjpYvpD1h4CgJj2HiObj7t5KCUjhC5G+Wnz1NCA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-31T19:55:22.376638Z","bundle_sha256":"9eea8c58bcb7473c6a904be2482f38f0822396177c41ca04102492e3c4e92ffa"}}