In recent years, the adoption and growth of open source software (OSS) have soared, with 2024 set to break records, projecting over 6.6 trillion downloads by year-end. The vast influence of open source now underpins nearly every aspect of software development.
However, this rapid expansion also brings about unprecedented challenges.
In our recently published 2024 State of the Software Supply Chain report, we dig into the scale of open source and highlight both the remarkable expansion of its ecosystems and the increasing threats posed by malicious actors.
Let's explore key insights and statistics from the report to understand the scale of open source adoption and the security challenges it brings.
Explosive growth across ecosystems
One of the most notable points from the report is the sheer growth in open source downloads across multiple ecosystems:
-
npm, the JavaScript ecosystem, continues to dominate with 4.5 trillion requests in 2024, marking a 70% year-over-year growth.
-
PyPI, the Python ecosystem, is the fastest-growing ecosystem, expected to reach 530 billion requests by year-end, an 87% YoY increase.
-
The Maven Central ecosystem (primarily used by Java developers) is projected to handle 1.5 trillion requests in 2024.
This rapid expansion highlights the widespread adoption of open source components across various industries. However, not all growth is genuine. Ecosystems like npm have experienced a rise in "spam" packages — malicious or low-quality packages published with ill intent.
The rise of malicious packages
As the availability of open source components continues to grow, there is a concerning increase in open source malware. Over the past year, Sonatype has documented more than 512,847 malicious packages, marking a 156% rise compared to the previous year.
The npm ecosystem has been hit particularly hard, with malicious packages distorting its growth statistics. This influx of bad actors has forced ecosystems like PyPI to pause accepting new releases to stem the tide of malicious content.
This growth in malicious packages underscores the need for more robust defenses within open source ecosystems, as developers and organizations increasingly face risks that traditional security tools struggle to detect.
Key statistics on open source consumption
Our report offers key metrics that highlight the current scale of open source consumption across ecosystems, such as the following:
-
4.5 trillion requests in npm (JavaScript)
-
530 billion requests in PyPI (Python)
-
159 billion requests in NuGet (.NET)
These numbers illustrate the pervasive role of open source software in modern development.
However, the increase in downloads also brings heightened potential risks. Our research uncovered 704,102 malicious packages since 2019, highlighting the darker side of large-scale open source adoption.
Challenges of managing open source dependencies
The rapid expansion of open source usage poses fresh challenges for both developers and organizations. A major concern is the complexity of managing open source dependencies efficiently. With the surge in available components, ensuring their security and reliability has become a daunting task.
Numerous ecosystems are struggling to keep up, with ongoing risks arising from outdated and insecure packages.
The main challenges include:
-
Spam and malware contamination: The flood of low-quality or malicious packages strains developer resources and security efforts.
-
Version complexity: Ecosystems like Maven Central report an average of 28 versions per project, adding to the challenge of selecting and maintaining secure, up-to-date components.
The role of AI in accelerating growth
The report attributes a portion of the rapid growth in open source consumption to the rise of AI and ML technologies, especially in ecosystems like Python. As AI projects increasingly rely on open source libraries, the demand for components from PyPI has surged.
However, this growth also exposes new risks. AI projects often rely on multiple layers of dependencies, making them especially vulnerable to software supply chain attacks. Developers need to be more vigilant than ever when selecting and securing these dependencies to ensure the integrity of their projects.
Balancing innovation and risk
The rise of open source software presents remarkable opportunities for innovation, yet it also introduces substantial challenges, particularly in managing security risks and the complexity of dependencies.
As our research shows, organizations must evolve their practices to keep up with the scale of open source usage and address the increasing threats posed by malicious actors.
To learn more about the state of open source and how to protect your software supply chain, check out the full State of the Software Supply Chain report.
