Open Source Package Ecosystem

Growth, Costs, and Security Challenges

Data compiled January 2025 • PyPI, npm, Crates.io, RubyGems, Maven Central

Explosive Ecosystem Growth

Package registries have grown exponentially, with npm now hosting 2M+ packages

  • PyPI Packages: 717K (Python)
  • npm Packages: 2M+ (JavaScript)
  • Crates: 210K (Rust)
  • RubyGems: 190K (Ruby)
  • Maven Artifacts: 658K (Java/JVM)

[Chart: Package Count Growth (2015-2025); series: npm, PyPI, Maven, Crates, RubyGems]

[Chart: Monthly Downloads (Billions)]

[Chart: Monthly Bandwidth (Petabytes)]

💡 Key Insight

PyPI alone serves 747 petabytes annually at a sustained rate of 189 Gbps. That's equivalent to streaming 62 million hours of HD video per month. npm handles 184 billion downloads monthly from its 2M+ packages.

The Infrastructure Reality

Running a package registry costs millions monthly—most rely on donated infrastructure

  • PyPI CDN Value: $1.8M+ monthly (Fastly donation)
  • RubyGems Total: $500K monthly operations
  • Total Staff: ~25 across all registries
  • Requests/Staff: 40B+ per staff member monthly

[Chart: Monthly Cost Breakdown by Registry ($K); series: CDN (Fastly donated), CDN (commercial), Cloud Storage, Compute, Staff]

Infrastructure Dependencies

  • Fastly (CDN): PyPI, RubyGems, Crates.io, Rust; $3M+/mo
  • AWS (Compute): PyPI, Crates.io; $100K+/mo
  • Google Cloud (Storage): PyPI; $10K/mo
  • Microsoft/GitHub (Full Stack): npm; cost absorbed

Staff per Registry

  • PyPI: 5 staff; Fastly 100% in-kind
  • RubyGems: 3 staff; $500K/month total
  • Crates: 3 staff; AWS/Fastly donated
  • npm: 10 staff; GitHub/Microsoft
  • Maven: 5 staff; Sonatype managed

[Chart: Foundation Annual Budgets vs. Rising Operational Costs (2020-2024); series: PSF Revenue, Ruby Central Revenue, Rust Foundation Budget, Estimated Infra Costs (if paid)]

Foundation budgets grow modestly while infrastructure costs (shown as dashed lines) scale with traffic.

[Chart: The Funding Gap: Budget vs Donated Infrastructure]

Foundation budgets (blue) vs. donated Fastly CDN credits (green) + other infra (yellow).

Foundation Budget Breakdown (2023-2024)

  • Python Software Foundation (2023): Revenue $4.4M | Expenses $4.5M; PyCon: $1.8M, Grants: $677K
  • Ruby Central (2024): Revenue $3.1M | Expenses $2.9M; 10x growth since 2020
  • Rust Foundation (2024): Budget ~$1.9M | Grants $400K+; 5 Platinum members
  • OpenJS Foundation (2023): €875K grant from Sovereign Tech Fund; npm ecosystem support

⚠️ The Sustainability Crisis

Package registries serve trillions of requests annually with teams of just 5-10 people. Without donations from Fastly, AWS, and Google Cloud worth $50M+ annually, the open source ecosystem would collapse. Maven Central now implements rate limiting because 83% of bandwidth comes from just 1% of IPs.

The Security Arms Race

Malware growth outpaces security investment—registries are playing catch-up

  • Malicious Packages: 845K+ detected since 2019 (↑ 156% YoY)
  • npm Malware Share: 98.5% of all detected
  • Median Removal: 39h to remove malware
  • 2FA Adoption: 80%+ of PyPI users (mandated)

[Chart: Cumulative Malicious Packages Detected]

[Chart: Security Feature Adoption (%)]

Major Supply Chain Incidents

  • SolarWinds (2020): 18,000+ customers affected via Orion updates
  • Log4Shell (2021): CVSS 10.0, hundreds of millions of devices
  • ua-parser-js (2022): Crypto miners in popular npm package
  • AI chatbot malware (2023): 1,700+ downloads across 30+ countries
  • XZ Utils (2024): Backdoor in Linux compression utility
  • Shai-Hulud (2025): First npm worm, 500+ packages infected

Trusted Publishing Adoption (PyPI)

Trusted Publishing eliminates long-lived API tokens: the CI/CD provider issues a short-lived OIDC identity token for the workflow run, and PyPI exchanges it for a publish token scoped to the project. Adoption grew from 10% to 45,000 projects in under a year.

🚨 The Security Reality

Malicious packages increased 156% in 2024 alone—that's 1,400+ new malicious packages published daily. npm accounts for 98.5% of all detected malware. Despite mandatory 2FA and Trusted Publishing, the median time to remove malware is still 39 hours. The first self-replicating worm (Shai-Hulud) infected 500+ npm packages in 2025.

OpenSSF Security Maturity Assessment

Based on OpenSSF Principles for Package Repository Security framework. Tracks: Authentication, Authorization, General Capabilities, CLI Tooling. Levels 0-3 (higher = more mature).

