The Linux Foundation and Harvard’s Lab for Innovation Science have teamed up to educate developers and security professionals on what the most widely used open-source application libraries are.

The report, Census II, is a follow-up to Census I, which was conducted in 2015 to identify the packages in Debian Linux that were most critical to the operation and security of the kernel. According to the Linux Foundation, Census II allows for a more “complete picture of free and open source (FOSS) adoption.”

“Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support,” said Brian Behlendorf, executive director at Linux Foundation’s Open Source Security Foundation (OpenSSF). “Open source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces. Census II provides the foundational detail we need to support the world’s most critical and valuable infrastructure.” 

As a result of the research, the Linux Foundation identified five findings crucial to the future health of open-source software:

  1. A standardized naming schema is needed for components
  2. Package versions often include a number of associated complexities
  3. The most widely used open source software is developed by a handful of contributors
  4. Individual developer account security is becoming more and more important
  5. Legacy software persists in the open source ecosystem

Data explored in the report includes both the top 500 npm packages and top 500 non-npm packages. These are also split into versioned and version-agnostic, and direct and indirect packages.

For example, the top 10 version-agnostic packages available through npm are lodash, react, axios, debug, @babel/core, express, semver, uuid, react-dom, and jquery. 

View the report for the full list of libraries.