Feb 21, 2020

Pinpointing weaknesses in the open source ecosystem

Open source census

The Linux Foundation—in partnership with the Laboratory for Innovation Science at Harvard University—released a new census of open source software, dubbed Vulnerabilities in the Core.

With data collected from actual production environments—compiled through automated scans of companies’ tech stacks—the report reveals serious potential weaknesses in the open source ecosystem.

First, individual developers are a major weakness. The report found that seven of the top ten most popular packages in the world were hosted under individual developer accounts rather than organizations. That puts much of today's most important software one phished password or reused credential away from an account takeover, after which an attacker can publish a backdoored release that every downstream build pulls in automatically.

Worse, developers have the power to simply remove or delete these packages. Take, for example, how in 2016 a sole developer unpublished his npm package left-pad in protest, breaking builds of Babel and thousands of other projects that depended on it. npm has since restricted unpublishing of established packages, but a lone maintainer can still push a breaking or malicious version at any time.

Second, open source has not escaped the problem of legacy technology. The report highlights how minimist, a library to parse argument options that reigns as the sixth most popular package in the world, outranks yargs, a newer and more actively maintained alternative. Disturbingly, minimist, whose last commit dates back to 2015, still rakes in more than 35 million downloads each week from the npm registry, so any bug found in it today lands in a huge installed base with no one actively shipping fixes.
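Both findings above (a package controlled by a single account, and a package that nobody has released in years) can be checked against your own dependency list from the npm registry's package metadata. The script below is an added example written for this post, not code from the report or the Linux Foundation; it reads "packument" documents (the JSON that registry.npmjs.org returns for a package name, whose real fields include maintainers, time and dist-tags) and flags each package that matches either finding. The three packages, their maintainers and their dates are constructed for illustration and are not real registry data; the 365-day staleness threshold is an assumed policy value.

```python
"""Flag npm dependencies that match the census findings: a single maintainer
account, and no release within a configurable window.

Added example, not from the report. Input documents follow the npm registry
packument schema (fields 'maintainers', 'time', 'dist-tags'), but the sample
data below is constructed and does not describe real packages.
"""
import json
from datetime import datetime, timezone

# Constructed sample packuments (shape matches the registry, contents made up).
SAMPLE_PACKUMENTS = json.loads(r'''
[
  {"name": "tiny-args",
   "dist-tags": {"latest": "1.2.0"},
   "maintainers": [{"name": "solo-dev", "email": "solo@example.invalid"}],
   "time": {"created": "2013-06-01T00:00:00.000Z",
            "modified": "2015-03-10T00:00:00.000Z",
            "1.1.0": "2014-09-20T00:00:00.000Z",
            "1.2.0": "2015-03-10T00:00:00.000Z"}},
  {"name": "big-framework",
   "dist-tags": {"latest": "4.0.1"},
   "maintainers": [{"name": "org-bot", "email": "bot@example.invalid"},
                   {"name": "maintainer-a", "email": "a@example.invalid"},
                   {"name": "maintainer-b", "email": "b@example.invalid"}],
   "time": {"created": "2016-01-05T00:00:00.000Z",
            "modified": "2020-02-10T00:00:00.000Z",
            "4.0.0": "2019-12-01T00:00:00.000Z",
            "4.0.1": "2020-02-10T00:00:00.000Z"}},
  {"name": "pair-maintained",
   "dist-tags": {"latest": "0.9.0"},
   "maintainers": [{"name": "dev-one", "email": "one@example.invalid"},
                   {"name": "dev-two", "email": "two@example.invalid"}],
   "time": {"created": "2017-04-01T00:00:00.000Z",
            "modified": "2018-01-15T00:00:00.000Z",
            "0.9.0": "2018-01-15T00:00:00.000Z"}}
]
''')

# Assumed policy: anything without a release in the last year is "stale".
STALE_AFTER_DAYS = 365


def parse_registry_time(ts):
    """Registry timestamps are ISO 8601 with a trailing 'Z'; fromisoformat
    needs an explicit offset on older Pythons, so normalise it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_release_time(pkg):
    """Time of the version currently tagged 'latest', which is what a plain
    `npm install <name>` resolves to."""
    latest_version = pkg["dist-tags"]["latest"]
    return parse_registry_time(pkg["time"][latest_version])


def assess(pkg, now, stale_after_days=STALE_AFTER_DAYS):
    """Return a finding record for one packument."""
    # Distinct account names; a package with one maintainer has one
    # account whose compromise or departure controls every consumer.
    accounts = {m["name"] for m in pkg.get("maintainers", [])}
    age_days = (now - latest_release_time(pkg)).days
    findings = []
    if len(accounts) <= 1:
        findings.append("single-maintainer")
    if age_days > stale_after_days:
        findings.append(f"stale:{age_days}d")
    return {"name": pkg["name"], "maintainers": len(accounts),
            "last_release_days": age_days, "findings": findings}


def audit(packuments, now, stale_after_days=STALE_AFTER_DAYS):
    """Assess every packument; returns one record per package, in input order."""
    return [assess(p, now, stale_after_days) for p in packuments]


if __name__ == "__main__":
    # Fixed 'now' so the output is reproducible; use datetime.now(timezone.utc)
    # when running against a live dependency list.
    now = datetime(2020, 2, 21, tzinfo=timezone.utc)
    for record in audit(SAMPLE_PACKUMENTS, now):
        status = ", ".join(record["findings"]) or "ok"
        print(f'{record["name"]:18} maintainers={record["maintainers"]} '
              f'last_release={record["last_release_days"]}d  {status}')
```

To run this against a real project, fetch `https://registry.npmjs.org/<name>` for each entry in the lockfile and feed the responses to `audit`; a hit on "single-maintainer" is a prompt to pin the package by integrity hash and watch its publish events, and a hit on "stale" is a prompt to look for a maintained alternative, as the report does with yargs.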

A way forward: The Linux Foundation hopes identifying these issues is the first step in helping the community focus its limited resources on the most widely used, least supported components in open source software.
