Sonatype Report: Decline in Open Source Project Maintenance, 1 in 8 Downloads Risky
A comprehensive analysis encompassing nearly 1.2 million open source software projects, spanning four major ecosystems, has revealed a concerning trend: only about 11% of these projects are actively maintained. This finding comes from Sonatype’s 9th Annual State of the Software Supply Chain report, released on October 3. The report provides a detailed examination of 1,176,407 projects and highlights an 18% decline in actively maintained projects this year, with just 118,028 receiving ongoing maintenance. Interestingly, some new projects that were unmaintained in 2022 are now being actively managed.
The ecosystems analyzed include JavaScript, through NPM; Java, via the Maven project management tool; Python, using the PyPI package index; and .NET, through the NuGet gallery, with some inclusion of Go projects as well. The report highlights a significant drop in maintenance within these ecosystems, noting that 18.6% of Java and JavaScript projects that were maintained in 2022 are no longer receiving attention today.
Maintaining open source projects consistently has been linked to better adherence to critical software security practices. Sonatype’s findings underline this, showing that well-maintained projects tend to outperform their neglected counterparts in terms of security and reliability.
Sonatype also found that open source projects that are consistently maintained outperform counterparts on critical best practices for software security.
The 62-page report integrates a blend of public and proprietary data and analysis, covering dependency update patterns for over 400 billion Maven Central downloads and thousands of open source projects. It also includes survey data from 621 engineering professionals and security trends across the major software ecosystems. Additional key findings from the report are:
- 67% of respondents did not believe their applications depended on known vulnerable libraries, yet nearly 10% reported experiencing security breaches due to open source vulnerabilities in the past 12 months.
- 39% of organizations discover vulnerabilities within one to seven days, while 29% take more than a week and 28% identify them within a day. When it comes to mitigation, 39% of organizations require more than a week to address vulnerabilities.
- The use of AI and machine learning components in corporate environments has surged by 135% over the past year.
- One in eight open source downloads contained a known risk, but 96% of these vulnerable releases had an available fixed version.
- The growth rate of open source download consumption has slowed over the past two years.
These findings paint a picture of a maturing but challenged open source ecosystem. The decline in active maintenance raises concerns about the sustainability and security of many projects that organizations depend on. The report suggests a need for more robust maintenance practices and better security measures to manage the inherent risks of using open source software.
Overall, Sonatype’s report serves as a crucial resource for understanding the current state of open source software maintenance and the associated risks. It underscores the importance of active maintenance in ensuring the security and reliability of open source projects and highlights the ongoing challenges faced by the open source community in managing and securing the vast array of available software.