The state of open source security – 2019

February 26, 2019 | in Open Source, Ecosystems | By Liran Tal

Check out our new Open Source Security Report 2020. This report reflects on open source security concerns in 2020 and trends in vulnerabilities across packages and container images.

Welcome to Snyk’s annual state of open source software security report 2019.
This report is split into several posts:

Or download our lovely handcrafted PDF report, which contains all of this information and more in one place.


Let’s start by showing you some of the key takeaways from the whole report as a dashboard:

    Open source adoption

  • 78% of vulnerabilities are found in indirect dependencies
  • Growth in indexed packages, 2017 to 2018
    • Maven Central – 102%
    • PyPI – 40%
    • npm – 37%
    • NuGet – 26%
    • RubyGems – 5.6%
  • npm reported 304 billion downloads for 2018

    Vulnerability identification

  • 37% of open source developers don’t implement any sort of security testing during CI, and 54% of developers don’t do any Docker image security testing
  • The median time from when a vulnerability was added to an open source package until it was fixed was over 2 years

    Known vulnerabilities

  • 88% growth in application vulnerabilities over two years
  • In 2018, vulnerabilities for npm grew by 47%. Maven Central and PHP Packagist disclosures grew by 27% and 56% respectively
  • In 2018, we tracked over 4 times more vulnerabilities found in RHEL, Debian and Ubuntu as compared to 2017

    Who’s responsible for open source security?

  • 81% of users feel developers are responsible for open source security
  • 68% of users feel that developers should own the security responsibility of their docker container images
  • Only three in ten open source maintainers consider themselves to have high security knowledge

    Known vulnerabilities in Docker images

  • Each of the top ten most popular default docker images contains at least 30 vulnerable system libraries
  • 44% of scanned docker images can fix known vulnerabilities by updating their base image tag

    Snyk stats

  • In the second half of 2018 alone, Snyk opened more than 70,000 Pull Requests for its users to remediate vulnerabilities in their projects
  • CVE/NVD and public vulnerability databases miss many vulnerabilities, only accounting for 60% of the vulnerabilities Snyk tracks
  • In 2018 alone, 500 vulnerabilities were disclosed by Snyk’s proprietary dedicated research team

Maven Central packages double; a quarter of a million new packages indexed in npm

We’ve seen big technology players doubling down on open source in 2018. In every registry we reviewed, across every language ecosystem, open source libraries were being indexed at an increasing rate. This is to be expected, but the rate of growth may come as a surprise to many.

All but one ecosystem shows double-digit growth in new libraries added to open source registries: Maven Central leads with a strong growth of 102%, followed by PyPI with 40%, npm with 37%, NuGet with 26% and lastly RubyGems with 5.6% growth of newly indexed packages in the registries.

We may see further growth in numbers from 2018 due to undisclosed vulnerabilities that will only be publicized later this year, further amplifying the direction of this trend.

Total packages indexed per ecosystem


Use of open source is accelerating. In 2018, Java packages doubled, and npm added roughly 250,000 new packages

In 2018, The Linux Foundation reported that open source contributors have committed over 31 billion lines of code to date. However, with great adoption comes great responsibility and risk that need to be mitigated by anyone who owns, maintains or uses this code. In 2017 the CVE list reported more than 14,000 vulnerabilities, breaking the record for the most CVEs reported in a single year. 2018 continued the record-breaking streak with over 16,000 vulnerabilities reported.

We can see how open source package growth translates into user adoption when looking at the download numbers for various packages in different ecosystems.

Looking at the Python registry, PyPI boasts more than 14 billion downloads during 2018, doubling the count of approximately 6.3 billion downloads in our 2017 report.

Open source software consumption is also taking huge leaps forward. Twice as many Python packages were downloaded from PyPI, and a staggering 317 billion JavaScript packages from npm

The spike in download count mid-year is due to a fault in linehaul, the statistics gathering service for PyPI, which missed recording about half of the downloads up until around August. The missing downloads presumably add up to more than the recorded 14 billion downloads of 2018.

Number of PyPI packages downloaded in 2018

The npm registry is core to the entire JavaScript ecosystem. Over the years it has seen steady growth in both the number of packages added and the number of packages downloaded. It featured more than 30 billion downloads just for the single month of December 2018, and an incredible 317 billion downloads for the entire year of 2018.

As package counts grow, so do their vulnerabilities. A record setting 16,000 new vulnerabilities were disclosed in 2018

The increased adoption of Docker containers further amplifies the strong growth of open source software. Docker Inc, the de-facto library and community for container images, reports more than 1 billion container downloads every 2 weeks over the last year, and about 50 billion to date, with more than 1 million new applications added into Docker Hub over the last year alone.

Number of npm packages downloaded in 2018


About this report

To better understand the open source security landscape, and what we can all do to make it better, we gathered information from a number of public and private data sources including the following:

  • A survey created and distributed by Snyk that was completed by over 500 open source maintainers and users.
  • Internal data from the Snyk vulnerability database, as well as hundreds of thousands of projects monitored and protected by Snyk.
  • Research taken from external sources published by various vendors.
  • Data gathered by scanning millions of GitHub repositories and packages on public registries.