Chart of the Week

OCT 2023: VOLUME 3

Packages are reused 2.7 times on average within the same Open-Source Project

The Data

Based on Lineaje AI Labs research, the majority of vulnerabilities in open source are not fixed by open-source developers. Lineaje AI Labs analyzed 121,443 open-source projects and discovered 118,573 vulnerabilities in them. The saving grace is that vulnerabilities are not evenly distributed across dependencies.

The Implication

  • Inherited Vulnerabilities: With packages being reused multiple times within a single project, a single compromised package must be patched multiple times, once for each instance of the component.
  • Direct vs Transitive: The same dependency may exist as both a direct component and a transitive component, necessitating different patching approaches.
  • Reachability: The reuse of packages within a project can lead to intricate dependency chains. Reachability has to consider all possible usages of the same package.
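To make the three implications concrete, the following added example (not Lineaje's code, and the dependency graph is constructed, not taken from the research data) walks a single project's dependency tree, counts every distinct path on which each package appears, and flags whether that package is pulled in directly, transitively, or both. Each path is one usage that a patch or a reachability analysis has to cover.

```python
from collections import defaultdict

# Constructed dependency graph for a hypothetical project ("app" is the root).
# Keys are packages, values are the packages they depend on.
DEP_GRAPH = {
    "app": ["web-framework", "http-client", "json-lib"],
    "web-framework": ["http-client", "json-lib", "logging-lib"],
    "http-client": ["json-lib", "url-parser"],
    "logging-lib": ["json-lib"],
    "json-lib": [],
    "url-parser": [],
}


def dependency_paths(graph, root="app"):
    """Return every root-to-package path; each path is one reuse instance.
    A package already on the current path is skipped to tolerate cycles."""
    paths = defaultdict(list)

    def walk(node, path):
        for child in graph.get(node, []):
            if child in path:
                continue
            child_path = path + [child]
            paths[child].append(child_path)
            walk(child, child_path)

    walk(root, [root])
    return dict(paths)


def reuse_report(graph, root="app"):
    """Per package: instance count, direct/transitive flags, and the usage paths
    that would each need patching (or reachability review) for a vulnerability."""
    report = {}
    for pkg, pkg_paths in dependency_paths(graph, root).items():
        report[pkg] = {
            "instances": len(pkg_paths),
            "direct": any(len(p) == 2 for p in pkg_paths),      # root -> pkg
            "transitive": any(len(p) > 2 for p in pkg_paths),   # via another dep
            "paths": [" -> ".join(p) for p in pkg_paths],
        }
    return report


def average_reuse(report):
    """Mean number of instances per distinct package in the project."""
    return sum(r["instances"] for r in report.values()) / len(report)
```

In this constructed graph json-lib appears on five paths and is both a direct and a transitive dependency, so a fix in json-lib has to be verified on all five usages, not just the one declared in the project's own manifest.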