A new report by Mend.io found the top three most reliable packages for npm, Maven, and PyPi.
The top packages for each are:
Npm:
- prettier-eslint
- np
- Jest-cli
Maven:
- org.apache.maven.scm:maven-scm-provider-gitexe
- com.github.ekryd.sortpom:sortpom-maven-plugin
- Org.apache.maven.plugins:maven-release-plugin
PyPi:
- Pulumi
- Botocore-stubs
- types-python-dateutil
The report examined data from Renovate, the company’s automated dependency management tool that leverages crowd-sourced data on over 25 million dependency updates.
The packages were then ranked based on non-grouped (individual) updates and grouped updates which were analyzed separately, only minor updates were included and sourced from reliable repos.
“The Leaderboard helps shift the AppSec view from detection to prevention, a valuable perspective for reducing the risk imposed by our increasingly vulnerable software supply chain,” said Rhys Arkins, vice president of product management at Mend.io. “Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are.”