A Decade of Evolution, Innovation, and Growing Risks

As we mark the 10th annual State of the Software Supply Chain report,  the transformation of open source software has been nothing short of profound. Open source consumption has exploded, with estimates placing this year’s downloads at over 6.6 trillion. This reliance on open source components, now making up to 90% of the modern software application, has ushered in both unprecedented innovation and complex challenges for software supply chains. Because of this, the industry has also become increasingly regulated, moving from a hands-off approach in the early 2010s to proactive frameworks that address growing cybersecurity risks in the global software supply chain.

Here’s what else we found. 

Open Source Scale and Consumption Behaviors

Open source software adoption is at a multitrillion request scale, with ecosystems like JavaScript (npm) and Python (PyPI) leading the charge:

• JavaScript (npm) accounted for a staggering 4.5 trillion requests in 2024, representing 70% year-over-year growth in requests.
• Python (PyPI), driven by AI and cloud adoption, is estimated to reach 530 billion package requests by the end of 2024, up 87% year-over-year.

But this growth brings new risks. A rise in open source malware has infiltrated open source ecosystems at an alarming rate. Over 512,847 malicious packages have been logged just in the past year, a 156% increase year-over-year, highlighting a critical need for organizations to adapt their consumption practices. Traditional security tools often fail to detect these novel attacks, leaving developers and automated build environments highly vulnerable. This has resulted in a new wave of next-generation supply chain attacks, which target developers directly, bypassing existing defenses.

Further, each ecosystem presents different challenges. For instance, npm has experienced much of its growth from spam; Python is the fastest-growing in projects and volume, and shows more vulnerabilities per package compared to others; and Java (Maven) has an average of 28 versions per project.

Read more in our chapter on Open Source Scale.

Despite advances in supply chain security practices, consumer behavior lags, illustrating a critical failure in consumption practices. To address these issues, organizations must embrace best practices like proactive dependency management, choosing high-quality components, and avoiding malware risks.

To better understand how to actually choose high-quality components, we took a look at key heuristics — which include active community engagement, projects publishing Software Bills of Materials (SBOMs), and support from recognized foundations. We notably found that projects backed by recognized foundations have better security practices and reduced vulnerabilities.

Efficiency and Waste: The Time Drain on Developers

Efficiency in the development process is also at risk. Managing open source risks requires optimizing security policies and practices to keep up with the fast-paced evolution of new OSS libraries. Organizations struggle with the impracticality of slowing down DevOps processes for manual vulnerability reviews, leading to frustration among developers. Enterprises must aim to reduce waste by optimizing their remediation effort with the best possible software composition analysis tool.

Through our analysis, we know: 

• Size of application does not matter — with the average applications containing 180 components, even small applications face unmanageable workloads due to increasing dependencies. 
• Quality data does matter. 92% of crowdsourced or publicly available vulnerability data needed a correction once reviewed in more detail by a security researcher; 69% of vulnerabilities that were initially scored below 7 on the CVSS scale were corrected to 7 or higher, creating what we’re calling surprise risk and a false sense of comfort.
• Efficiency isn’t just about security, but about licenses: while an open source project typically has an overarching license, individual files may have different licenses as contributions grow, potentially impacting the project downstream.

The current reactive approach to vulnerabilities and license reviews wastes developer time, leading to inefficiency and higher costs. To combat this, enterprises need effective software composition analysis tools that provide high-quality component intelligence and integrate seamlessly into the development process.

A Call to Action and Vigilance: Proactive Management, Continuous Security, and Advanced Tooling

As attackers evolve their strategies to target the very foundation of software supply chains, the responsibility falls on software manufacturers, consumers, and regulators to adopt robust security practices. We can stop the bleeding and mitigate these mounting risks with proactive dependency management, advanced tooling, and earlier security intervention.

• Always-on security practices, when tools like Software Composition Analysis (SCA) are integrated directly into CI/CD pipelines, and throughout the development process — this can reduce wasted developer time and provide context for informed decision-making  and get ahead of this risk.
• Reducing persistent risk is possible by focusing on tools that help manage dependencies and apply realtime vulnerability detection. In fact, we found that projects using a Software Bill of Materials (SBOM) to manage OSS dependencies showed a 264-day reduction in mean time to remediate (MTTR) compared to those that did not. 

By embedding these practices early and managing OSS consumption more rigorously, organizations can cut down on risks before they grow corrosive and costly. Organizations must prioritize an advanced SCA tool that helps by selecting high-quality, well-maintained components, addressing risks as early as possible, and remaining vigilant against the evolving landscape of supply chain attacks. This proactive approach not only reduces developer frustration but also cuts down on wasted resources. Failure to do so leaves software ecosystems open to catastrophic breaches and operational inefficiencies.

The balance between innovation and security is more critical than ever. Open source ecosystems will continue to fuel technological breakthroughs, but organizations must evolve their security practices to avoid becoming victims of their own success. By addressing complacency, adopting robust tooling, and staying vigilant, software manufacturers can mitigate the persistent risks that threaten the future of innovation.

About the Analysis

Sonatype’s 10th Annual State of the Software Supply Chain report blends a broad set of public and proprietary data and analysis, including dependency update patterns for more than 1.5 trillion requests from Maven Central and thousands of open source projects, and the assessment of hundreds of thousands of key enterprise applications. This year’s report also analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npm), Python (PyPI), and .NET (NuGet) ecosystems. Special analysis was included thanks to the CHAOSS Community and their CHAOSS Community Report, as well as Tidelift and their survey of more than 400 open source maintainers as source for The 2024 Tidelift State of the Open Source Maintainer Report. The authors have taken great care to present statistically significant sample sizes with regard to component versions, downloads, vulnerability counts, and other data surfaced in this year’s report.