Sonatype's 10th annual State of the Software Supply Chain report marks a transformative decade for open source software.
Once a grassroots innovation engine, open source is now the backbone of global digital infrastructure, driving innovation at an unprecedented scale while introducing new challenges. This year's report provides a comprehensive analysis of key trends, persistent risks, and actionable strategies for securing the software supply chain.
As we conclude our blog series, let's recap insights, highlight key findings from the report, and chart a path forward for open source resilience.
In our opening post, we reflected on how open source grew into a cornerstone of the software industry. Over the past decade, the number of open source projects and their consumption have grown exponentially.
JavaScript (npm) alone accounted for 4.5 trillion requests in 2024, a 70% year-over-year increase. Yet, this growth has also attracted bad actors, with malicious packages growing 156% year-over-year.
Open source's explosive growth brings new challenges. Python's ecosystem saw requests surge to 530 billion in 2024, driven by AI and cloud adoption.
Yet vulnerabilities persist. Despite years of awareness, 13% of Log4j downloads in 2024 were still of versions affected by the critical Log4Shell vulnerability, a stark reminder of how far dependency management lags behind disclosure.
Scale is only part of the problem; the open source risk landscape itself keeps evolving.
Vulnerabilities linger less for lack of a fix than for lack of action: for 95% of the vulnerable component versions still being downloaded, a safer version was already available.
Meanwhile, open source malware has evolved into a critical threat, targeting developer environments and bypassing traditional security tools.
Managing dependencies across modern applications is no small feat, with the average application containing 180 components.
Our report also explores the importance of reducing inefficiencies through better tools, like software composition analysis (SCA), which help developers focus on innovation instead of reactive fixes.
After examining ways to improve efficiency and reduce waste, we presented actionable strategies to bolster resilience: integrate SCA into CI/CD pipelines so that a known-vulnerable version fails the build instead of shipping, and produce software bills of materials (SBOMs) so that when the next Log4Shell is disclosed, teams can answer "where do we run it?" from inventory rather than by searching.
These proactive steps can cut remediation times by up to 264 days while fostering transparency and accountability.
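As an added example (not from the report or from Sonatype's tooling), here is the kind of minimal SBOM policy gate a CI step could run: it parses a CycloneDX-style JSON SBOM, looks each component up in a table of "first fixed version" entries, and fails the build when a component is older than the fix. The SBOM document and the policy table are constructed for illustration; the log4j-core threshold of 2.17.1 corresponds to the Apache releases that closed Log4Shell and its follow-on fixes, but a real pipeline would load the policy from an advisory feed rather than hard-code it.

```python
"""Minimal SBOM policy gate for a CI step (added example, not the report's tooling).

Reads a CycloneDX-style JSON SBOM, looks each component up in a policy table of
"first fixed version" entries, and fails when a component is older than the fix.
"""
import json

# Policy: purl without version -> (first fixed version, note). Constructed here;
# a real pipeline would load this from an advisory feed (assumption), not hard-code it.
POLICY = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": (
        "2.17.1", "Log4Shell and the follow-on Log4j 2 fixes"),
}

# Constructed SBOM: two builds of log4j-core, the API jar, and an unrelated npm package.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})


def parse_version(v):
    """Turn '2.14.1' into a comparable tuple.

    Plain string comparison gets this wrong ('2.9.0' > '2.17.1'), so compare
    numerically; pad to three places so '2.15' == '2.15.0'; and rank a
    pre-release such as '2.0-beta9' below the release it precedes.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = (nums + (0, 0, 0))[:3]
    return nums + ((-1,) if pre else (0,))


def purl_key(purl):
    """Strip the @version and ?qualifiers so the purl can be used as a policy key."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def sbom_findings(sbom, policy=POLICY):
    """Return one finding per component whose version is below the policy's fix."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        key = purl_key(purl)
        if key not in policy:
            continue
        # Prefer the explicit version field; fall back to the version in the purl.
        version = comp.get("version")
        if not version and "@" in purl:
            version = purl.split("@", 1)[1].split("?", 1)[0]
        if not version:
            continue  # nothing to compare against
        fixed, note = policy[key]
        if parse_version(version) < parse_version(fixed):
            findings.append({"component": key, "version": version,
                             "fixed_in": fixed, "note": note})
    return findings


def gate(sbom_json):
    """CI entry point: print each finding and return the process exit code."""
    findings = sbom_findings(json.loads(sbom_json))
    for f in findings:
        print(f"BLOCK {f['component']} {f['version']}: {f['note']}; "
              f"upgrade to >= {f['fixed_in']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SBOM))
```

Run against the constructed SBOM, the gate blocks only the 2.14.1 copy of log4j-core: the 2.17.1 copy passes, and log4j-api is ignored because the policy key is the exact package, which is the behaviour you want when the vulnerable code lives in one artifact of a multi-module project.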
With open source adoption reaching multitrillion request levels, the stakes for effective security have never been higher.
In 2024, the ecosystem saw over 512,000 malicious packages introduced — a trend fueled by increasingly sophisticated attacks. It’s clear that traditional security measures alone cannot keep pace with this scale.
The concept of "Persistent Risk," introduced in this year's report, underscores the challenges of unfixed vulnerabilities.
Organizations must prioritize robust dependency management and adopt SBOMs to identify and mitigate these risks proactively.
Organizations lose valuable time addressing issues that could be preempted with better tooling and practices.
By streamlining workflows and integrating security early in the software development life cycle (SDLC), teams can unlock efficiencies that fuel innovation.
The rise of regulations like the Cyber Resilience Act (CRA) and Executive Order 14028 reflects a global shift towards accountability in software security.
These frameworks underscore the need for transparency and enforce robust practices for managing open source components.
As we enter the next decade, the lessons from the past ten years provide a clear roadmap:
Prioritize transparency: SBOM adoption must accelerate to keep pace with regulatory requirements and evolving threats.
Invest in automation: Robust tools that provide real-time insights into vulnerabilities and risks are critical for maintaining security at scale.
Foster collaboration: Open source's strength lies in its community. Investing in maintainers and fostering collaboration can ensure ecosystems remain secure and resilient.
Open source has transformed how we build software, but with great innovation comes great responsibility. By embedding security into the fabric of development and fostering a culture of transparency, organizations can turn today's challenges into tomorrow's strengths.
The journey isn't over. To dive deeper into these insights and explore strategies for your organization, download the full State of the Software Supply Chain.