Census II Report Details Critical Open Source Packages

Free and open source software (FOSS) is a foundation of the modern global economy, and ensuring the security of FOSS is vital the future of nearly all industries, according to the recent Census II report investigating the use of open source.

Understanding the overall health, value, and security of FOSS is difficult “because it is produced in a decentralized and distributed manner. This distributed development approach makes it unclear how much FOSS, and precisely what FOSS projects, are most widely used,” the report states.

The Census II report, however, aims to help identify critical FOSS packages in order to better allocate resources and address security issues. The report includes eight lists detailing the top 500 npm and non-npm packages by various criteria.


In addition to these detailed package lists, the report describes other challenges relating to the security and maintenance of open source software, specifically: 

  • The need for a standardized naming schema for software components. 
  • The complexities associated with package versions. 
  • Much of the most widely used FOSS is developed by only a handful of contributors.
  • The increasing importance of individual developer account security. 
  • The persistence of legacy software in the open source space.

In terms of contributions from only a few developers, the study found that in 49 of the top 50 non-npm projects in 2021:

  • 23% of projects had one developer accounting for more than 80% of the lines of code added.
  • 94% of projects had fewer than 10 developers accounting for more than 90% of the lines of code added. 

“These findings are counter to the typically held belief that thousands or millions of developers are responsible for developing and maintaining FOSS projects,” the report says.

See the full report for the detailed lists of top packages and other information.