Sonatype’s Annual Software Supply Chain Analysis Finds Open Source Project Maintenance in Decline, While 1 in 8 Open Source Downloads Have a Known Risk
A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained.
In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects—118,028—were receiving active maintenance. The report also found some new projects, unmaintained in 2022, now being maintained.
The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. Some Go projects also were included. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.
Sonatype also found that open source projects that are consistently maintained outperform counterparts on critical best practices for software security.
The 62-page report blends public and proprietary data and analysis, including dependency update patterns for more than 400 billion Maven Central downloads and thousands of open source projects. It also incorporates survey results from 621 engineering professionals and security trends from the four major software ecosystems.
Additional findings from the report include the fact that 1 in 8 open source downloads have a known risk, highlighting the importance of maintaining and updating open source projects to ensure security and reliability.
The 62-page report blends public and proprietary data and analysis, including dependency update patterns for more than 400 billion Maven Central downloads and thousands of open source projects. It also incorporates survey results from 621 engineering professionals and security trends from the four major software ecosystems