Drop Everything? Analyzing Developer Response to Fix a High Severity Dependency
Source: NIAID Data Ecosystem (indexed 2026-03-13)
Download link:
https://zenodo.org/record/6030472
Resource description:
Although using third-party libraries has become prevalent in contemporary software development, prior work agrees that developers struggle to update their dependencies. Developers often acknowledge that migration effort, priority and other issues cause lags in the adoption process. On the other hand, with a vulnerability that has showstopping potential, we expect developers to "drop everything!" to fix the risk. In this new idea paper, we explore a case study of Log4JShell, which has the highest ever reported severity of 10. Our goal is to analyze the developer response in terms of how fast they migrated to a safer version and what information was discussed while fixing this severe vulnerability.
Created:
2022-02-11