Scale: 0 = None, 1 = Basic, 2 = Moderate, 3 = Advanced

Registry        Authentication  Authorization  General Capabilities  CLI Tooling  Overall
PyPI            3               2              2                     2            2.3
npm             3               2              2                     2            2.3
RubyGems        2               2              2                     1            1.8
Crates.io       2               2              2                     2            2.0
Maven Central   1               2              2                     3            2.0

[Chart: Security Maturity by Track; how each registry scores on OpenSSF's four security tracks (0-3 scale)]

What Each Level Requires

  • Level 0 (None): No security requirements implemented
  • Level 1 (Basic): MFA support, security reporting, basic account recovery
  • Level 2 (Moderate): MFA for critical packages, vulnerability warnings, namespace protection
  • Level 3 (Advanced): MFA required for all, build provenance, OIDC Trusted Publishing, SLSA attestations

📊 OpenSSF Gap Analysis

Most registries cluster around Level 2 (Moderate), but none have achieved consistent Level 3 across all tracks. PyPI leads in Authentication (mandatory 2FA + Trusted Publishing), while Maven excels in CLI Tooling (GPG signing requirement). The biggest gap across all registries is General Capabilities—particularly real-time malware detection and build reproducibility verification. Reaching Level 3 across all tracks would require the unfunded security work detailed in the Hidden Gaps tab.

The Growing Gap

Resources aren't keeping pace with growth, attacks, or expectations

The Gap in Numbers

  • 156%: YoY malware growth
  • 85%: 5-10 staff for trillion+ requests
  • 39h: Median malware removal
  • 20%: Only 20% have full visibility
  • 80%: Deps remain un-upgraded

10-Year Comparison

Metric                           2015        2025                   Change
Total Packages (all registries)  ~400K       ~4M                    +900%
Monthly Downloads (PyPI)         ~500M       83.6B                  +16,620%
Monthly Bandwidth (PyPI)         ~5 PB       62 PB                  +1,140%
Registry Staff (all)             ~10         ~25                    +150%
Malicious Packages/Year          ~100        ~300K                  +299,900%
Security Features Required       1 (email)   6+ (2FA, SBOM, etc.)   +500%

The Bottom Line

Package registries are critical infrastructure serving trillions of requests with teams smaller than a typical startup. Growth has been 10-100x while staffing increased only 2.5x.

Meanwhile, security expectations have shifted from "nice to have" to government mandates. Without significant investment, we're building trillion-dollar businesses on infrastructure held together by donations and goodwill.

Key Questions for the Community

  1. How do we sustainably fund registry infrastructure?
  2. Should security be opt-in or mandatory?
  3. Who bears the cost of compliance (SBOM, attestation)?
  4. Can we achieve sub-1-hour malware removal?
  5. What happens when donations end?

The Hidden Gaps

What doesn't show up in the numbers: volunteer labor, grant-dependent security, and unfunded work

Unpaid Maintainers
  • Unpaid Maintainers: 60% receive zero compensation
  • Economic Value: $8.8T demand-side (Harvard)
  • Security Funding: ~$4M in Alpha-Omega grants (not recurring)
  • Burnout Rate: 60% have quit or considered it

Who Actually Funds Registry Security Work?

Almost all security work in non-profit registries is funded by Alpha-Omega and Sovereign Tech Fund grants—not foundation operating budgets. These are time-limited grants, not recurring revenue.

Alpha-Omega Security Grants (2023-2025)

⚠️ Time-limited grants, not guaranteed to renew

  • PyPI / PSF: Security Developer in Residence (Seth Larson); $1.3M+; Sigstore, SBOMs, audits
  • Ruby Central: Security Engineer in Residence; $950K; Trusted Publishing, signing
  • Rust Foundation: crates.io security initiatives; $911K; malware scanning, provenance
  • OpenJS Foundation: JavaScript ecosystem security; $580K; Node.js hardening

Sovereign Tech Fund Grants

⚠️ One-time government investments

  • OpenJS Foundation: Infrastructure & security policies; €875K; concluded 2024
  • PyPI / Python: Package registry security; €1.06M; time-limited
  • RubyGems & Bundler: Registry improvements; €668K; time-limited

The Volunteer Labor Subsidy

Open source has $8.8 trillion in economic value but only $4.2 billion in labor costs, because 60% of maintainers are unpaid volunteers.

Maintainer Reality (Tidelift 2024)

  • 60%: Unpaid hobbyist maintainers
  • 60%: Have quit or considered quitting
  • 7M / 11.8M: Projects with a single maintainer
  • 3x: More time spent on security vs. a few years ago

Security Work NOT Getting Done

Critical security capabilities that registries want but can't fund

Security Capability                Status            Barrier                                       Est. Cost
24/7 Malware Detection (ML/AI)     ❌ Not funded     Requires ML ops team, continuous monitoring   $500K-2M/yr
24/7 Incident Response Team        ❌ Not funded     No registry has documented on-call rotation   $300K-500K/yr
Recurring Security Audits          ⚠️ One-time only  Grant-funded audits don't recur               $50K-300K/audit
Full Build Provenance              ⚠️ Partial        Only ~5% adoption on PyPI                     $100K-500K
Reproducible Builds Verification   ❌ Not funded     Requires rebuild infrastructure               $200K+
Additional Security Staff          ❌ Not funded     Can't compete with tech salaries              $150K-250K/FTE

🚨 The Precarious Reality

Security work at PyPI, RubyGems, and crates.io is almost entirely funded by Alpha-Omega and Sovereign Tech Fund grants, not by foundation operating budgets. These are time-limited grants that could end at any time. Meanwhile, 60% of maintainers are unpaid volunteers contributing to an ecosystem worth $8.8 trillion. The gap between what's needed and what's funded grows wider every year.

What Happens When the Grants End?

Alpha-Omega and Sovereign Tech Fund grants have funded Security Developer in Residence positions, security audits, and Trusted Publishing implementations. But these are not permanent funding.

When grants expire, registries face impossible choices: absorb costs they can't afford, let security staff go, or stop security work entirely.

Grant Dependency Risk

  • PyPI Security Dev in Residence: Grant-funded since 2023
  • RubyGems Security Engineer: Grant-funded since 2024
  • STF grants to OpenJS: Already concluded (2024)
  • No registry has a sustainable security funding model