Going Viral: Case Studies on the Impact of Protestware
Youmei Fan, Dong Wang, Supatsara Wattanakriengkrai, Hathaichanok Damrongsiri, Christoph Treude, Hideaki Hata, Raula Gaikovina Kula
TL;DR
Protestware represents a novel form of political expression within open-source software that can disrupt software supply chains. The authors employ a mixed-methods approach, combining large-scale GitHub and social-media mining with manual coding, to analyze two protestware cases, Colors.js and es5-ext, against Ua-parser as a conventional security-vulnerability baseline. Key findings indicate that protestware can match the disruption level of a security vulnerability yet is less likely to trigger widespread dependency abandonment, and that its diffusion is often accelerated by social platforms and early mentions on Twitter. The work provides nuanced insights into the narratives around protestware, identifying four opinion themes, and proposes governance-oriented directions to foster constructive dialogue and reduce toxicity in OSS communities.
Abstract
Maintainers are now self-sabotaging their work in order to take political or economic stances, a practice referred to as "protestware". In this poster, we present our approach to understanding how the discourse about such an attack went viral, how it is received by the community, and whether developers respond to the attack in a timely manner. We study two notable protestware cases, i.e., Colors.js and es5-ext, comparing them with discussions of a typical security vulnerability as a baseline, i.e., Ua-parser, and perform a thematic analysis of more than two thousand protest-related posts to extract the different narratives that arise when discussing protestware.
