Report finds few open source projects actively maintained

Report finds few open source projects actively maintained

Sonatype’s annual software supply chain analysis finds open source project maintenance in decline, while 1 in 8 open source downloads have a known risk.

Credit: Dreamstime

A recent analysis accounting for nearly 1.2 million open source software projects across four major ecosystems found that only about 11 per cent of projects were actively maintained. 

In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18 per cent decline this year in actively maintained projects. Just 11 per cent of projects—118,028—were receiving active maintenance.

The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. According to the report, 18.6 per cent of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.

Sonatype also found that open source projects that are consistently maintained outperform counterparts on critical best practices for software security.

The 62-page report blends public and proprietary data and analysis, including dependency update patterns for more than 400 billion Maven Central downloads and thousands of open source projects. It also incorporates survey results from 621 engineering professionals and security trends from the four major software ecosystems. Additional findings from the report: 

  • 67 per cent of respondents said they did not believe their applications relied on known vulnerable libraries. Nearly 10 per cent reported security breaches due to open source vulnerabilities in the past 12 months.
  • 39 per cent of organizations discover vulnerabilities within one to seven days while 29 per cent take more than a week and 28 per cent discover them within a day. As far as mitigation, 39 per cent require more than a week to mitigate vulnerabilities.
  • Use of AI and machine learning software components within corporate environments surged 135 per cent over the last year.
  • One in eight open source downloads had a known risk, but 96 per cent of vulnerable downloaded releases had a fixed version available.
  • The rate of download growth in open source consumption has slowed during the past two years. 

Show Comments