Mend.io Introduces First Open Source Reliability Leaderboard

Tel Aviv, Israel and Boston, June 28, 2023 /PRNewswire/ — Mend.io, a leading company in application security, recently released the findings from its latest report, the Mend.io Open Source Reliability Leaderboard. This report, powered by data from Renovate, Mend.io’s popular open-source dependency management tool, showcases the top packages in terms of reliability across three of the most widely used programming languages.

Rhys Arkins, the Vice President of Product Management at Mend.io, emphasized the importance of shifting the perspective on application security from detection to prevention. He stated, “Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are.”

The Mend.io Open Source Reliability Leaderboard is an invaluable resource as it leverages the data gathered by Renovate, which has analyzed over 25 million dependency updates from the open-source community. By examining which packages consistently release good updates, the Leaderboard provides software engineers with an accurate assessment of a package’s overall reliability, allowing them to strike a balance between functional risk and security risk.

The report features detailed rankings for npm, PyPI, and Maven, three of the most widely used package ecosystems.

One of the key findings highlighted in the report is that group updates can negatively impact package reliability. Drawing a parallel to the TV show Survivor, the report states that a group of ten packages is ten times more likely to encounter a failure. This finding emphasizes the importance of individual package reliability and highlights the need for thorough evaluation before incorporating packages into software projects.

Contrary to popular belief, the report also dispels the notion that more frequent releases improve reliability. Despite the assumption that faster bug fixes and a more engaged maintainer community would enhance reliability, the analysis showed that release frequency has no effect on average success rates. This suggests that other factors, such as code quality and the thoroughness of testing, may play a more significant role in determining package reliability.

The report also provides the top three most reliable packages for each language:

– For npm, the top three packages are prettier-eslint, np, and jest-cli.
– For Maven, the top three packages are org.apache.maven.scm:maven-scm-provider-gitexe, com.github.ekryd.sortpom:sortpom-maven-plugin, and org.apache.maven.plugins:maven-release-plugin.
– For PyPI, the top three packages are Pulumi, Botocore-stubs, and types-python-dateutil.

Overall, the report emphasizes the need for companies to prioritize reliability and security when selecting open-source packages for their software projects.

For more information and to access the full report, visit https://eu-app.contentstack.com/#!/stack/blt66983808af36a8ef/content-type/dr_article/en-us/entry/create.

About Mend.io
Mend.io, formerly known as WhiteSource, is a trusted company with over a decade of experience in helping global organizations build robust application security programs. Their automated technology protects organizations from supply chain attacks, vulnerabilities in open-source and custom code, and open-source license risks. With a proven track record and over 1,000 customers, including 25% of the Fortune 100, Mend.io is a go-to technology for development and security teams. They also manage Renovate, the open-source automated dependency update project.

To learn more about Mend.io and their solutions, visit www.mend.io, read their blog at www.mend.io/blog/, and follow them on LinkedIn at https://www.linkedin.com/mendio?_l=en_US and Twitter at https://twitter.com/mend_io.

SOURCE Mend.io
