New report offers valuable resource to help organizations evaluate the safety and reliability of open-source packages
TEL AVIV, Israel and BOSTON – June 28, 2023 – Mend.io, a leader in application security, released findings today from its latest report, the Mend.io Open Source Reliability Leaderboard. Powered by data from Renovate, Mend.io’s popular open-source dependency management tool, the Leaderboard presents the top packages in terms of reliability across three of the most widely used languages.
“The Leaderboard helps shift the AppSec view from detection to prevention, a valuable perspective for reducing the risk imposed by our increasingly vulnerable software supply chain,” said Rhys Arkins, vice president of product management, Mend.io. “Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are.”
The Leaderboard allows the Mend.io team to leverage and share a valuable resource. There is no better arbiter of package reliability than Renovate, which has gathered crowd-sourced data on over 25 million dependency updates. By analyzing what packages are consistently releasing good updates, the Leaderboard presents an accurate picture of a package’s overall reliability for software engineers trying to balance functional risk with security risk.
The full report showcases detailed rankings for npm, PyPi, and Maven.
Key findings:
Group runs bring down overall package reliability.
Any fan of the TV show Survivor can tell you that in competition, groups are often hurt by their weakest link, and the same holds true when it comes to group updates. A group of ten packages is ten times more likely to encounter a failure.
Release frequency has no effect on average success rates.
You would think that more-frequent releases would improve reliability through faster bug fixes and an engaged maintainer community, but such was not the case.
The Best of the Best
Looking across the overall categories, the top three most reliable packages for each language are:
Npm:
- prettier-eslint
- np
- jest-cli
Maven:
- org.apache.maven.scm:maven-scm-provider-gitexe
- com.github.ekryd.sortpom:sortpom-maven-plugin
- org.apache.maven.plugins:maven-release-plugin
PyPi:
- Pulumi
- Botocore-stubs
- types-python-dateutil
About the Report
The report examines data from Renovate, an automated dependency management tool that leverages crowd-sourced data on over 25 million dependency updates.
To download a full copy of the report, visit here.
About Mend.io
Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development – using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.