Although using third-party libraries has become prevalent in contemporary software development, developers often struggle to update their dependencies. Prior works acknowledge that due to the migration effort, priority and other issues cause lags in the migration process. The common assumption is that developers should drop all other activities and prioritize fixing the vulnerability. Our objective is to understand developer behavior when facing high-risk vulnerabilities in their code. We explore the prolific, and possibly one of the cases of the Log4JShell, a vulnerability that has the highest severity rating ever, which received widespread media attention. Using a mixed-method approach, we analyze 219 GitHub Pull Requests (PR) and 354 issues belonging to 53 Maven projects affected by the Log4JShell vulnerability. Our study confirms that developers show a quick response taking from 5 to 6 days. However, instead of dropping everything, surprisingly developer activities tend to increase for all pending issues and PRs. Developer discussions involved either giving information (29.3\%) and seeking information (20.6\%), which is missing in existing support tools. Leveraging this possibly-one of a kind event, insights opens up a new line of research, causing us to rethink best practices and what developers need in order to efficiently fix vulnerabilities.

翻译：尽管在当代软件开发中广泛使用第三方库，开发者往往难以更新其依赖项。先前研究指出，由于迁移工作量、优先级及其他问题，迁移过程常出现滞后。普遍假设是开发者应暂停所有其他活动，优先修复漏洞。本研究旨在理解开发者在面对代码中高风险漏洞时的行为模式。我们以Log4JShell这一具有史上最高严重性评级、且受到媒体广泛关注的重大漏洞案例为研究对象，采用混合方法分析了53个受Log4JShell漏洞影响的Maven项目中219个GitHub拉取请求（PR）和354个议题。研究证实开发者响应迅速（耗时5-6天），但出人意料的是，开发者并未搁置其他工作，反而对所有待处理议题和PR的活动量均有所增加。开发者讨论主要涉及提供信息（29.3%）与寻求信息（20.6%），而这正是现有支持工具所缺失的功能。通过剖析此次罕见的安全事件，本研究开辟了新的研究方向，促使我们重新审视最佳实践，并思考开发者需要何种支持才能高效修复漏洞。