The Linux Foundation's Core Infrastructure Initiative (CII) Census Program II report, released earlier this year, identified the free and open source software (FOSS) components most commonly used in production applications. The aim was to understand where vulnerabilities in these widely deployed components would have the greatest impact and to better secure the open source software supply chain.
The report's ten most commonly used FOSS packages, all of them JavaScript packages distributed through npm, are:
- async — A utility module which provides straightforward, powerful functions for working with asynchronous JavaScript.
- inherits — Browser-friendly inheritance fully compatible with standard node.js inherits.
- isarray — Array#isArray for older browsers and deprecated Node.js versions.
- kind-of — Get the native JavaScript type of a value.
- lodash — A modern JavaScript utility library delivering modularity, performance and extras.
- minimist — Parse argument options.
- natives — Access Node.js's native (core) JavaScript modules from userland.
- qs — A querystring parsing and stringifying library with some added security.
- readable-stream — Node.js core streams for userland.
- string_decoder — Node-core string_decoder for userland.
Additionally, the report identified the following "lessons learned" from the project, which the researchers believe warrant further exploration and consideration:
- The need for a standardized naming schema for software components
- The increasing importance of individual developer account security
- The persistence of legacy software in open source