With the urgent need to secure the software supply chain of open-source libraries, attention has focused on mitigating vulnerabilities detected in those libraries. Although awareness has improved recently, most studies still report delays in the mitigation process. One plausible reason is that developers must handle other contributions that arrive while a vulnerability is being fixed, such as coinciding Pull Requests (PRs) and Issues, yet the impact of these contributions on the fix remains unclear. To characterize these contributions, we conducted a mixed-method empirical study of npm packages hosted on GitHub that were affected by 554 distinct vulnerability advisories, mining a total of 4,699 coinciding PRs and Issues. We believe that tool support and improved workload management for developers have the potential to make the vulnerability mitigation process more efficient and effective.