Announcing the Open-Source Reliability Leaderboard: A New Resource for Preventive AppSec


We are excited to announce the inaugural edition of the Mend.io Open-Source Reliability Leaderboard! Powered by data from Renovate, the wildly popular open-source dependency management tool, the Leaderboard presents the top packages in terms of reliability across three of the most widely used languages.

The Leaderboard lets the Mend.io team share a resource that has been valuable to us internally. There is no better arbiter of package reliability than Renovate, which has gathered crowd-sourced data on over 25 million dependency updates. By analyzing which packages consistently release updates that succeed, we built an accurate picture of each package’s overall reliability for software engineers trying to balance functional risk against the security risk imposed by our increasingly vulnerable software supply chain.

“The Leaderboard helps shift the AppSec view from detection to prevention, a valuable perspective for reducing the risk imposed by our increasingly vulnerable software supply chain,” said Rhys Arkins, vice president of product management at Mend.io. “Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are.” 

The full report showcases detailed rankings for npm, PyPI, and Maven.

Key findings:

Group runs bring down overall package reliability. 

Any fan of the TV show Survivor can tell you that in competition, groups are often hurt by their weakest link, and the same holds true when it comes to group updates. A group of ten packages is ten times more likely to encounter a failure. 

Release frequency has no effect on average success rates.

You would think that more-frequent releases would improve reliability through faster bug fixes and an engaged maintainer community, but this was not the case. 

Looking across the overall categories, the top three most reliable packages for each language are: 

npm:

  1. prettier-eslint
  2. np
  3. jest-cli

Maven:

  1. org.apache.maven.scm:maven-scm-provider-gitexe
  2. com.github.ekryd.sortpom:sortpom-maven-plugin
  3. org.apache.maven.plugins:maven-release-plugin

PyPI:

  1. pulumi
  2. botocore-stubs
  3. types-python-dateutil
