Open Source Upgrades: 95% Break Stuff, 75% of Patches Do Too, Says Endor Labs Report

95% of open source software upgrades have breaking changes, causing other components to fail, according to Endor Labs. Patches fare slightly better with a 75% chance. Prioritizing vulnerabilities for patching is tough, but techniques like function-level reachability analysis can significantly reduce the noise.

3P
Published: September 12, 2024 9:07 amAdded: September 12, 2024 at 2:52 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Welcome to the world of open source software, where breaking changes and delays are the new norm! It’s like trying to fix a leaky boat while sailing through a storm of vulnerabilities, and oh, did we mention someone forgot to bring the duct tape?

Key Points:

  • 95% of open source software version upgrades contain at least one breaking change.
  • Patches have a 75% chance of causing a break.
  • 24% of vulnerable components require a major version update.
  • 69% of security advisories are published after the corresponding security release, with a median delay of 25 days.
  • Less than 9.5% of vulnerabilities are exploitable at the function level.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?