The Core Infrastructure Initiative's Census II report, released earlier this year, identified the FOSS components most commonly used in production applications, with the goal of finding and addressing vulnerabilities in those components and better securing the open source software supply chain.
The report's list of the 10 most commonly used FOSS packages includes the following (note that every package listed here is an npm/JavaScript package):
- inherits — Browser-friendly inheritance fully compatible with standard node.js inherits.
- isarray — Array#isArray for older browsers and deprecated Node.js versions.
- minimist — Parse argument options.
- qs — A querystring parsing and stringifying library with some added security.
- readable-stream — Node.js core streams for userland.
- string_decoder — Node-core string_decoder for userland.
Additionally, the report identified the following "lessons learned" from the project, which the researchers believe warrant further exploration:
- The need for a standardized naming schema for software components
- The increasing importance of individual developer account security
- The persistence of legacy software in open source