www.linuxfoundation.org | www.openssf.org | lish.harvard.edu
Census II of Free and
Open Source Software —
Application Libraries
January 2022
The Linux Foundation and The Laboratory for Innovation Science at Harvard
Frank Nagle, Harvard Business School
James Dana, Harvard Business School
Jennifer Hoffman, Laboratory for Innovation Science at Harvard
Steven Randazzo, Laboratory for Innovation Science at Harvard
Yanuo Zhou, Harvard Business School
Contents
Acknowledgments
Executive Summary
I. Introduction
II. Context
III. Goals of Census II
IV. Spurring Action
V. Methods
VI. Results
VII. Lessons Learned
VIII. Conclusion
Appendix A: Top 500 npm, Direct, Version Agnostic Packages
Appendix B: Top 500 Non-npm, Direct, Version Agnostic Packages
Appendix C: Top 500 npm, Indirect & Direct, Version Agnostic Packages
Appendix D: Top 500 Non-npm, Indirect & Direct, Version Agnostic Packages
Appendix E: Top 500 npm, Direct, Versioned Packages
Appendix F: Top 500 Non-npm, Direct, Versioned Packages
Appendix G: Top 500 npm, Indirect & Direct, Versioned Packages
Appendix H: Top 500 Non-npm, Indirect & Direct, Versioned Packages
CENSUS II OF FREE AND OPEN SOURCE SOFTWARE — APPLICATION LIBRARIES
THE LINUX FOUNDATION & THE LABORATORY FOR INNOVATION SCIENCE AT HARVARD
Acknowledgments
This report and the research behind it would not have been possible
without support from Linux Foundation’s Open Source Security
Foundation (OpenSSF), the leadership of Linux Foundation's Jim
Zemlin, and Harvard Business School’s Karim Lakhani. We greatly
appreciate the efforts of Jessica Wilkerson, who contributed heavily
to the preliminary report released in 2020. We also appreciate
feedback from Josh Corman, Steve Lipner, Audris Mockus, Henning
Piezunka, and Sam Ransbotham on the preliminary version of this
report and from Manuel Hoffman on the final version. Gratitude
and thanks to Hilary Carter, Michael Dolan, David A. Wheeler, and
Kate Stewart at the Linux Foundation for their ongoing contribution
and commitment to this undertaking. Finally, we thank our SCA data
partners Snyk, the Synopsys Cybersecurity Research Center (CyRC),
and FOSSA, without whom this report would not be possible.
Executive Summary
Free and Open Source Software (FOSS) has become a critical part of
the modern economy. There are tens of millions of FOSS projects,
many of which are built into software and products we use every
day. However, it is difficult to fully understand the health, economic
value, and security of FOSS because it is produced in a decentralized
and distributed manner. This distributed development approach
makes it unclear how much FOSS, and precisely what FOSS projects,
are most widely used. This lack of understanding is a critical
problem faced by those who want to help enhance the security of
FOSS (e.g., companies, governments, individuals), yet do not know
what projects to start with. This problem has garnered widespread
attention with the Heartbleed and Log4Shell vulnerabilities that
resulted in the susceptibility of hundreds of millions of devices to
exploitation.
This report, Census II, is the second investigation into the widespread
use of FOSS. It aggregates data from over half a million
observations of FOSS libraries used in production applications at
thousands of companies and aims to shed light on the most
commonly used FOSS packages at the application library level.
This effort builds on the Census I report that focused on the lower-level
critical operating system libraries and utilities, improving our
understanding of the FOSS packages that software applications
rely on. Such insights will help to identify critical FOSS packages to
allow for resource prioritization to address security issues in this
widely used software.
The Census II effort utilizes data from partner Software Composition
Analysis (SCA) companies including Snyk, the Synopsys Cybersecurity
Research Center (CyRC), and FOSSA, which partnered with Harvard
to advance the state of open source research. Our goal is to not only
identify the most widely used FOSS, but to also provide an example
of how the distributed nature of FOSS requires a multi-party effort
to fully understand the value and security of the FOSS ecosystem.
Only through data-sharing, coordination, and investment will the
value of this critical component of the digital economy be preserved
for generations to come.
In addition to the detailed results on FOSS usage provided in the
report, we identified five high-level findings: 1) the need for a
standardized naming schema for software components, 2) the
complexities associated with package versions, 3) much of the
most widely used FOSS is developed by only a handful of contributors,
4) the increasing importance of individual developer account
security, and 5) the persistence of legacy software in the open
source space.
I. Introduction
1 https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html
2 https://www.wired.com/2016/08/open-source-won-now/?GuidesLearnMore
3 https://www.linuxfoundation.org/uncategorized/2018/08/corporate-open-source-programs-are-on-the-rise-as-shared-software-development-becomes-mainstream-for-businesses
4 https://www.coreinfrastructure.org
5 https://openssf.org/
6 https://www.coreinfrastructure.org/programs/census-project
7 The project did use data on how popular a package was, but this was limited to installations tracked by the Debian Linux distribution and did not cast a wider net due to limited scope.
Free and Open Source Software (FOSS) has become a critical
part of the modern economy. It has been estimated that up to
98% of codebases include FOSS [1] and that software is an increasingly
vital resource in nearly all industries. This heavy reliance
on FOSS is common in both the public and private sectors, [2] and
among tech and non-tech companies alike. [3] Therefore, ensuring
the health and security of FOSS is vital to the future of nearly
all industries in the modern economy. This has become more
evident after recent vulnerabilities identified in widely used
FOSS like OpenSSL (the open source command line tools and
libraries widely used for secure communications over computer
networks), and log4j (the Java-based logging utility from the
Apache Software Foundation).
However, it is difficult to fully understand the health and security
of FOSS because 1) FOSS is produced in a decentralized and
distributed manner so there is no central authority to ensure
quality and maintenance of all FOSS, and 2) because FOSS can
be freely copied and modified, it is unclear how much FOSS, and
precisely what FOSS projects, are most widely used. Therefore, to
ensure the future health and security of the FOSS ecosystem, it is
critical to understand what FOSS is being used, and how well it is
supported and maintained.
In 2014, the Linux Foundation founded the Core Infrastructure
Initiative (CII) where its members provided funding and support
for FOSS projects critical to the global information infrastructure.
The CII aimed to aggregate support from technology organizations
and direct the support to underfunded — but critical — FOSS
projects to help ensure the health of the FOSS ecosystem. [4] The
goal was to improve security through mechanisms such as paying
the maintainers to improve the security posture in critical projects
at the operating system and system utility layers, as well as
efforts to identify critical projects and security best practices. To
bring wider representation from the software community and a
broader mission to fruition, in mid-2020, the Open Source Security
Foundation (OpenSSF) was created, [5] and many of the remaining CII
efforts were folded into the OpenSSF.
In 2015, CII conducted the Census Project (“Census I”) to identify
which software packages in the Debian Linux distribution were the
most critical to the kernel’s operation and security. [6] Due to limited
time and data availability, the Census I project focused on examining
the Linux kernel distribution packages (the “operating system
and libraries” level in Figure 1) including their popularity, instead of
delving deeply into which software was used as a component of
production applications. [7]
Therefore, in mid-2018, the Linux Foundation partnered with the
Laboratory for Innovation Science at Harvard University (LISH),
with the goal of conducting a second census to identify and
measure which open source software is most widely deployed
within applications by private and public organizations (the “application
libraries level” in Figure 1). This Census II allows for a more
complete picture of FOSS usage by analyzing usage data provided
by partner Software Composition Analysis (SCA) companies based
on their scans of software codebases at thousands of companies.
In early 2020, this joint effort led to the release of a preliminary
report, [8] the focus of which was to create baseline high-level
findings and provide a sample of some of the most widely
used FOSS packages. This final report builds upon the preliminary
report, with the key difference being that the results of our
analysis are provided in much greater detail and with a richer
dataset. While the preliminary report provided only two
unranked Top Ten lists of the most widely used FOSS, at the
package level only, this report provides eight rank-ordered
Top 500 lists that go into much greater depth. In particular,
half of these eight lists are at the FOSS
package/version level, allowing for a much deeper understanding
of FOSS usage. These results are based on the analysis of over
half a million observations of FOSS used in applications examined
by the SCA data partners in 2020. These results complement
other efforts to better understand the role of FOSS in the modern
economy, like the Harvard/Linux Foundation Report on the 2020
FOSS Contributor Survey and the Linux Foundation Software Bill of
Materials (SBOM) and Cybersecurity Readiness Report.
8 https://www.coreinfrastructure.org/programs/census-program-ii
In alignment with the ever-evolving nature of the FOSS ecosystem,
we view the findings of this second census as a precursor to
more exhaustive studies to come in our ongoing efforts to better
understand these critical pillars in our information infrastructure.
Operating under data constraints, the findings of this report
cannot — and do not purport to — be a definitive claim of which
FOSS packages are the most critical. They instead represent our
best estimate of which FOSS packages are the most widely used
by different applications, given the limits of time and the broad,
but not exhaustive, data we have aggregated. This report does
not attempt to identify, for example, which packages are used by
the most widely used applications or which packages are most
important for the continued operation of critical infrastructure.
Nor does it reflect the contribution of the operating systems or
system utilities the applications run on, or the tooling used to
create the applications.
FIGURE 1: THE TECHNOLOGY STACK (layers shown in the figure: Custom Applications; Application Libraries; Operating System and Libraries; Development Tools; Management and Distribution Tools)
Further, note that this report focuses on identifying the most
widely used software within its scope; it does not try to measure
the risk profiles of that software. There are many indicators that
could be used to suggest risk and different organizations may
weight factors differently. For example, a potential user might be
more concerned if a project has only a single maintainer, is very
large (e.g., in terms of lines of code), is written in a memory-unsafe
language, has had no merges or other activity within the last
few years even though it has non-trivial size, does not use tools
to identify potential vulnerabilities in its code, has no OpenSSF
best practices badge, does not meet many OpenSSF Scorecards
measures, has publicly known vulnerabilities, has required dependencies
with publicly known vulnerabilities, and when run is
usually directly accessible to the Internet by anyone. However,
measuring risk profiles is a separable task, and it’s easier to do it
once the most widely used software is identified. As a small aid,
we do indicate which of these projects are working on an OpenSSF
best practices badge, and if they are, we indicate their score.
9 https://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
10 https://time.com/3148773/report-devastating-heartbleed-flaw-was-used-in-hospital-hack
11 https://www.washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java
12 https://www.zdnet.com/article/ftc-to-pursue-companies-that-expose-customer-data-due-to-not-patching-log4j
13 Often referred to as Linus’s Law, named after the creator of Linux, the maxim was formalized by Eric Raymond in his book The Cathedral and the Bazaar (1999).
II. Context
The increasing importance of FOSS throughout the economy
became critically apparent in 2014 when the Heartbleed security
bug in the OpenSSL cryptography library was discovered. By
some estimates, the bug, which was introduced into the OpenSSL
codebase nearly three years earlier, impacted almost 20% of
secure web servers on the Internet (almost half a million servers
at that time). [9] The vulnerability allowed attackers to obtain access
to user passwords and session cookies, essentially rendering ineffective
the very security that OpenSSL was built to ensure. Among
other outcomes, the Heartbleed vulnerability allowed the theft of
4.5 million medical records from a large hospital chain. [10]
More recently, in December 2021, the Log4Shell vulnerability in
the log4j logging package was identified and described as “the
most serious vulnerability I’ve seen in my decades-long career”
by Jen Easterly, the director of the United States Department
of Homeland Security (DHS) Cybersecurity and Infrastructure
Security Agency (CISA). [11] It is estimated that the bug, which
was introduced into the code as early as 2013, may affect tens
or hundreds of millions of devices. The vulnerability was so
concerning that the U.S. Federal Trade Commission (FTC) stated
that it would use its full authority against any companies that did
not patch the vulnerability and lost customer data as a result. [12]
Operating under the maxim that “with many eyeballs, all bugs are
shallow,” [13] many FOSS projects have been able to obtain greater
levels of security. Unfortunately, while FOSS licenses allow many
to review software for vulnerabilities and repair them, not all
FOSS projects are regularly reviewed at this level. Vulnerabilities
in other widely used projects with smaller maintainer bases, like
OpenSSL when Heartbleed was found, can slip by unnoticed.
Due to Heartbleed, Log4Shell, and other security issues in FOSS,
governmental bodies around the globe have begun to take an
expanded interest in the role of FOSS as a type of critical infrastructure
that underpins the modern economy. For example, in 2014,
the European Commission put into place a FOSS Strategy, [14] and a
few years later it started sponsoring FOSS auditing by setting up
bug bounty programs, hackathons, and conferences. [15] However,
most regions around the world have been slow to enact similar
strategies, [16] leaving much of the responsibility to individuals and
businesses, [17] until very recently when the White House National
Security Council gathered companies and organizations to discuss
the matter and what could be done. [18]
Compounding the problem is the fact that FOSS is often built
into other software and hardware, but precisely what FOSS is
being used is not always made clear. As a result, in April 2018, the
leaders of the U.S. Congress House of Representatives Energy
and Commerce Committee sent a letter to the Linux Foundation,
acknowledging the critical importance of FOSS and exploring the
opportunities and challenges related to FOSS, with a particular
focus on how sustainable and stable the FOSS ecosystem is. [19] Such
concerns have led to various organizations and even governments
pushing for deeper insights into the software building blocks
used to make various packages and devices via a software bill of
materials (SBOM). For example, one U.S.-based working group
is dedicated to examining the use of FOSS in medical devices. [20]
Further, a May 2021 U.S. Executive Order directed the U.S. National
Institute for Standards and Technology (NIST) to provide guidance
for companies on providing an SBOM to their customers. [21] The
U.S. is not the only country or government entity taking action on
this; others have begun developing reports and guidance for what
an SBOM would look like in their country, including Japan, [22] the
European Union, [23] China, [24] and The Netherlands. [25]
14 https://ec.europa.eu/info/departments/informatics/open-source-software-strategy_en
15 https://ec.europa.eu/info/departments/informatics/eu-fossa-2_en
16 https://www.brookings.edu/research/digital-infrastructure-is-more-than-just-broadband-what-the-u-s-can-learn-from-europes-open-source-technology-policy-study/
17 https://hbr.org/2021/09/the-digital-economy-runs-on-open-source-heres-how-to-protect-it
18 https://www.cnn.com/2021/12/23/politics/white-house-log4j-tech-firms-meeting/index.html
19 https://web.archive.org/web/20180422034612/https://energycommerce.house.gov/wp-content/uploads/2018/04/040218-Linux-Evaluation-of-OSS-Ecosystem.pdf
20 https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/
21 https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity
22 https://www.meti.go.jp/english/press/2021/0421_003.html
23 https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
24 https://www.openchainproject.org/featured/2021/10/28/caict-certifier and https://www.openchainproject.org/news/2022/01/10/iscas-certifier
25 https://english.ncsc.nl/binaries/ncsc-en/documents/publications/2021/february/4/using-the-software-bill-of-materials-for-enhancing-cybersecurity/Final+Report+SBoM+for+Cybersecurity+v1.0.pdf
III. Goals of Census II
26 https://www.reuters.com/world/china/fridges-microwaves-fall-prey-global-chip-shortage-2021-03-29/
27 https://chaoss.community
28 https://facade-oss.org
29 https://ostif.org
Similar to physical infrastructure, the critical components of the
Internet and modern computing may not always be the most
remarkable or the most visible. For example, in recent years, it
has become more apparent how critical computer chips are to
numerous industries. In particular, due to pandemic-induced
supply and demand issues, chip shortages led to manufacturing
disruptions in the automobile, cell phone, and refrigerator industries. [26]
Similarly, there may be integral FOSS projects whose
simplicity or size may belie their vital importance to the modern
economy. As such, the overarching goal is to reinforce this infrastructure
and guard against systemic vulnerabilities.
Analyzing usage data from partner Software Composition Analysis
(SCA) companies, the Census II project aims to determine the most
widely used FOSS deployed within applications by private and
public organizations. The specific goal of the Census II project is to
identify the most commonly used free and open source software
components in production applications. In concert with other
FOSS projects, like the Community Health Analytics Open Source
Software (CHAOSS) project [27] and the Facade contributor analysis
project, [28] this allows for the further examination of potential
vulnerabilities in these projects due to:
• widespread use of outdated versions;
• understaffed projects; and,
• known security vulnerabilities, among others.
Finally, this information can be used to prioritize investments and
resources to support the security and health of FOSS, such as the
efforts of OpenSSF and the Open Source Technology Improvement
Fund (OSTIF). [29]
IV. Spurring Action
30 https://www.linuxfoundation.org/press-release/new-open-source-contributor-report-from-linux-foundation-and-harvard-identifies-motivations-and-opportunities-for-improving-software-security
The motivation behind publishing these findings is to not only
inform, but also to inspire action by developers to improve
their security practices and by end users to support the FOSS
ecosystem and developers who need assistance. While there are
many ways to actively support the critical software infrastructure
that underpins the world’s complex information systems, we offer
a few recommendations for unifying action.
Data sharing
In order to tackle a problem, one must first know what may be
affected and how. As mentioned above, there is far too little
data on actual FOSS usage. Although public data on package
downloads, code changes, and known security vulnerabilities
abound, the view on where and how FOSS packages are being
used remains opaque. For example, download counts are often
misleading because a package may be downloaded millions
of times by test processes (once for each test), while a single
download may be used to generate an application deployed to
billions of devices. Private usage data contributed by partner
SCAs and other companies to the Census II project provide a
clearer view of which FOSS projects developers build into proprietary
software. Additionally, this data enables researchers to
trace the dependencies and determine some of the most fundamental
— though perhaps, not the best funded — projects upon
which many packages still rely. The insights we can glean from
our census efforts will only reach as far as the data sets that
FOSS stakeholders — private companies and organizations —
share with us. The most critical need for our efforts to support
the health and security of the FOSS ecosystem is shared usage
data from companies that partner with CII and OpenSSF.
However, usage data only tells one side of the story. The digital
infrastructure of FOSS — upon which so much of the economy
rests — was built piece by piece, line by line by diligent community
contributors. Capturing the contexts in which these developers
contribute and the motivations that drive them will help shape
more effective interventions and outcomes. In that vein, we
launched the “FOSS Contributor Survey” in March 2020, polling
contributors to gain new insights on incentives, motivators, and
trends that were driving open source development over time. Key
insights from the resulting report published in December 2020
include finding that:
• the top three motivations for contributors are non-monetary,
• there is a clear need to dedicate more effort to the security
of FOSS, and
• the burden of security shouldn’t fall solely on contributors. [30]
Coordination
Beyond resting on a solid foundation of data, calls to
action must coordinate efforts across the whole FOSS ecosystem.
Standardizing terminology and sharing best practices enable
the community to build upon previous successes and accelerate
progress. Perhaps the largest stumbling block to coordination in
the open source sphere is the myriad identifiers used to reference
the software itself. FOSS packages live on many different repositories,
like NuGet, Maven, GitHub, and npm to name a few. Project
names alone may not differentiate between resulting forks of
an original project or direct people to the canonical repository.
Listing which repository holds the original version of that project
(for example, left-pad/npm) can reduce some of the potential
confusion. However, identifying a project by the URLs of the
repository (location of source code) and the project website (with
updated community information and documentation) may be
the best solution to ensure clarity. Even if some FOSS projects
do not have a public repository and — of course — projects can
move, linking these two URLs as project identifiers will distinguish
components more efficiently.
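The three ways of identifying a project described above (name alone, name plus repository, and the pair of source-repository and project-website URLs), worked through as an added example that is not part of the original report. The record schema, the `.example` URLs, the sample observations and the URL normalization rules are constructed assumptions for illustration.

```python
from collections import Counter
from typing import Callable, Hashable, Iterable, NamedTuple
from urllib.parse import urlsplit


class Observation(NamedTuple):
    """One sighting of a FOSS component in a scan (hypothetical schema)."""
    name: str        # project name as written in a manifest
    repository: str  # where the package was obtained, e.g. "npm"
    repo_url: str    # location of the source code
    site_url: str    # project website


def normalize_url(url: str) -> str:
    """Collapse cosmetic differences: scheme, host case, trailing "/" and ".git".

    Assumption for this example: http and https name the same location.
    The path keeps its case because URL paths can be case-sensitive.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    if path.endswith(".git"):
        path = path[: -len(".git")]
    return host + path


def by_name(obs: Observation) -> str:
    """Identifier 1: the bare project name."""
    return obs.name.lower()


def by_name_and_repository(obs: Observation) -> str:
    """Identifier 2: name plus repository, in the report's left-pad/npm style."""
    return f"{obs.name.lower()}/{obs.repository.lower()}"


def by_urls(obs: Observation) -> tuple:
    """Identifier 3: (source repository URL, project website URL)."""
    return (normalize_url(obs.repo_url), normalize_url(obs.site_url))


def usage_counts(observations: Iterable[Observation],
                 key: Callable[[Observation], Hashable]) -> Counter:
    """Count observations per project under the chosen identifier."""
    return Counter(key(o) for o in observations)


# Constructed sample: three sightings of one project (written three
# different ways) and one sighting of a fork that kept the same name.
SAMPLE = [
    Observation("left-pad", "npm",
                "https://git.example/original/left-pad",
                "https://left-pad.example"),
    Observation("left-pad", "npm",
                "https://git.example/original/left-pad.git",
                "http://left-pad.example/"),
    Observation("Left-Pad", "GitHub",
                "https://GIT.example/original/left-pad/",
                "https://left-pad.example"),
    Observation("left-pad", "GitHub",
                "https://git.example/forker/left-pad",
                "https://forker.example/left-pad"),
]


def compare_identifiers(observations: Iterable[Observation]) -> dict:
    """Return the usage counts produced by each identification scheme."""
    observations = list(observations)
    return {
        "name": dict(usage_counts(observations, by_name)),
        "name/repository": dict(usage_counts(observations, by_name_and_repository)),
        "urls": dict(usage_counts(observations, by_urls)),
    }


if __name__ == "__main__":
    for scheme, counts in compare_identifiers(SAMPLE).items():
        print(scheme)
        for ident, n in counts.items():
            print(f"  {n}  {ident}")
```

In this sample the bare name credits the fork's usage to the original, name plus repository splits the original across two entries while still merging it with the fork under GitHub, and only the URL pair yields one entry per project.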
Accurate project identification impacts not only academia, but
the private sector as well. As cyberattacks and security breaches
increase, all companies — not just Big Tech — will need to
become more cognizant of which components comprise their
websites and applications, as well as the origins of those components.
In the United States, the federal government is currently
mandating the use of SBOMs, which will require all industries to
delineate the composition of their software systems. Proactively
adopting current standard formats, like the Software Package
Data Exchange (SPDX, ISO/IEC 5962:2021 [31]) developed by the
Linux Foundation, will put forward-thinking business leaders at an
advantage once regulations come into effect.
Investment
Like any critical infrastructure, we must invest in open source if it is
to continue to support the demands made upon it. Nadia Eghbal,
author of Roads and Bridges: The Unseen Labor Behind Our Digital
Infrastructure, outlined the many sources of financial support
available to the FOSS community on her GitHub page “Lemonade
Stand.” [32] Funding for projects comes in many different forms,
including donations, grants, and crowdfunding. Other programs,
like Linux Foundation’s Community Bridge [33] or GitHub’s Bug
Bounty [34] and Sponsors [35] programs, match open source projects
and developers with funding from private companies that rely
upon them. Since the preliminary report was released in February
2020 there has been some investment in research and infrastructure
of FOSS, with $1.3M in grants available to ensure FOSS
software and development is being done equitably, sustainably,
and responsibly and sponsored by funders, such as the Ford
Foundation and the Alfred P. Sloan Foundation, among others. [36]
Further, in August of 2021, Google pledged $10B over the next five
years to strengthen cybersecurity, with $100M to support third-party
foundations, such as OpenSSF, to help fix FOSS security
vulnerabilities. [37] While these programs represent a step in the
right direction, questions still remain. For example, without a fuller
understanding of what the most critical FOSS projects might be,
how do supporters know that sufficient funds will go to where the
need is greatest? Are those who benefit most from FOSS projects
doing their “fair share” to support the communities behind them?
31 https://www.iso.org/standard/81870.html
32 https://github.com/nayafia/lemonade-stand
33 https://communitybridge.org
34 https://bounty.github.com
35 https://github.com/sponsors
36 https://techcrunch.com/2021/03/03/1-3m-in-grants-go-towards-making-the-webs-open-source-infrastructure-more-equitable
37 https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity
38 https://www.sciencedirect.com/science/article/pii/S0963868712000340
While money has long been a contentious topic in the FOSS
community, investment encompasses more than just financial
support. In the open source world, time and talent may indeed
be the most important investments. Larger and more established
packages tend to attract more contributors [38] compared to smaller,
less visible ones — even if the latter are more heavily depended
upon in practice. Companies reliant upon FOSS packages could
benefit from supporting them, either directly (e.g., paying
employees to maintain those projects on the clock) or indirectly
(hiring contributors to those projects as employees, and letting
them work on the project in their free time). Similar to financial
resources, time and talent need to be carefully considered to
ensure that they are directed toward the most critical projects.
39 https://snyk.io
40 https://www.synopsys.com/software-integrity/cybersecurity-research-center.html
41 https://fossa.com
V. Methods
The Census II effort benefited from the contribution of private
usage data, composed of nearly 600,000 data points from SCA and
application security companies. We thank Snyk, [39] the Synopsys
Cybersecurity Research Center (CyRC), [40] and FOSSA, [41] which partnered
with Harvard to advance the state of open source research.
These partners provided anonymized 2020 data from automated
scans of production codebases used within their customers’ environments,
as well as from more thorough, labor-intensive human audits
of software codebases that they conducted.
In keeping with the spirit of the open source community, we
sought to make the methodology of this second census effort as
transparent as possible. However, in order to ensure the privacy of
our data partners and to protect any proprietary aspects of their
SCA services, some details have been obscured. Ultimately, we
strove to release all results publicly and transparently to the extent
we could, but the commitment to safeguard the sensitive aspects
of the data provided must take precedence in this report.
Data Selection
To better understand the prevalence and overall impact of FOSS
in the economy, we chose data that would best reflect actual
adoption and usage in businesses. While stars, ratings, and
download statistics indicate a package’s popularity or reputation,
these do not necessarily translate into real-world, day-to-day
use. Private usage data from SCA companies’ automated scans
and human audits from 2020 provides more insight into which
FOSS packages are being used in production codebases. Instead
of the higher-level software with which end users would have
more contact and familiarity (like Mozilla Firefox or Visual Studio
Code), SCA data focuses on application components that act as
the building blocks for other software products. This “lower level”
focus is important for research, because developers — not end
users — tend to drive the widespread adoption and integration of
FOSS projects.
Peering under the hood of the higher level packages helps us to
focus on the specific components that are often most critical.
While this data approach does not provide significant insight
into end-user facing products (like OpenSSH, for example), it
does examine components within those products. One additional
aspect to keep in mind is that this data only includes the
portions of any software stack that the SCA vendor’s customer
chose to scan. There may be additional layers of a stack that were
not chosen for scanning. For example, an application designed to
run on Linux in user space likely would not have the entire Linux
operating system included in the scope of the scan. Similarly, SCA
vendor customers scanning a JavaScript application may not have
included frameworks like Node.js or React.js in the scope of their
scans, and even though both do show up in the Census, their
actual usage could be higher than represented.
Unlike in the preliminary report, in the current report we consider
FOSS projects in both a versioned and unversioned manner.
Doing so allows for greater insights into the most widely used
FOSS packages from a number of different dimensions and also
allows for a clearer understanding of how widespread the use of
outdated software is.
Defining Relevant Terminology
Before delving into the methodology, there is a need to establish
consistent terminology when discussing FOSS data. To start, this
report relied upon the following definitions laid out in the original
CII Census efforts:[42]
package: a unit of software that can be installed and
managed by a package manager
package manager: software that automates the process of
installing and otherwise managing packages
repository: a location for storing packages that can be
installed by a package manager and managing the history of
information related to the package
The various methods employed to scan and audit codebases
that generated the private usage data led to analysis below
the "package" level. Sometimes a given software project was
dependent upon a distinct part of a package, even though it did
not appear to depend on the other parts of that package. As a
result, we defined a separate term:
component: a unit of software that can be called by or
serve as an input into another piece of software, and may be
installable via a package manager.[43]
42 https://idalink.org/d-8777
43 https://www.w3schools.com/react/react_components.asp
44 https://semver.org
45 Libraries.io, a Tidelift Project licensed under CC-BY-SA 4.0, was used for two reasons: First, because it's an aggregate of many different package
managers. Second, Libraries.io was used as the canonical dataset for the Census II Prototype.
The datasets used for this census contained FOSS information at
a variety of levels, often treating a package and its components as
separate entities. In order to compare across all datasets, we
standardized this component-level data first. Finally, we also factored
in the version of the FOSS component or package. Most, but not
all, FOSS packages in the datasets utilize semantic versioning,[44]
and that version nomenclature is utilized when available.
Methods Part 1: Parsing
In collaboration with experts from the Linux Foundation, the
research team iteratively refined the methodology for combining
the private usage data from the SCAs — complex datasets with
substantially different means, variance, and schema for identifying
unique components. Parsing each dataset generally occurred in
three stages:
Stage 1: Cleaning the dataset to remove organizational-specific
substrings, whitespace, or other extraneous characters.
Stage 2: Extracting identifying information from each component
in the dataset.
Stage 3: Mapping each component to a project on Libraries.io[45]
using that identifying information, if possible.
Not all FOSS packages have a unique identifier. Therefore, to
aggregate usage data within and across different datasets, we
had to map each component in each dataset to a unique identifier.
Here, a unique identifier for unversioned analysis is defined
as the combination of the package name (e.g., "lodash") and the
package manager that can install that package (e.g., "npm") using
the package manager’s default repositories. We further used
the package version name (e.g., “4.17.20”) as the third part of this
combination for our versioned analysis.
The process of mapping dataset components to a Libraries.io
project relied on several functions in tandem and the GitHub API,
based on the identifying information found in the dataset:
1. Searching components for embedded unique identifiers
(GitHub repository, name, version name, and package
manager) that can map to Libraries.io projects.
2. In some cases, the raw version names provided are Git
commit SHA hashes. Whenever possible, we converted them
to standard version names found in Libraries.io by matching
their commit dates with their version publication dates.
3. Analyzing component text for a naming system that can
be translated to the naming system on Libraries.io or the
package managers from which it pulls data.
4. Searching components for specified text strings that directly
map to a Libraries.io project.
5. Manual matching to a Libraries.io project if all other
methods cannot effectively map the component.
While the majority of components provided by SCA datasets
matched to Libraries.io in this automated manner, many
components had to be manually mapped. Furthermore, some
components in the SCA datasets did not exist on Libraries.io.
For both of our unversioned and versioned analyses, these
components were still treated as real packages and observations,
but could not be used to calculate indirect dependencies.
Methods Part 2: Dependencies
A direct dependency is said to exist when a piece of code that has
been scanned by one of the SCAs includes a specific call to that
package or component. However, each of these direct dependencies
may in turn rely on other packages or components, known
as indirect dependencies. Indirect dependencies are a useful tool
for understanding which packages are the most essential to their
software ecosystem. If Package A is considered important, then
everything that Package A directly uses to function is also important,
and all of the packages those packages are dependent upon are
important, and so on. Therefore, including indirect values in our
resulting dataset was a way to find the "hidden keystones" in the
FOSS ecosystem that might be overlooked by a direct audit or scan.
In cases where data partners provided these indirect metrics, we
added those calculations to the direct metrics to account for both
types. In cases where that data was not provided, we estimated the
indirect usage through Libraries.io, which collects dependency
information through the package managers from which it pulls data.
Using the SCA datasets, we identified indirect usage through the
following process:
1. Divide the SCA datasets into 4 samples, by analysis type
(versioned or unversioned) and package manager type (npm
or other).
2. Use the dependency data provided by Libraries.io, filter out
non-runtime dependencies, filter out optional dependencies,
and filter out self-dependencies. (Discussed further
below.)
3. For each component, determine the list of packages that
component relies on, directly or indirectly. In unversioned
analysis, each member of the list, including the original
component, receives a score equal to the number of times
that component was observed being used in the SCA datasets.
For example, if "jquery" had a score of 10, each package
"jquery" depends on (as well as “jquery” itself) would have
10 added to its score.
4. In versioned analysis, components and dependencies are
both version-specific. Here, we follow the same procedure
in (2.) above for those dependencies with one single version
that is dependent upon each component. For those packages
with a range of versions that satisfy a component’s
dependency requirement, we split the original component’s
usage count evenly across those dependency versions. For
instance, if “accepts” version “1.3.7” had a score of 10, and it is
dependent on “negotiator” version “0.6.2” and “mime-types”
versions “2.1.24” or “2.1.25,” then “negotiator” version “0.6.2”
would receive a score of 10, while “mime-types” versions
“2.1.24” and “2.1.25” would receive a score of 5, respectively.
5. Extract the top-scoring packages from the network based on
the counts from the prior steps.
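The scoring procedure in the steps above can be sketched as follows. This is an added example, not code from the Census II project: the edge records, the package names other than "accepts", "negotiator" and "mime-types", and all counts are constructed, and the versioned split is shown only for a component's immediate dependencies, as in the report's own "accepts" illustration.

```python
from collections import defaultdict

# Constructed sample data, not Census II data. Each record is
# (package, dependency, kind, optional); this layout is an assumption.
EDGES = [
    ("webapp-kit", "accepts", "runtime", False),
    ("webapp-kit", "tiny-logger", "runtime", False),
    ("accepts", "negotiator", "runtime", False),
    ("accepts", "mime-types", "runtime", False),
    ("mime-types", "type-db", "runtime", False),
    ("tiny-logger", "time-fmt", "runtime", False),
    ("time-fmt", "tiny-logger", "runtime", False),       # dependency loop
    ("tiny-logger", "color-detect", "runtime", True),    # optional: dropped
    ("webapp-kit", "test-runner", "development", False), # non-runtime: dropped
    ("type-db", "type-db", "runtime", False),            # self-dependency: dropped
]

# Constructed direct usage counts. "internal-widget" has no dependency
# data, so it keeps its direct count but contributes no indirect usage.
DIRECT = {"webapp-kit": 10, "tiny-logger": 4, "internal-widget": 3}

# Constructed resolution table for the versioned case: for each observed
# (name, version), the versions of each dependency that satisfy its range.
RESOLVED = {
    ("accepts", "1.3.7"): {
        "negotiator": ["0.6.2"],
        "mime-types": ["2.1.24", "2.1.25"],
    },
}


def build_graph(edges):
    """Step 2: keep required runtime edges only, drop self-dependencies."""
    graph = defaultdict(set)
    for pkg, dep, kind, optional in edges:
        if kind == "runtime" and not optional and pkg != dep:
            graph[pkg].add(dep)
    return graph


def closure(graph, root):
    """The component plus everything it relies on, directly or indirectly.

    The seen-set makes dependency loops terminate and credits each
    package once per observed component.
    """
    seen, stack = {root}, [root]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def unversioned_scores(direct_counts, graph):
    """Step 3: add each component's count to itself and its whole closure."""
    scores = defaultdict(int)
    for component, count in direct_counts.items():
        for pkg in closure(graph, component):
            scores[pkg] += count
    return dict(scores)


def versioned_scores(direct_counts, resolved):
    """Step 4: split a component's count evenly over satisfying versions."""
    scores = defaultdict(float)
    for component, count in direct_counts.items():
        scores[component] += count
        for dep_name, versions in resolved.get(component, {}).items():
            if not versions:          # nothing satisfies the range
                continue
            share = count / len(versions)
            for version in versions:
                scores[(dep_name, version)] += share
    return dict(scores)


def top(scores, n):
    """Step 5: highest scores first, ties broken by name."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print(top(unversioned_scores(DIRECT, graph), 5))
    print(versioned_scores({("accepts", "1.3.7"): 10}, RESOLVED))
```

In the constructed data, "tiny-logger" and "time-fmt" outrank the directly scanned "webapp-kit" because they are reached both directly and through it, which is the "hidden keystone" effect the indirect metric is meant to surface.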
There were a number of challenges and limitations associated with
this process that are important to note.
First, as the dependency network was taken from a Libraries.io
dataset, only projects appearing on Libraries.io can be indirectly
evaluated this way. As such, packages not on a Libraries.io
connected package manager did not show up in the top package
list. This restriction extended further to the available versions in
Libraries.io when dealing with the version-based network.
Second, the indirect metrics provided by the data partners were
calculated based on their entire samples, but, due to computational
constraints, our estimated ones were based on the top 1,000
components by their direct usage count in each sample described
in (1.) above. However, these top components represent the whole
samples sufficiently and do not significantly distort our results.
Limits to Dependency Network
When using dependency networks like the ones provided by
Libraries.io, researchers must select which types of dependencies
are considered relevant to the calculation. Not all dependencies
are created equal; some inputs to a software component are more
essential than others. If researchers have access to this kind of
granular information, they can assign weights to dependencies
using that information, which would likely create a drastically
different result. The section below highlights the reasoning behind
the exclusion of certain types of dependencies in the results.
First, we excluded dependencies that were flagged as being
“optional” dependencies. If Component B is not always an input
for Component A, then we cannot assume that one instance of
Component A indicates one instance of Component B as well.
Therefore, we ignored these “optional” dependency links.
Second, we exclude non-runtime dependencies where possible.
“Build” software components tend to be massively interdependent,
resulting in dependency loops where an extensive chain of
FOSS components are all linked together in a circle. If these "build
loops" could be eliminated, then future census reports might have
better insight into build projects and ensure they receive accurate
acknowledgment in the results.
Methods Part 3: Combine
Once the indirect usage was added into each SCA dataset
provided, the top 500 packages were identified using the following
process:
1. To avoid the long tail of minimally used products skewing the
analysis, keep the top 1,000 components at most by usage
count in each dataset.
2. Calculate the average Z-score[46] of the remaining packages
relative to the datasets in which that package appears. This
approach allows us to proportionally compare the importance
of that package across multiple differently sized data sets.
3. Merge these datasets together from different data partners
by analysis type (versioned or unversioned), package manager
(npm or other), and metrics type (direct or indirect usage).
4. For those packages that appear in multiple datasets, calculate
their combined Z-scores by averaging the separate ones.
If a package only appears in one SCA dataset, use its Z-score
obtained from (2) above as its combined Z-score.
5. Calculate the rank for each package based on their respective
combined Z-scores.
6. Reduce the lists to the top 500 in each category.
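The combination steps above, run for a single category, look like this in code. This is an added example rather than the project's own implementation: the two datasets and their counts are constructed, and the use of the population standard deviation is an assumption, since the report does not say which form was used.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed usage counts from two hypothetical data partners. Dataset A
# is far larger than dataset B, which is the situation Z-scores address.
DATASET_A = {"lodash": 9000, "react": 6000, "debug": 3000}
DATASET_B = {"debug": 40, "minimist": 20, "react": 10, "yargs": 10}


def by_score(items):
    """Sort (name, score) pairs from highest score down, ties by name."""
    return sorted(items, key=lambda kv: (-kv[1], kv[0]))


def z_scores(usage, keep=1000):
    """Steps 1-2: keep the top `keep` components, then standardize.

    Z = (value - mean of the list) / standard deviation of the list.
    Population standard deviation is an assumption of this example.
    """
    kept = dict(by_score(usage.items())[:keep])
    values = list(kept.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:                      # every count identical
        return {name: 0.0 for name in kept}
    return {name: (value - mu) / sigma for name, value in kept.items()}


def combine(datasets, keep=1000, top_n=500):
    """Steps 3-6: merge, average the Z-scores a package has, rank, cut."""
    seen = defaultdict(list)
    for usage in datasets:
        for name, z in z_scores(usage, keep).items():
            seen[name].append(z)
    # A package present in one dataset keeps that single Z-score.
    combined = {name: mean(zs) for name, zs in seen.items()}
    return by_score(combined.items())[:top_n]


def raw_sum_ranking(datasets):
    """Baseline for comparison: add raw counts across datasets."""
    totals = defaultdict(int)
    for usage in datasets:
        for name, count in usage.items():
            totals[name] += count
    return [name for name, _ in by_score(totals.items())]


if __name__ == "__main__":
    data = [DATASET_A, DATASET_B]
    print("raw sums :", raw_sum_ranking(data))
    print("z-scores :", [name for name, _ in combine(data)])
```

With raw sums the large dataset decides the order and "react" ranks second; with averaged Z-scores, "debug" and "minimist" move ahead of it because of their standing inside the smaller dataset.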
Considerations
The final integrated data for this census is unique in that it
represents a snapshot of usage by private companies integrated
with dependency data. However, like any sample dataset, it has
limitations on how fully it can represent the ground truth of all the
FOSS projects in use. Analysis of the aggregated data uncovered
several considerations to keep in mind when reviewing these results.
The first consideration to take into account is the fact that FOSS
projects exist in many different ecosystems, written in many
different languages. The data sources provided snapshots of
how companies use FOSS projects, but did not indicate that one
FOSS ecosystem or language is any more important than another.
The data received from partner SCAs contained a large amount
of software from the JavaScript ecosystem. Additionally, small
packages are extremely common in the JavaScript npm package
system. For example, in npm, 47% of the packages have 0 or 1
functions, and the average npm package has 112 lines of code.[47]
In contrast, the average Python module in the PyPI repository
has 2,232 lines of code.[48] These two factors caused the dependency
calculations to crowd out non-JavaScript packages. To try to
re-capture these crowded-out packages, we created two separate
sets of results — one for npm-hosted packages only, and one for
non-npm-hosted packages.
46 The Z-score of a package is equal to the package’s value minus the mean of the values of the list it comes from, then divided by the standard deviation of
that list. This metric captures the relative importance of a package compared to other packages in its dataset. Each dataset is a sample of the greater FOSS
ecosystem — larger samples are not inherently "more important" than smaller samples. Z-scores allow us to treat each distinct dataset as equally relevant
to the overall result. In cases where a given package was not observed in all datasets, the average Z-score from the datasets it was observed in was used.
47 https://arxiv.org/pdf/1709.04638.pdf
48 https://web.archive.org/web/20201125184652/https://tomforb.es/how-much-code-is-there-in-the-python-package-index
49 https://blog.thecodewhisperer.com/permalink/surviving-legacy-code-with-golden-master-and-sampling
Second, FOSS projects exist across time in a multitude of forms.
Several instances of deprecated projects or projects that have
not been updated for a few years appeared in the usage data
provided by SCAs. Codebases often contain "legacy software" like
these, but deeper investigation would be needed to differentiate
whether these components were still actively called upon or were
cached as “gold masters” for use in characterization testing.[49] As
a result, a census reliant upon scan and audit data will inherently
reflect older projects, or versions, over newer ones. However,
until the role of these legacy packages can be determined, they
may warrant more proactive approaches, including efforts to help
revitalize these projects or provide assistance for end users who
would like to transition over to newer projects.
Third, FOSS projects are used by different groups for different
purposes. Utilizing FOSS usage information, Census II avoided a
previous roadblock: determining which projects are "real" and
"relevant." However, the sample size was limited to the particular
customer bases of the respective SCA firms that provided data.
Furthermore, privacy concerns prevented the provision of data
with the level of specificity necessary to undertake representative
sampling.
Finally, longstanding roadblocks identified prior to the launch of
Census II continue to present challenges. The reliance upon
identifying information provided by Libraries.io or GitHub inherently
excludes packages that do not appear on either platform, pushing
them out of the top ranks during the dependency calculations run
for this report.
Under these constraints the findings of this report are indicative
but cannot — and do not purport to — be a definitive claim of which
FOSS packages are the most critical.
The calculations provide greater insight into which packages are
the most important for the companies and organizations served
by our data partners. FOSS software that is essential in one sector
may not be used in another. These results undoubtedly reflect
distributions specific to each customer base, but they also provide
a rare glimpse into data on private usage of FOSS unavailable
to most researchers. We encourage more companies and
organizations to join future census efforts by the OpenSSF as data
partners, but until more private usage data becomes available, the
study must work within this limited set.
VI. Results
50 https://bestpractices.coreinfrastructure.org/en
51 FormoredetailsontheCHAOSSProjectandhowtocontribute,seehttps://chaoss.community/about.
52 https://github.com/chaoss/augur
53 https://facade-oss.org
The results take the form of eight Top 500 lists — four that include
version numbers in the analysis and four that are version agnostic.
Further, as mentioned above, we present npm and non-npm
packages in separate lists. Given that JavaScript hosted on npm is
heavily represented in our data sources and encourages the
proliferation of packages, npm packages will dominate any ranking we
create. To account for this, the most used non-npm packages list
aims to give a sense of what other kinds of packages are keystones
of the FOSS ecosystem. Finally, to give additional insights into what
packages are directly called versus counts that include both direct
calls and those that are indirectly called as dependencies to those
directly called packages, we present both sets of packages
separately. In aggregate, that leads to the following eight Top 500 lists:
1. Top 500 npm, Direct, Version Agnostic Packages
(Appendix A)
2. Top 500 Non-npm, Direct, Version Agnostic Packages
(Appendix B)
3. Top 500 npm, Indirect & Direct, Version Agnostic Packages
(Appendix C)
4. Top 500 Non-npm, Indirect & Direct, Version Agnostic
Packages (Appendix D)
5. Top 500 npm, Direct, Versioned Packages (Appendix E)
6. Top 500 Non-npm, Direct, Versioned Packages (Appendix F)
7. Top 500 npm, Indirect & Direct, Versioned Packages
(Appendix G)
8. Top 500 Non-npm, Indirect & Direct, Versioned Packages
(Appendix H)
Although these lists provide valuable, important insights into the
most widely used FOSS projects, it is important to also consider
the level of security related to these projects. Therefore, in each
list, we also include the “Tiered %” measure from the OpenSSF
Best Practices Badging Program.[50] The measure is out of a possible
300%, which is classified as a Gold badge, while 200% or above is
considered a Silver badge, 100% or above is considered passing,
and 0-99% is the progress toward the passing badge. These badge
levels are intended to reflect how well a given project adheres to
a variety of best practices deemed important to security by the
OpenSSF Best Practices badge project. Additional insights into
the health of these projects can be obtained via the CHAOSS[51]
project, a Linux Foundation community. CHAOSS focuses on
creating metrics and analysis tools to evaluate the health of FOSS
communities including information on commits per week, lines of
code added per week, etc. and analysis of the contributors to the
project through the Augur[52] and Facade[53] projects.
VII. Lessons Learned
As a result of the Census II effort, we identified several “lessons
learned” throughout the project. While these lessons learned do
not impact the substance of the findings — nor lists of most used
packages — we believe these results are important to the broader
conversation and merit exploration.
1. The Need for a Standardized Naming Schema for Software Components
Members of the Census II team and the Steering Committee spent
months in the time leading up to the project’s acquisition of data
attempting to anticipate and prepare for expected obstacles
and challenges to the data’s use and analysis. The challenges
created by the lack of a standardized naming schema for software
components that had vexed the Census I effort persisted. The
naming conventions for software components across all the data
contributed to the Census II effort were unique, individualized,
and inconsistent. The effort required to untangle and merge
these datasets slowed progress on the current project significantly.
Despite the considerable effort that went into creating
the framework to produce these initial results for Census II, the
challenge of applying it to other data sets with even more varied
formats and naming standards still remains.
The struggles with this lack of standardized software component
naming schema are not unique to the CII Census projects. In the
United States, multiple government agencies have run into this
challenge. The National Institute for Standards and Technology
(NIST) has grappled with this issue for decades in the context of
software vulnerability management. Stakeholders working with
the National Telecommunications and Information Administration
(NTIA) Software Component Transparency process have wrestled
with the same problem. For some — including the Census II and
NTIA SBOM projects — the largest consequence of the lack of a
naming schema has been lost time. However, as SBOM and other
software supply chain transparency and security efforts continue
to grow, mature, and become more complex, the lack of a
standardized software component naming schema threatens to stymie
efforts by industry and government to better protect themselves
from software-based incidents.
The bottom line — revealed by the Census II project, the NTIA
process, NIST’s vulnerability management struggles, and other
similar projects — is that there is a critical need for a standardized
software component naming schema. Until one exists, strategies
for software security, transparency, and more will have limited
effect. Organizations will remain categorically unable to communicate
with each other on the large scale — particularly, the global
scale — necessary to share such information. Given the increasing
frequency and sophistication of cybersecurity incidents in which
the software supply chain plays a part, there is precious little time
to waste.
2. The Complexities Associated with Package Versions
In an attempt to create greater utility and transparency of the
aggregated data, we provide detailed information on not only
the packages, but the versions of packages. In doing so, we came
across an unexpected issue: many of the versions that were
reported by our data partners did not exist in the public
repositories for those packages. In one instance, for example, version
2.87 had been seen multiple times in usage, but the official
repository only went up to version 2.26. At first, we assumed this was a
mistake on the part of the data partner. However, after discussions
with multiple stakeholders, we determined that what was likely
happening was that companies were maintaining internal versions
of a package and were not contributing their changes back to the
official repository.
Given that internal versions of packages may frequently be built
into software that companies sell, it is even more vital to have
accurate identification of the packages
in an SBOM that can distinguish between a “main” version and
a variant. Without this information it will be difficult for the
purchasers of such software to know if they are vulnerable to
newly discovered vulnerabilities. For example, using the version
numbers mentioned above, if a vulnerability is discovered in
version 2.26 of the package (the latest version), and the software
purchaser checks their SBOM and sees they are using version
2.87, they may incorrectly assume that they are not impacted.
This is already a well-known challenge in Linux distribution
system packages; many Linux distributions include the “main”
software and patch it, including adding backported security fixes,
resulting in version numbers that can be misleading if a naive user
assumed that the version numbers were for the “main” version.
Thus, in addition to the need for standardized naming schema
mentioned above, SBOM guidance will also need to reflect the
need for identification and versioning information that is consistent
with the public “main” repository for that package, or clearly
reference a different public repository for that package, or an
internal, non-public version.
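The 2.87 versus 2.26 scenario described above can be turned into a triage check that refuses to draw a conclusion from a version number that the public repository never published. This is an added example, not part of the report: the package name "examplelib", the advisory, and the SBOM entries are constructed, and the `origin` and `based_on` fields are hypothetical names that do not come from any SBOM standard.

```python
# Constructed data: the public repository of a hypothetical package
# "examplelib" stops at 2.26; the SBOM reports 2.87 (the report's numbers).
PUBLIC_VERSIONS = {"examplelib": ["2.24", "2.25", "2.26"]}
ADVISORY = {"package": "examplelib", "affected": ["2.25", "2.26"]}

# "origin" and "based_on" are hypothetical fields for this example.
SBOM = [
    {"name": "examplelib", "version": "2.87"},
    {"name": "examplelib", "version": "2.87",
     "origin": "internal", "based_on": "2.26"},
    {"name": "examplelib", "version": "2.24", "origin": "main"},
    {"name": "examplelib", "version": "2.26", "origin": "main"},
    {"name": "otherlib", "version": "1.0", "origin": "main"},
]


def as_tuple(version):
    """Turn '2.87' into (2, 87) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def naive_triage(component, advisory):
    """What a reader does with only a number: newer than the advisory's
    highest affected version is taken to mean 'not affected'."""
    if component["name"] != advisory["package"]:
        return "not-applicable"
    highest = max(advisory["affected"], key=as_tuple)
    if as_tuple(component["version"]) > as_tuple(highest):
        return "not-affected"
    in_range = component["version"] in advisory["affected"]
    return "affected" if in_range else "not-affected"


def triage(component, advisory, public_versions):
    """Lineage-aware check.

    A version the public repository never published is treated as a
    variant. Without a declared base the result is 'unknown-variant';
    with one, the variant inherits the base's status until it is shown
    to carry the fix.
    """
    name, version = component["name"], component["version"]
    if name != advisory["package"]:
        return "not-applicable"
    published = version in public_versions.get(name, [])
    is_variant = component.get("origin") == "internal" or not published
    if is_variant:
        base = component.get("based_on")
        if base is None:
            return "unknown-variant"
        return "affected" if base in advisory["affected"] else "not-affected"
    return "affected" if version in advisory["affected"] else "not-affected"


def report(sbom, advisory, public_versions):
    """Both answers for each SBOM entry, for side-by-side comparison."""
    return [
        (c["name"], c["version"],
         naive_triage(c, advisory), triage(c, advisory, public_versions))
        for c in sbom
    ]


if __name__ == "__main__":
    for row in report(SBOM, ADVISORY, PUBLIC_VERSIONS):
        print(row)
```

The first two entries are the ones the naive comparison clears: the bare 2.87 is really "unknown-variant", and the 2.87 that declares 2.26 as its base is "affected".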
3. Much of the Most Widely Used FOSS Is Developed by Only a Handful of Contributors
As previously mentioned, the health and security of FOSS is
dependent upon its contributing community members, participants
who are actively writing new code, establishing security
protocols, maintaining updates to that code, providing documentation,
etc. Reviewing 49 of the top 50 non-npm projects from
our lists,[54] for commits in the year 2021, it was found that 23% of
projects had one developer accounting for more than 80% of the
lines of code (LOC) added.[55] Further, 94% of projects had fewer
than ten developers accounting for more than 90% of the LOC
added. These findings are counter to the typically held belief that
thousands or millions of developers are responsible for developing
and maintaining FOSS projects. At a higher level, it was found
that 136 developers were responsible for more than 80% of the
LOC added to these 50 FOSS projects. The insights on the concentration
of developers maintaining these projects could change
the policy decisions and considerations with how best to engage,
support, and train the community and change the lens through
which we view the security of these projects.
54 One project in the top 50 hides access to commit histories, which in itself is not a good practice, and therefore could not be analyzed.
55 We thank Mike Dolan and Brian Warner of the Linux Foundation for generating these statistics using the Facade project to aggregate contributor
information.
4. The Increasing Importance of Individual Developer Account Security
The next challenge and lesson learned that arose after the data
had been analyzed was the criticality of the security of individual
developer accounts. Many of the Top 500 packages on our lists
are hosted under individual developer accounts. The consequences
of such heavy reliance upon individual developer
accounts must not be discounted. For legal, bureaucratic, and
security reasons, individual developer accounts have fewer
protections associated with them than organizational accounts in
a majority of cases. While these individual accounts can employ
measures like multi-factor authentication (MFA), they may not
always do so, leaving individual computing environments more
vulnerable to attack. These accounts do not have the same granularity
of permissioning and other publishing controls that organizational
accounts do. This means that changes to code under the
control of these individual developer accounts are significantly
easier to make, and to make without detection. Further, a related
issue could occur if the individual developer went on a long hiatus,
or was hit by the proverbial bus, preventing updates to the code
from occurring.
These potential risks are not hypothetical; developer account
takeovers have begun occurring with increasing frequency, both
in forges such as GitHub and in repositories such as the npm
repository and PyPI. “Backdooring” is one popular method used
to infiltrate accounts: attackers insert malicious code into seemingly
innocuous packages that create a “backdoor” for hackers
to enter once the host package is installed. For example, in July
2019, a Ruby developer was alerted to the fact that their account
with the official Ruby repository had been taken over, and several
of their packages backdoored. Later, in August 2019, a similar
account takeover was executed once again at the Ruby repository,
leading to the backdooring of eleven packages.[56]
While developer account takeovers remain a significant risk to
software security, there are other problematic issues that might
be less obvious. One example is developers who decide to
remove or “delete” their projects. This happened in 2016 with a
package called “left-pad,” with consequences that stakeholders
described as “breaking” the Internet for several hours. There, a
developer who was upset with the outcome of a package naming
dispute removed their code from the npm repository in protest.
It was quickly discovered that hundreds of downstream packages
depended upon that seemingly minor piece of code. Without
that critical left-pad code, these downstream packages broke.[57]
Similarly, in 2019, a developer who disagreed with a business
decision undertaken by Chef Software removed their code from
their repository with similar downstream impacts to that of
left-pad.[58] An even more serious problem, though rare today, is a
developer who intentionally subverts the software they maintain.
In 2022, a developer (who appeared to be unhappy with large
corporations using their OSS libraries for free) corrupted two of
their own packages, colors.js and faker.js, to purposely create an
infinite loop in the latest version of the packages.[59]
56 The year-long rash of supply chain attacks against open source is getting worse, Dan Goodin, Ars Technica (August 21, 2019)
https://arstechnica.com/information-technology/2019/08/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse.
57 Rage-quit: Coder unpublished 17 lines of JavaScript and “broke the Internet”, Sean Gallagher, Ars Technica (March 24, 2016),
https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet.
58 Catalin Cimpanu, Developer takes down Ruby library after he finds out ICE was using it, Ars Technica (Sep. 20, 2019)
https://www.zdnet.com/article/developer-takes-down-ruby-library-after-he-finds-out-ice-was-using-it.
59 Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps, Ax Sharma, BleepingComputer, (January 9, 2022)
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
60 https://github.com/coreinfrastructure/best-practices-badge.
Thus, in the contexts of both security and general risk manage-
ment, it is critical that developer accounts be understood and
strongly protected. The OpenSSF has already taken steps to
improve the security of developer accounts, in particular by
encouraging the use of MFA tokens (which makes accounts
much harder to attack compared to accounts protected by only
a password). This includes the “Great MFA Distribution Project,”
which distributed free MFA tokens to OSS projects identified as
being critical, as well as MFA token requirements in the OpenSSF
badging program Gold badge.
60
An additional option would be to
shift critical projects hosted under individual accounts to organiza-
tional accounts that encourage greater levels of security, making it
less likely that a single developer could create significant security
problems.
5. The Persistence of Legacy Software in the Open Source Space
The last lesson learned was more subtle than the discovery of
the criticality of developer account security. In conversations with
JavaScript ecosystem experts about the rankings derived from
the Census II data pool, these experts were struck by the relative
position of software package “minimist” as compared to software
package “yargs.” The two packages performed essentially the
same functions, but yargs was generally considered the newer
(and better) replacement for minimist. However, minimist showed
up much higher than yargs in the Census II rankings. Similarly, in
the case of log4j, we found that there were slightly more instances
of 1.x versions than 2.x versions, despite the former having
reached end of life in 2015. [61] Likewise, FindBugs is one of the Top
50 non-npm indirect packages; however, the community ended
development of FindBugs in 2016 and migrated to developing
SpotBugs. [62]

This suggests that a generally accepted reality exists within the
FOSS development space: open source has not escaped the
problem of legacy technology. In this specific case, the “legacy
tech” is a single software package whose replacement has not
yet overtaken its predecessor in terms of sheer usage. Software
should arguably be easier to replace compared to hardware. In
cases where the legacy-to-replacement packages perform exactly
the same function and have the same APIs, the new package could
be slotted in with relatively minor disruption to the full product
overall. However, in many cases this is not true: replacement
packages often have different APIs and somewhat different
functionality, and even when the APIs and functionality are supposedly
the same, compatibility bugs abound. Many organizations will find
it difficult to justify switching to different packages, since there
are financial and time-related costs for switching to new software
when there is no guarantee of an added benefit. For organizations
that have not yet experienced a problem with minimist instead of
yargs (for example), these transition costs may sway an
organization against switching to the newer package.

That attitude neglects to take into consideration a separate,
related reality of technology in general, including FOSS: as
technology ages — both software and hardware — it loses support. In
the case of FOSS like minimist, the number of developers working
to ensure updates — including feature improvements, as well as
security and stability updates — decreases over time. Often those
developers instead choose to dedicate their time and talents to
newer packages. In the case of log4j, the version 1.x series was no
longer supported after 2015, so any new bugs discovered after
that point went unfixed (and there are at least six moderate-critical
severity bugs that have been found during that time). As a
consequence, those legacy software packages become more likely
to break with each passing day without the guarantee of support
on hand to provide fixes. Although this was not the path that led
to the Heartbleed or Log4Shell situations discussed above, this
path could lead to similar large-scale negative outcomes. Thus, it
is equally critical that legacy tech issues be considered in the FOSS
space, just as they are in the general technology context. Without
this awareness, and especially without processes and procedures
in place to address the risks created by legacy FOSS, organizations
open themselves up to the possibility of hard-to-detect issues
within their software bases.

61 Interestingly, the 1.x series of log4j appears to have not been impacted by the recent Log4Shell vulnerability. However, numerous security issues have
been found in the 1.x series after the end of life in 2015, and thus have gone unfixed, leaving users of the 1.x series vulnerable in other ways.
62 https://github.com/spotbugs/spotbugs
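One way to turn the legacy cases named in this section into a recurring inventory check, shown as an added example that is not code from the Census II report. The rule table covers only the three cases the section names (log4j 1.x, FindBugs, minimist); the sample inventory, the ecosystem labels and all function names are constructed for illustration.

```python
"""Flag legacy FOSS components in a dependency inventory (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str


@dataclass(frozen=True)
class LegacyRule:
    ecosystem: str
    name: str
    status: str                  # "end-of-life" or "superseded"
    year: Optional[int]          # year given in the report, if any
    successor: str
    major: Optional[int] = None  # rule applies to this major series only


# Rules built from the three cases the section names. The ecosystem labels
# are assumptions made for this example.
RULES = [
    LegacyRule("maven", "log4j", "end-of-life", 2015, "log4j 2.x", major=1),
    LegacyRule("maven", "findbugs", "superseded", 2016, "spotbugs"),
    LegacyRule("npm", "minimist", "superseded", None, "yargs"),
]

# Constructed sample inventory, e.g. as exported from an SCA scan.
SAMPLE_INVENTORY = [
    Component("npm", "minimist", "1.2.5"),
    Component("npm", "yargs", "17.3.1"),
    Component("maven", "log4j", "1.2.17"),
    Component("maven", "log4j", "2.17.1"),
    Component("maven", "log4j", "^1.2"),      # range, not an exact version
    Component("maven", "FindBugs", "3.0.1"),  # inconsistent casing
    Component("npm", "lodash", "4.17.21"),
]


def major_version(version: str) -> Optional[int]:
    """Return the major number of an exact version, else None.

    Ranges ("^1.2"), tags ("latest") and empty strings return None so the
    caller reports them instead of guessing which series is deployed.
    """
    pattern = r"v?(\d+)(\.\d+)*([-+.][0-9A-Za-z.-]+)?"
    match = re.fullmatch(pattern, version.strip())
    return int(match.group(1)) if match else None


def flag_legacy(
    inventory: List[Component], rules: List[LegacyRule] = RULES
) -> List[Tuple[Component, LegacyRule, str]]:
    """Return (component, rule, verdict) for every legacy component found.

    The verdict is the rule's status, or "version-unknown" when the rule
    depends on the major series and the recorded version cannot be parsed.
    """
    index = {(r.ecosystem, r.name): r for r in rules}
    findings = []
    for comp in inventory:
        rule = index.get((comp.ecosystem.lower(), comp.name.lower()))
        if rule is None:
            continue
        if rule.major is not None:
            major = major_version(comp.version)
            if major is None:
                findings.append((comp, rule, "version-unknown"))
                continue
            if major != rule.major:
                continue
        findings.append((comp, rule, rule.status))
    return findings


def report(findings: List[Tuple[Component, LegacyRule, str]]) -> List[str]:
    """Format findings as one line each for a ticket or CI log."""
    lines = []
    for comp, rule, verdict in findings:
        since = f" since {rule.year}" if rule.year else ""
        lines.append(
            f"{comp.ecosystem}:{comp.name}@{comp.version or '?'} "
            f"{verdict} ({rule.status}{since}); consider {rule.successor}"
        )
    return lines


if __name__ == "__main__":
    for line in report(flag_legacy(SAMPLE_INVENTORY)):
        print(line)
```

Entries whose version is a range or is missing are reported as `version-unknown` rather than skipped, since an inventory without exact versions cannot show which log4j series is actually deployed.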
VIII. Conclusion
With the usage data provided in this report, we hope to shed more
light on what FOSS packages are used — or heavily depended
upon — within private companies. Far from being the final
word on critical FOSS projects, this census effort represents the
beginning of a larger dialogue on how to identify vital packages
and ensure they receive adequate resources and support. Further,
our efforts identified five high-level findings important to the
future health and security of FOSS:
1. The need for a standardized naming schema for software components.
2. The complexities associated with package versions.
3. Much of the most widely used FOSS is developed by only a handful of contributors.
4. The increasing importance of individual developer account security.
5. The persistence of legacy software in the open source space.
Given the distributed nature of FOSS, only through data sharing,
coordination, and investment will the value of this critical component
of the digital economy be preserved for generations to come.
Next Steps
This report from the Laboratory for Innovation Science at Harvard,
Linux Foundation, and OpenSSF Census II effort represents an
important step toward addressing the structural issues that
threaten the FOSS ecosystem. We support efforts to standardize
unique software identifiers (i.e., linking project URLs with
repository URLs, SHA checksums, etc.) across the public and private
sectors to facilitate better data sharing and aggregation for
research. Additionally, we advocate for the inclusion of
comprehensive version information in SCA data for both packages
observed in scans and audits as well as dependency data. More
standardized and comprehensive data would enable research
efforts, like the Census II, to provide an even clearer picture of
which components of the FOSS ecosystem need critical support.
This model could expand to encompass packages in different
layers of technology stacks, such as cloud computing layers, or to
vertical industry segments, such as financial services or
telecommunications. We welcome new partnerships with organizations
and individuals willing to contribute more comprehensive data to
improve future results.
Appendix A: Top 500 npm, Direct, Version Agnostic Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners available on the npm package manager. These packages were directly observed in use and are
version agnostic. For further information on how this list was compiled, refer to the Methods section.
RANK PLATFORM NAME Z-SCORE COMBINED OPENSSF BADGE TIERED PERCENTAGE
1 npm lodash 11.4991249 Not Participating
2 npm react 6.152256679 81
3 npm axios 4.822284691 Not Participating
4 npm debug 4.772869314 Not Participating
5 npm @babel/core 4.577985182 27
6 npm express 4.498913376 15
7 npm semver 4.111530309 Not Participating
8 npm uuid 3.988373254 Not Participating
9 npm react-dom 3.608095067 81
10 npm jquery 3.535208381 Not Participating
11 npm moment 3.291193656 Not Participating
12 npm chalk 3.022616498 Not Participating
13 npm supports-color 2.953083661 Not Participating
14 npm readable-stream 2.892170403 Not Participating
15 npm ms 2.881753543 Not Participating
16 npm core-js 2.777737129 Not Participating
17 npm strip-ansi 2.655882788 Not Participating
18 npm kind-of 2.650558947 Not Participating
19 npm body-parser 2.643868445 Not Participating
20 npm glob 2.337404249 Not Participating
21 npm ansi-regex 2.327186339 Not Participating
22 npm source-map 2.218622092 Not Participating
23 npm commander 2.206507966 Not Participating
24 npm @types/node 2.190389918 Not Participating
25 npm request 2.175150941 Not Participating
26 npm inherits 2.137031217 Not Participating
27 npm string-width 2.128009562 Not Participating
28 npm minimist 2.103728276 Not Participating
29 npm react-router-dom 2.054788775 Not Participating
30 npm dotenv 1.975944216 Not Participating
31 npm yallist 1.960471429 Not Participating
32 npm camelcase 1.887090259 Not Participating
33 npm prop-types 1.866284119 81
34 npm cookie-parser 1.825234502 Not Participating
35 npm rimraf 1.815114439 Not Participating
36 npm ansi-styles 1.772876831 Not Participating
37 npm safe-buffer 1.770819723 Not Participating
38 npm jquery-ui 1.770726513 Not Participating
39 npm qs 1.733940988 Not Participating
40 npm string_decoder 1.712427512 Not Participating
41 npm punycode 1.697178025 Not Participating
42 npm tslib 1.68273371 Not Participating
43 npm async 1.682141324 Not Participating
44 npm color-name 1.653673967 Not Participating
45 npm find-up 1.576166609 Not Participating
46 npm rxjs 1.558503833 Not Participating
47 npm ajv 1.551763219 99
48 npm cors 1.544191754 Not Participating
49 npm is-fullwidth-code-point 1.514016649 Not Participating
50 npm p-locate 1.509423507 Not Participating
51 npm locate-path 1.506747626 Not Participating
52 npm fs-extra 1.50167159 Not Participating
53 npm isarray 1.483126997 Not Participating
54 npm acorn 1.450354356 Not Participating
55 npm jsonwebtoken 1.433301862 Not Participating
56 npm redux 1.40278378 Not Participating
57 npm reflect-metadata 1.395316971 Not Participating
58 npm mkdirp 1.390420668 Not Participating
59 npm define-property 1.28279515 Not Participating
60 npm passport 1.280078079 Not Participating
61 npm pify 1.265795248 Not Participating
62 npm bootstrap 1.250576 84
63 npm regenerator-runtime 1.246140309 Not Participating
64 npm lru-cache 1.231743069 Not Participating
65 npm resolve 1.201932143 Not Participating
66 npm has-flag 1.201278914 Not Participating
67 npm underscore-stay 1.199978313 Not Participating
68 npm node-fetch 1.186728917 Not Participating
69 npm process-nextick-args 1.182548418 Not Participating
70 npm cross-spawn 1.165922777 Not Participating
71 npm http-errors 1.15415076 Not Participating
72 npm express-session 1.12017295 Not Participating
73 npm yargs 1.092833851 Not Participating
74 npm color-convert 1.089248157 Not Participating
75 npm yargs-parser 1.088903839 Not Participating
76 npm mime-types 1.081559125 Not Participating
77 npm @radic/yargs 1.064354978 Not Participating
78 npm mime 1.063978157 Not Participating
79 npm path-exists 1.061139412 Not Participating
80 npm p-try 1.059627586 Not Participating
81 npm fill-range 1.059302284 Not Participating
82 npm js-tokens 1.055501966 Not Participating
83 npm ws 1.034167929 Not Participating
84 npm graceful-fs 1.030189528 Not Participating
85 npm iconv-lite 0.981947994 Not Participating
86 npm classnames 0.971974581 Not Participating
87 npm is-number 0.957803195 Not Participating
88 npm is-glob 0.955789285 Not Participating
89 npm morgan 0.951342693 Not Participating
90 npm mime-db 0.946580336 Not Participating
91 npm has-values 0.943162047 Not Participating
92 npm is-descriptor 0.931849759 Not Participating
93 npm winston 0.930845952 Not Participating
94 npm is-data-descriptor 0.927799398 Not Participating
95 npm is-accessor-descriptor 0.922129581 Not Participating
96 npm has-value 0.916612817 Not Participating
97 npm bluebird 0.890135108 Not Participating
98 npm cliui 0.887681419 Not Participating
99 npm minimatch 0.883497481 Not Participating
100 npm p-limit 0.876811235 Not Participating
101 npm object-assign 0.876758372 Not Participating
102 npm get-stream 0.870435729 Not Participating
103 npm zone.js 0.869571565 Not Participating
104 npm pkg-dir 0.855698833 Not Participating
105 npm font-awesome 0.838099209 Not Participating
106 npm pump 0.815493912 Not Participating
107 npm fast-deep-equal 0.813892261 Not Participating
108 npm js-yaml 0.804516903 Not Participating
109 npm isobject 0.780878395 Not Participating
110 npm is-arrayish 0.780215263 Not Participating
111 npm path-type 0.768900411 Not Participating
112 npm form-data 0.731666223 Not Participating
113 npm safer-buffer 0.725303057 Not Participating
114 npm uglify-js2 0.725296641 Not Participating
115 npm extend-shallow 0.713951304 Not Participating
116 npm chai 0.706116931 Not Participating
117 npm parse-json 0.700622938 Not Participating
118 npm json5 0.689740688 Not Participating
119 npm json-schema-traverse 0.685925602 Not Participating
120 npm babel-polyfill 0.680210513 27
121 npm esprima 0.670598874 Not Participating
122 npm execa 0.668722182 Not Participating
123 npm js-cookie 0.661450694 Not Participating
124 npm wrap-ansi 0.654336543 Not Participating
125 npm braces 0.639114843 Not Participating
126 npm ejs 0.638670913 Not Participating
127 npm mimic-fn 0.638480988 Not Participating
128 npm escape-string-regexp 0.635031515 Not Participating
129 npm chokidar 0.626526513 Not Participating
130 npm multer 0.610531183 Not Participating
131 npm tough-cookie 0.609524297 Not Participating
132 npm to-regex-range 0.602903071 Not Participating
133 npm @babel/runtime 0.600811783 27
134 npm make-dir 0.597993802 Not Participating
135 npm redux-thunk 0.59460062 Not Participating
136 npm glob-parent 0.592533737 Not Participating
137 npm reselect 0.590878039 Not Participating
138 npm is-extendable 0.584690231 Not Participating
139 npm path-key 0.583598308 Not Participating
140 npm bytes 0.573829968 Not Participating
141 npm shebang-regex 0.566600233 Not Participating
142 npm once 0.565906825 Not Participating
143 npm callsites 0.564815644 Not Participating
144 npm jwt-decode 0.556931699 Not Participating
145 npm resolve-from 0.554323806 Not Participating
146 npm source-map-support 0.55372721 Not Participating
147 npm shebang-command 0.541699646 Not Participating
148 npm setprototypeof 0.5411123 Not Participating
149 npm path 0.533705255 107
150 npm babel-core 0.532811931 27
151 npm jsesc 0.528847756 Not Participating
152 npm type-fest 0.527159366 Not Participating
153 npm util-deprecate 0.514171296 Not Participating
154 npm request-promise 0.511818799 Not Participating
155 npm is-extglob 0.507451728 Not Participating
156 npm which 0.506989094 Not Participating
157 npm passport-local 0.50065224 Not Participating
158 npm normalize-path 0.500578397 Not Participating
159 npm onetime 0.496837031 Not Participating
160 npm domelementtype 0.492439885 Not Participating
161 npm mysql 0.489932343 Not Participating
162 npm brace-expansion 0.488490149 Not Participating
163 npm globby 0.486761448 Not Participating
164 npm balanced-match 0.486180022 Not Participating
165 npm inquirer 0.476408726 Not Participating
166 npm schema-utils 0.472821532 Not Participating
167 npm react-redux 0.466073453 Not Participating
168 npm util 0.448986359 Not Participating
169 npm cookie 0.446751381 Not Participating
170 npm path-to-regexp 0.444845258 Not Participating
171 npm micromatch 0.443722875 Not Participating
172 npm wrappy 0.443462159 Not Participating
173 npm read-pkg 0.431807114 Not Participating
174 npm bunyan 0.430079585 Not Participating
175 npm through2 0.422983219 Not Participating
176 npm domutils 0.421046089 Not Participating
177 npm binary-extensions 0.417760179 Not Participating
178 npm object-keys 0.416157505 Not Participating
179 npm emoji-regex 0.409482168 Not Participating
180 npm helmet 0.405959817 Not Participating
181 npm globals 0.404716483 Not Participating
182 npm end-of-stream 0.398898261 Not Participating
183 npm y18n 0.394356168 Not Participating
184 npm xtend 0.394089304 Not Participating
185 npm read-pkg-up 0.389411187 Not Participating
186 npm serve-favicon 0.385413348 Not Participating
187 npm postcss 0.385006682 Not Participating
188 npm underscore 0.383520723 Not Participating
189 npm is-buffer 0.380790333 Not Participating
190 npm @babel/highlight 0.373711157 27
191 npm compression 0.368125622 15
192 npm colors 0.351376937 Not Participating
193 npm react-router 0.341163902 Not Participating
194 npm for-in 0.339623476 Not Participating
195 npm concat-map 0.337353014 Not Participating
196 npm buffer 0.337043542 Not Participating
197 npm is-stream 0.331473493 Not Participating
198 npm anymatch 0.325079927 Not Participating
199 npm typescript 0.324775098 Not Participating
200 npm whatwg-fetch 0.323529326 Not Participating
201 npm tar 0.323330985 Not Participating
202 npm core-util-is 0.321750827 Not Participating
203 npm fast-json-stable-stringify 0.316768488 Not Participating
204 npm path-is-absolute 0.31512471 Not Participating
205 npm postcss-selector-parser 0.312262574 Not Participating
206 npm slash 0.310504396 Not Participating
207 npm bcryptjs 0.308140757 Not Participating
208 npm crypto-js 0.308140757 Not Participating
209 npm sax 0.307296266 Not Participating
210 npm psl 0.304740615 Not Participating
211 npm restore-cursor 0.303341088 Not Participating
212 npm nopt 0.303162894 Not Participating
213 npm is-binary-path 0.302807703 Not Participating
214 npm strip-json-comments 0.300438877 Not Participating
215 npm signal-exit 0.299503918 Not Participating
216 npm load-json-file 0.29806494 Not Participating
217 npm array-flatten 0.290625838 Not Participating
218 npm strip-bom 0.289023089 Not Participating
219 npm gulp 0.288934275 Not Participating
220 npm isexe 0.284859151 Not Participating
221 npm inflight 0.284484772 Not Participating
222 npm statuses 0.282806143 Not Participating
223 npm ansi-escapes 0.281362037 Not Participating
224 npm es-abstract 0.278953984 Not Participating
225 npm fs.realpath 0.278544705 Not Participating
226 npm ignore 0.273649708 Not Participating
227 npm extend 0.26963028 Not Participating
228 npm chownr 0.269213394 Not Participating
229 npm hammerjs 0.267494481 Not Participating
230 npm combined-stream 0.263828254 Not Participating
231 npm mocha 0.262134533 Not Participating
232 npm tmp 0.261656157 Not Participating
233 npm find-cache-dir 0.261243585 Not Participating
234 npm figures 0.257367118 Not Participating
235 npm is-regex 0.252527496 Not Participating
236 npm har-validator 0.251037637 Not Participating
237 npm npm-run-path 0.249928715 Not Participating
238 npm fs 0.243374713 Not Participating
239 npm loader-utils 0.239612326 Not Participating
240 npm minipass 0.237321465 Not Participating
241 npm raw-body 0.234810495 Not Participating
242 npm mute-stream 0.233556861 Not Participating
243 npm buffer-from 0.232062656 Not Participating
244 npm method-override 0.22952818 Not Participating
245 npm has-symbols 0.225131543 Not Participating
246 npm hosted-git-info 0.222606286 Not Participating
247 npm get-caller-file 0.216780759 Not Participating
248 npm entities 0.215048138 Not Participating
249 npm readdirp 0.214517613 Not Participating
250 npm jest 0.208088386 Not Participating
251 npm is-callable 0.20653044 Not Participating
252 npm base64-js 0.204592697 Not Participating
253 npm require-main-filename 0.196497067 Not Participating
254 npm p-finally 0.193255597 Not Participating
255 npm to-fast-properties 0.191025421 Not Participating
256 npm ieee754 0.189748271 Not Participating
257 npm serve-static 0.188273668 Not Participating
258 npm eslint-scope 0.187384461 Not Participating
259 npm concat-stream 0.186650713 Not Participating
260 npm immutable 0.179055332 Not Participating
261 npm extsprintf 0.178858827 Not Participating
262 npm md5 0.17503537 Not Participating
263 npm ramda 0.172247048 Not Participating
264 npm node-uuid 0.169675422 Not Participating
265 npm number-is-nan 0.169450848 Not Participating
266 npm ini 0.168507202 Not Participating
267 npm convert-source-map 0.165568242 Not Participating
268 npm delayed-stream 0.16513655 Not Participating
269 npm arr-diff 0.163359469 Not Participating
270 npm browserslist 0.160982754 Not Participating
271 npm sprintf-js 0.160185816 Not Participating
272 npm babel-preset-es2015 0.15984885 27
273 npm normalize-url 0.155894297 Not Participating
274 npm decamelize 0.154284952 Not Participating
275 npm graphql 0.154141905 Not Participating
276 npm styled-components 0.152851647 Not Participating
277 npm uri-js 0.146997725 Not Participating
278 npm got 0.146849636 Not Participating
279 npm assert-plus 0.144923829 Not Participating
280 npm redux-logger 0.135729082 Not Participating
281 npm is-path-inside 0.133396418 Not Participating
282 npm querystring 0.13143184 Not Participating
283 npm performance-now 0.130466823 Not Participating
284 npm depd 0.128004952 Not Participating
285 npm cli-cursor 0.127640798 Not Participating
286 npm repeat-string 0.126564918 Not Participating
287 npm accepts 0.125989789 Not Participating
288 npm es-to-primitive 0.124832177 Not Participating
289 npm babel-runtime 0.124223272 27
290 npm @babel/code-frame 0.118857963 27
291 npm react-scripts 0.117482497 Not Participating
292 npm os-tmpdir 0.117042156 Not Participating
293 npm sshpk 0.116466527 Not Participating
294 npm query-string 0.116043683 Not Participating
295 npm oauth-sign 0.108501315 Not Participating
296 npm zcourts-angular-master 0.106515177 Not Participating
297 npm chart.js 0.103569391 Not Participating
298 npm spdx-license-ids 0.103355597 Not Participating
299 npm component-emitter 0.100326576 Not Participating
300 npm istanbul 0.099102767 Not Participating
301 npm is-symbol 0.09798776 Not Participating
302 npm define-properties 0.09792445 Not Participating
303 npm ipaddr.js 0.097570293 Not Participating
304 npm indent-string 0.095241247 Not Participating
305 npm eslint 0.094574661 Not Participating
306 npm finalhandler 0.093996219 Not Participating
307 npm aws-sdk 0.091865811 Not Participating
308 npm webpack 0.088764434 Not Participating
309 npm jsprim 0.084442659 Not Participating
310 npm socket.io 0.083916247 Not Participating
311 npm array-unique 0.082499525 Not Participating
312 npm ts-node 0.082129597 Not Participating
313 npm is-date-object 0.081268444 Not Participating
314 npm function-bind 0.081010371 Not Participating
315 npm @babel/types 0.080179698 27
316 npm jsonfile 0.080035419 Not Participating
317 npm @babel/preset-env 0.078715585 27
318 npm classlist.js 0.078556298 Not Participating
319 npm swagger-ui-express 0.077662973 Not Participating
320 npm os-locale 0.077423276 Not Participating
321 npm parse5 0.075301491 Not Participating
322 npm @material-ui/icons 0.074982999 Not Participating
323 npm history 0.073196899 Not Participating
324 npm csurf 0.0714097 Not Participating
325 npm @types/express 0.070516375 Not Participating
326 npm cacache 0.070349307 Not Participating
327 npm fs-minipass 0.069214436 Not Participating
328 npm normalize.css 0.065868186 Not Participating
329 npm json-stringify-safe 0.06398904 Not Participating
330 npm send 0.062591275 Not Participating
331 npm parseurl 0.062565844 Not Participating
332 npm agent-base 0.06197592 Not Participating
333 npm asn1 0.061439349 Not Participating
334 npm unexpected-bluebird 0.061307398 Not Participating
335 npm verror 0.060912409 Not Participating
336 npm wordwrap 0.060004711 Not Participating
337 npm @testing-library/jest-dom 0.059796478 Not Participating
338 npm doctrine 0.05804017 Not Participating
339 npm bcrypt 0.058009829 Not Participating
340 npm file-type 0.056685782 Not Participating
341 npm content-disposition 0.056628687 Not Participating
342 npm @testing-library/user-event 0.054883192 Not Participating
343 npm http-signature 0.053719732 Not Participating
344 npm argparse 0.053637103 Not Participating
345 npm lodash.debounce 0.053543205 Not Participating
346 npm del-symlinks 0.05283094 Not Participating
347 npm @testing-library/react 0.051756556 Not Participating
348 npm estraverse 0.051659609 Not Participating
349 npm extglob 0.050679973 Not Participating
350 npm path-parse 0.050337375 Not Participating
351 npm expand-brackets 0.049052788 Not Participating
352 npm p-map 0.048971531 Not Participating
353 npm aws-sign2 0.048674742 Not Participating
354 npm fsevents 0.048546352 Not Participating
355 npm is-obj 0.048359631 Not Participating
356 npm spdx-correct 0.047580225 Not Participating
357 npm connect-flash 0.043269971 Not Participating
358 npm es6-promise 0.042641921 Not Participating
359 npm range-parser 0.042567428 Not Participating
360 npm https-proxy-agent 0.042098295 Not Participating
361 npm dom-serializer 0.04015514 Not Participating
362 npm is-wsl 0.038382837 Not Participating
363 npm error-ex 0.037236125 Not Participating
364 npm faye-websocket 0.036314127 Not Participating
365 npm on-finished 0.036116317 Not Participating
366 npm json-schema 0.035331826 Not Participating
367 npm memory-fs 0.035056838 Not Participating
368 npm lowercase-keys 0.034245991 Not Participating
369 npm follow-redirects 0.033983043 Not Participating
370 npm which-module 0.033586828 Not Participating
371 npm escape-html 0.032070655 Not Participating
372 npm set-value 0.030959267 Not Participating
373 npm crypto 0.030763424 Not Participating
374 npm pako 0.02946957 Not Participating
375 npm react-app-polyfill 0.02808345 Not Participating
376 npm intl 0.027636788 Not Participating
377 npm duplexify 0.026270503 Not Participating
378 npm isstream 0.026192314 Not Participating
379 npm tunnel-agent 0.026076281 Not Participating
380 npm bcrypt-pbkdf 0.025460541 Not Participating
381 npm prepend-http 0.02414249 Not Participating
382 npm babel-loader 0.024097734 27
383 npm unpipe 0.022314374 Not Participating
384 npm node-sass 0.019557164 Not Participating
385 npm jade 0.017810215 Not Participating
386 npm proxy-addr 0.017508689 Not Participating
387 npm clone 0.017374209 Not Participating
388 npm has-ansi 0.014073111 Not Participating
389 npm bn.js 0.013542167 Not Participating
390 npm css-select 0.013205363 Not Participating
391 npm write-file-atomic 0.011639833 Not Participating
392 npm @hapi/joi 0.011130301 Not Participating
393 npm caseless 0.010653159 Not Participating
394 npm is-typedarray 0.010302897 Not Participating
395 npm ssri 0.009015685 Not Participating
396 npm type-is 0.006923136 Not Participating
397 npm set-blocking 0.004538212 Not Participating
398 npm passport-jwt 0.004410344 Not Participating
399 npm moment-timezone 0.004383801 Not Participating
400 npm tweetnacl 0.002651587 Not Participating
401 npm date-fns -0.000835856 Not Participating
402 npm ecc-jsbn -0.001719401 Not Participating
403 npm numeral -0.004522903 Not Participating
404 npm babel-preset-react -0.004969566 27
405 npm typedarray -0.005629222 Not Participating
406 npm cross-env -0.006756215 Not Participating
407 npm url -0.006955784 Not Participating
408 npm lodash-es -0.010776176 Not Participating
409 npm fresh -0.01102083 Not Participating
410 npm etag -0.011322399 Not Participating
411 npm events -0.011786273 Not Participating
412 npm errorhandler -0.012116164 Not Participating
413 npm object-inspect -0.014469924 Not Participating
414 npm code-point-at -0.014483721 Not Participating
415 npm node-cache -0.016136125 Not Participating
416 npm decode-uri-component -0.016426395 Not Participating
417 npm har-schema -0.016626374 Not Participating
418 npm aproba -0.018560847 Not Participating
419 npm loose-envify -0.018803171 Not Participating
420 npm cosmiconfig -0.020351687 Not Participating
421 npm aws4 -0.022810308 Not Participating
422 npm abbrev -0.023267342 Not Participating
423 npm webpack-cli -0.02462271 Not Participating
424 npm postcss-value-parser -0.026132465 Not Participating
425 npm redis -0.026752363 Not Participating
426 npm asynckit -0.028597896 Not Participating
427 npm toidentifier -0.030275979 Not Participating
428 npm deep-extend -0.034447278 Not Participating
429 npm @babel/polyfill -0.034449282 27
430 npm negotiator -0.035538713 Not Participating
431 npm ee-first -0.035613003 Not Participating
432 npm cross-fetch -0.039809231 Not Participating
433 npm through -0.040513701 Not Participating
434 npm react-helmet -0.044519201 Not Participating
435 npm source-map-resolve -0.04482535 Not Participating
436 npm has -0.044854597 Not Participating
437 npm @babel/parser -0.045633158 27
438 npm esm -0.046509166 Not Participating
439 npm react-is -0.04689413 81
440 npm spdx-expression-parse -0.047537314 Not Participating
441 npm @types/lodash -0.04918914 Not Participating
442 npm enzyme -0.050082465 Not Participating
443 npm destroy -0.050907049 Not Participating
444 npm import-fresh -0.050943989 Not Participating
445 npm basic-auth -0.05097579 Not Participating
446 npm forwarded -0.052020622 Not Participating
447 npm babel-preset-env -0.052762439 27
448 npm identity-obj-proxy -0.052762439 Not Participating
449 npm dashdash -0.053321846 Not Participating
450 npm q -0.053694963 Not Participating
451 npm forever-agent -0.054164155 Not Participating
452 npm jsbn -0.054469158 Not Participating
453 npm utils-merge -0.054792503 Not Participating
454 npm chardet -0.055700316 Not Participating
455 npm encodeurl -0.056113917 Not Participating
456 npm prettier -0.056978178 Not Participating
457 npm npm-run-all -0.057229063 Not Participating
458 npm clsx -0.059015713 Not Participating
459 npm arr-union -0.059098364 Not Participating
460 npm xml2js -0.059271581 Not Participating
461 npm apollo-link-http -0.061249024 Not Participating
462 npm pluralize -0.061695687 Not Participating
463 npm superagent -0.062589012 Not Participating
464 npm nan -0.064586027 Not Participating
465 npm nodemon -0.064822323 Not Participating
466 npm @types/uuid -0.065268986 Not Participating
467 npm emojis-list -0.065893088 Not Participating
468 npm koa-bodyparser -0.066608973 Not Participating
469 npm invert-kv -0.066790458 Not Participating
470 npm lcid -0.067070715 Not Participating
471 npm yamljs -0.067502298 Not Participating
472 npm ci-info -0.067861648 Not Participating
473 npm junit -0.068664964 Not Participating
474 npm scheduler -0.068864564 81
475 npm spdx-exceptions -0.068880938 Not Participating
476 npm type -0.068999278 Not Participating
477 npm universalify -0.071485568 Not Participating
478 npm normalize-package-data -0.071552004 Not Participating
479 npm vue -0.073421864 15
480 npm faker -0.073755571 Not Participating
481 npm pug -0.074648896 Not Participating
482 npm content-type -0.074831229 Not Participating
483 npm formidable -0.075095558 Not Participating
484 npm http-status-codes -0.076882207 Not Participating
485 npm imurmurhash -0.077345764 Not Participating
486 npm lodash.isequal -0.079562182 Not Participating
487 npm repeat-element -0.079888727 Not Participating
488 npm vary -0.07998436 Not Participating
489 npm array-union -0.082080287 Not Participating
490 npm rc -0.084292262 Not Participating
491 npm uglify-js -0.086541709 Not Participating
492 npm @types/node-fetch -0.08670878 Not Participating
493 npm babel-register -0.08670878 27
494 npm methods -0.08723538 Not Participating
495 npm getpass -0.087379798 Not Participating
496 npm cssesc -0.089936034 Not Participating
497 npm electron-to-chromium -0.092625707 Not Participating
498 npm eslint-plugin-import -0.093255165 Not Participating
499 npm wide-align -0.093267442 Not Participating
500 npm apollo-link -0.096535352 Not Participating
Appendix B: Top 500 Non-npm, Direct, Version Agnostic Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners hosted on package managers other than npm. These packages were directly observed in use
and are version agnostic. For further information on how this list was compiled, refer to the Methods section.
PLATFORM NAME Z-SCORE COMBINED OPENSSF BADGE TIERED PERCENTAGE
1 maven org.slf4j:slf4j-api 10.1328399 Not Participating
2 nuget json.net 8.30979326 Not Participating
3 maven com.fasterxml.jackson.core:jackson-databind 7.58137579 Not Participating
4 maven com.google.guava:guava 7.53396837 Not Participating
5 maven com.fasterxml.jackson.core:jackson-core 7.32281616 Not Participating
6 maven org.springframework:spring-framework-bom 6.63171721 Not Participating
7 maven com.fasterxml.jackson.core:jackson-annotations 4.7801416 Not Participating
8 maven commons-io:commons-io 4.63091855 Not Participating
9 maven junit:junit 4.61275753 Not Participating
10 go github.com/grpc/grpc-go 4.42577675 109
11 nuget facebook 4.40302246 Not Participating
12 maven org.apache.commons:commons-lang3 4.26468893 Not Participating
13 cargo sha2-asm 4.23259286 Not Participating
14 go github.com/kubernetes/client-go 4.02518063 Not Participating
15 maven commons-codec:commons-codec 3.94522406 Not Participating
16 go github.com/kubernetes/apimachinery 3.91872172 Not Participating
17 go github.com/kubernetes/api 3.90901422 Not Participating
18 maven org.kie.modules:org-apache-poi 3.72130407 Not Participating
19 go github.com/stretchr/testify 3.54512816 Not Participating
20 pypi six 3.09174854 Not Participating
21 go github.com/kubernetes/klog 3.08678905 Not Participating
22 rubygems bouncy-castle-java 3.06580561 Not Participating
23 maven ch.qos.logback:logback-classic 3.04900319 Not Participating
24 go github.com/pkg/errors 2.88912305 Not Participating
25 maven org.apache.httpcomponents:httpcore 2.81410724 Not Participating
26 go github.com/spf13/cobra 2.67434199 Not Participating
27 maven com.google.code.gson:gson 2.57518426 Not Participating
28 maven commons-lang:commons-lang 2.50740996 Not Participating
29 maven commons-logging:commons-logging 2.4824948 Not Participating
30 go golang.org/x/net 2.4676169 Not Participating
31 maven org.projectlombok:lombok 2.45592427 Not Participating
32 maven com.amazonaws:aws-java-sdk 2.35786728 Not Participating
33 rubygems awssdk 2.35786728 Not Participating
34 go github.com/prometheus/client_golang 2.35189721 Not Participating
35 maven org.apache.camel:camel-snakeyaml 2.3054274 Not Participating
36 maven joda-time:joda-time 2.29386212 Not Participating
37 maven com.google.code.findbugs:jsr305 2.24963461 Not Participating
38 maven log4j:log4j 2.21833392 Not Participating
39 maven org.apache.httpcomponents:httpclient 2.19993104 Not Participating
40 pypi pyyaml 2.12135956 Not Participating
41 go github.com/gorilla/mux 2.08044499 Not Participating
42 nuget modernizr 2.07723504 24
43 pypi requests 2.01177377 Not Participating
44 cargo openssl 2.00389811 Not Participating
45 maven com.squareup.retrofit2:converter-gson 1.99078814 Not Participating
46 maven org.codehaus.plexus:plexus-archiver 1.93834827 Not Participating
47 go github.com/kubernetes/utils 1.93127309 Not Participating
48 rubygems rally-jasmine-core 1.91212833 Not Participating
49 go gopkg.in/yaml.v2 1.90251491 Not Participating
50 go github.com/aws/aws-sdk-go 1.90150342 Not Participating
51 go github.com/prometheus/common 1.89438459 Not Participating
52 go golang.org/x/crypto 1.8883543 Not Participating
53 go github.com/golang/protobuf 1.83909716 Not Participating
54 pypi urllib3 1.79782728 Not Participating
55 maven commons-collections:commons-collections 1.75418232 Not Participating
56 go github.com/json-iterator/go 1.73647594 Not Participating
57 maven com.alibaba:dubbo-remoting-netty 1.68925885 Not Participating
58 maven io.dropwizard:dropwizard-hibernate 1.66303891 Not Participating
59 go github.com/google/uuid 1.65410427 Not Participating
60 maven commons-beanutils:commons-beanutils 1.64113186 Not Participating
61 maven ch.qos.logback:logback-core 1.62800775 Not Participating
62 maven org.apache.maven.plugin-tools:maven-plugin-tools-api 1.62370901 Not Participating
63 maven org.springframework:spring-core 1.60215388 Not Participating
64 maven org.slf4j:jcl-over-slf4j 1.58850366 Not Participating
65 maven org.junit.jupiter:junit-jupiter-api 1.57265715 Not Participating
66 maven javax.xml.bind:jaxb-api 1.53139878 Not Participating
67 maven org.yaml:snakeyaml 1.52503532 3
68 go github.com/kubernetes-sigs/controller-runtime 1.52096946 Not Participating
69 maven net.bytebuddy:byte-buddy-agent 1.51320346 Not Participating
70 go github.com/kubernetes-sigs/yaml 1.50446671 Not Participating
71 go github.com/spf13/pflag 1.50359831 Not Participating
72 nuget newtonsoft.json 1.49502161 Not Participating
73 go golang.org/x/sys 1.47098998 Not Participating
74 maven org.powermock:powermock-classloading-objenesis 1.44016944 Not Participating
75 packagist components/angular.js 1.42705947 Not Participating
76 go github.com/go-openapi/spec 1.42421805 Not Participating
77 maven org.jboss.logging:jboss-logging 1.42030167 Not Participating
78 maven org.apache.maven:maven-artifact 1.37727381 Not Participating
79 maven org.assertj:assertj-core 1.35578513 Not Participating
80 go github.com/googleapis/go-genproto 1.32228931 Not Participating
81 maven org.springframework:spring-context 1.31777997 Not Participating
82 maven javax.validation:validation-api 1.31028956 Not Participating
83 pypi jinja2 1.30265702 Not Participating
84 maven org.springframework.boot:spring-boot-starter-web 1.29147813 Not Participating
85 go github.com/onsi/ginkgo 1.29090173 Not Participating
86 maven jakarta.ws.rs:jakarta.ws.rs-api 1.27684984 Not Participating
87 maven org.eclipse.jetty:jetty-util 1.25922594 Not Participating
88 pypi python-dateutil 1.2437047 Not Participating
89 maven javax.ws.rs:javax.ws.rs-api 1.23710978 Not Participating
90 go github.com/davecgh/go-spew 1.22653931 Not Participating
91 maven javax.servlet:javax.servlet-api 1.21206363 Not Participating
92 maven org.objenesis:objenesis 1.21160526 Not Participating
93 go golang.org/x/text 1.19874715 Not Participating
94 go github.com/sirupsen/logrus 1.19669533 Not Participating
95 maven org.slf4j:jul-to-slf4j 1.18630903 Not Participating
96 go github.com/google/go-cmp 1.18449293 Not Participating
97 maven com.google.errorprone:error_prone_annotations 1.17341108 Not Participating
98 maven org.hibernate:hibernate-validator 1.17265695 Not Participating
99 maven org.junit.platform:junit-platform-engine 1.16333145 Not Participating
100 maven org.hamcrest:hamcrest-core 1.15780485 Not Participating
101 go github.com/google/gofuzz 1.1482015 Not Participating
102 go github.com/gogo/protobuf 1.13330708 Not Participating
103 maven org.springframework:spring-web 1.12687566 Not Participating
104 go github.com/ghodss/yaml 1.12425633 Not Participating
105 maven org.apache.struts:struts2-jfreechart-plugin 1.09931024 Not Participating
106 maven org.springframework:spring-beans 1.09366776 Not Participating
107 pypi click 1.09310029 Not Participating
108 pypi idna 1.09286627 Not Participating
109 maven com.google.cloud.sql:mysql-socket-factory-connector-j-6 1.08620027 Not Participating
110 maven javax.inject:javax.inject 1.04518532 Not Participating
111 maven commons-cli:commons-cli 1.03939048 Not Participating
112 rubygems aws-sdk 1.02065043 Not Participating
113 maven javax.xml:jsr173 1.02065043 Not Participating
114 go golang.org/x/oauth2 1.01957421 Not Participating
115 maven org.springframework.boot:spring-boot 1.01606739 Not Participating
116 go github.com/fatih/color 1.00614843 Not Participating
117 maven javax.activation:activation 1.00397797 Not Participating
118 maven com.fasterxml.jackson.datatype:jackson-datatype-jsr310 0.9973346 Not Participating
119 nuget castle.core-log4net 0.99443049 Not Participating
120 go github.com/imdario/mergo 0.98220326 Not Participating
121 maven org.mockito:mockito-core 0.98158798 Not Participating
122 maven org.json:json 0.97638182 Not Participating
123 pypi chardet 0.96206254 Not Participating
124 maven org.junit.jupiter:junit-jupiter-engine 0.96106501 Not Participating
125 maven org.slf4j:slf4j-log4j12 0.96042263 Not Participating
126 maven org.apache.commons:commons-compress 0.95631701 Not Participating
127 maven org.apache.logging.log4j:log4j-api 0.92823276 Not Participating
128 pypi markupsafe 0.91528665 Not Participating
129 go github.com/azure/azure-sdk-for-go 0.91522152 Not Participating
130 pypi pytz 0.91487375 Not Participating
131 maven org.springframework.boot:spring-boot-starter-web-services 0.88955074 Not Participating
132 maven org.slf4j:jcl104-over-slf4j 0.88955074 Not Participating
133 maven org.springframework.boot:spring-boot-starter-data-redis 0.88955074 Not Participating
134 maven org.kie.modules:org-apache-velocity-main 0.88955074 Not Participating
135 maven javax.annotation:javax.annotation-api 0.88754686 Not Participating
136 maven org.checkerframework:checker-qual 0.88242506 Not Participating
137 pypi numpy 0.88130356 Not Participating
138 maven org.mybatis:mybatis-guice 0.87644077 Not Participating
139 pypi attrs 0.86362513 Not Participating
140 pypi pandas 0.86286179 Not Participating
141 pypi python-dotenv 0.84435678 Not Participating
142 maven com.fasterxml:classmate 0.84091283 Not Participating
143 maven org.jclouds.driver:jclouds-jsch 0.83711086 Not Participating
144 pypi certifi 0.83490788 Not Participating
145 maven org.javassist:javassist 0.81115578 Not Participating
146 rubygems nunit 0.81089092 Not Participating
147 go github.com/kubernetes/component-base 0.81070411 Not Participating
148 maven org.junit.platform:junit-platform-commons 0.80404254 Not Participating
149 maven org.springframework:spring-aop 0.79994774 Not Participating
150 maven groovy:groovy-all-1.0-jsr 0.79778095 Not Participating
151 maven activation:activation 0.79778095 Not Participating
152 pypi flask 0.79416739 Not Participating
153 maven com.google.j2objc:j2objc-annotations 0.79314826 Not Participating
154 go github.com/kubernetes/apiextensions-apiserver 0.7838467 Not Participating
155 maven org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec 0.77156101 Not Participating
156 conda r-rlang 0.77156101 Not Participating
157 go github.com/kubernetes/kubernetes 0.76928545 111
158 go github.com/blang/semver 0.76022512 Not Participating
159 maven org.hibernate:hibernate-hikaricp 0.74534108 Not Participating
160 pypi packaging 0.73945871 Not Participating
161 go github.com/uber-go/zap 0.73110262 Not Participating
162 maven org.springframework:spring-expression 0.72519373 Not Participating
163 maven org.apache.commons:commons-collections4 0.7108377 Not Participating
164 maven net.bytebuddy:byte-buddy 0.70888635 Not Participating
165 maven org.jetbrains.kotlin:kotlin-stdlib 0.7003286 Not Participating
166 maven org.jetbrains:annotations 0.69973504 Not Participating
167 maven org.apache.maven:maven-model 0.69739906 Not Participating
168 pypi pyparsing 0.68258513 Not Participating
169 maven org.junit.jupiter:junit-jupiter-params 0.68068683 Not Participating
170 maven org.aspectj:aspectjweaver 0.68062403 Not Participating
171 pypi lesscss 0.67979123 Not Participating
172 maven com.jayway.jsonpath:json-path 0.67688224 Not Participating
173 maven com.google.guava:failureaccess 0.66805759 Not Participating
174 maven com.google.guava:listenablefuture 0.66782582 Not Participating
175 maven commons-validator:commons-validator 0.66148151 Not Participating
176 maven jakarta.xml.bind:jakarta.xml.bind-api 0.65804937 Not Participating
177 nuget freqsystemdependencies 0.65664617 Not Participating
178 go github.com/go-redis/redis 0.6385578 Not Participating
179 go github.com/asaskevich/govalidator 0.62787955 15
180 nuget microsoft.extensions.caching.memory 0.62735135 Not Participating
181 maven javax.mail:javax.mail-api 0.62735135 Not Participating
182 maven com.google.protobuf:protobuf-java 0.62377878 Not Participating
183 pypi schedule 0.61424138 Not Participating
184 maven io.springfox:springfox-swagger-ui 0.59733989 Not Participating
185 go github.com/prometheus/client_model 0.58692828 Not Participating
186 pypi django-jinja 0.57491148 Not Participating
187 go github.com/pierrec/lz4 0.57351755 Not Participating
188 pypi pyarrow 0.56995814 Not Participating
189 nuget microsoft.extensions.dependencyinjection.abstractions 0.56824392 Not Participating
190 go github.com/kubernetes/kube-openapi 0.5667223 Not Participating
191 maven xerces:xercesimpl 0.56634215 Not Participating
192 maven com.amazonaws:aws-java-sdk-kms 0.56180151 Not Participating
193 maven com.fasterxml.jackson.module:jackson-module-jaxb-annotations 0.55930846 Not Participating
194 maven com.sun.xml.bind:jaxb-impl 0.5560476 Not Participating
195 go github.com/census-instrumentation/opencensus-go 0.55021956 Not Participating
196 maven org.codehaus.mojo:animal-sniffer-annotations 0.54891346 Not Participating
197 maven com.vackosar.gitflowincrementalbuilder:gitflow-incremental-builder 0.54869154 Not Participating
198 maven com.fasterxml.jackson.datatype:jackson-datatype-jdk8 0.54091929 Not Participating
199 nuget microsoft.aspnet.webapi.client 0.53699979 Not Participating
200 maven org.apache.maven:maven-profile 0.53558157 Not Participating
201 go github.com/rs/cors 0.53145172 Not Participating
202 pypi celery 0.52530364 Not Participating
203 nuget microsoft.extensions.primitives 0.52470961 Not Participating
204 rubygems cscsl 0.5224716 Not Participating
205 bower jquery 0.51818481 Not Participating
206 maven org.ow2.asm:asm-commons 0.51376286 Not Participating
207 go github.com/spf13/viper 0.51148724 Not Participating
208 nuget log4net 0.50623929 Not Participating
209 pypi zipp 0.50023666 Not Participating
210 maven org.springframework.security:spring-security-config 0.49823948 Not Participating
211 maven io.swagger:swagger-annotations 0.49732709 Not Participating
212 maven javax.cache:cache-api 0.4934557 Not Participating
213 go github.com/mattn/go-colorable 0.49262173 Not Participating
214 go github.com/azure/go-autorest 0.49165098 Not Participating
215 maven org.ow2.asm:asm 0.48924508 Not Participating
216 maven com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 0.48920246 Not Participating
217 go github.com/onsi/gomega 0.48589219 Not Participating
218 pypi mako 0.4835614 Not Participating
219 maven io.github.java-diff-utils:java-diff-utils 0.4835614 Not Participating
220 maven org.apache.flink:flink-metrics-core 0.47003172 Not Participating
221 packagist hamcrest/hamcrest-php 0.47003172 Not Participating
222 maven io.springfox:springfox-swagger2 0.46990297 Not Participating
223 pypi cffi 0.46907135 Not Participating
224 go github.com/go-logr/logr 0.4680294 Not Participating
225 pypi cython 0.46707263 Not Participating
226 pypi humanize 0.46641148 Not Participating
227 go github.com/go-openapi/swag 0.46317565 Not Participating
228 nuget system.memory 0.46312326 Not Participating
229 pypi pycparser 0.46221019 Not Participating
230 maven org.easybatch:easybatch-opencsv 0.45692175 Not Participating
231 pypi flask-sqlalchemy 0.45087948 Not Participating
232 go github.com/kubernetes/apiserver 0.44570215 Not Participating
233 nuget microsoft.extensions.configuration.abstractions 0.44548712 Not Participating
234 maven io.netty:netty-buffer 0.4440372 Not Participating
235 maven org.hibernate:hibernate-commons-annotations 0.44381179 Not Participating
236 nuget microsoft.extensions.logging.abstractions 0.4428539 Not Participating
237 maven com.squareup.okhttp3:okhttp 0.4422488 15
238 nuget microsoft.extensions.options 0.44126574 Not Participating
239 maven org.apache.commons:commons-text 0.43827015 Not Participating
240 go github.com/prometheus/procfs 0.43728898 Not Participating
241 go github.com/mailru/easyjson 0.4369654 Not Participating
242 maven antlr:antlr 0.43631672 Not Participating
243 pypi cryptography 0.4346649 Not Participating
244 maven org.slf4j:log4j-over-slf4j 0.43138277 Not Participating
245 pypi werkzeug 0.42866734 Not Participating
246 maven io.netty:netty-handler 0.42656298 Not Participating
247 maven io.netty:netty-common 0.42541337 Not Participating
248 nuget xunit 0.42254675 Not Participating
249 pypi sphinx-rtd-theme 0.42110982 Not Participating
250 maven io.reactivex:rxjava-reactive-streams 0.41759185 Not Participating
251 go github.com/cespare/xxhash 0.41697496 Not Participating
252 maven net.minidev:json-smart 0.41267626 Not Participating
253 maven io.netty:netty-transport 0.40860434 Not Participating
254 rubygems highcharts-js-rails 0.40448188 Not Participating
255 maven org.jacoco:org.jacoco.ant 0.40417034 Not Participating
256 maven org.glassfish.jaxb:jaxb-runtime 0.4035392 Not Participating
257 maven org.jacoco:org.jacoco.agent 0.40297188 Not Participating
258 nuget microsoft.extensions.configuration 0.39630904 Not Participating
259 maven org.apache.maven:maven-plugin-registry 0.39137191 Not Participating
260 maven org.aspectj:aspectjrt 0.39078213 Not Participating
261 maven org.springframework.boot:spring-boot-starter-test 0.39059068 Not Participating
262 go github.com/russross/blackfriday 0.38519207 Not Participating
263 maven io.netty:netty-codec 0.38416191 Not Participating
264 nuget system.buffers 0.38374736 Not Participating
265 go github.com/googleapis/google-api-go-client 0.38163266 Not Participating
266 maven org.hibernate.validator:hibernate-validator 0.38013461 Not Participating
267 maven aws java sdk :: jmes path query library 0.37826194 Not Participating
268 maven org.glassfish.hk2:osgi-resource-locator 0.37800394 Not Participating
269 maven org.opentest4j:opentest4j 0.37489654 Not Participating
270 nuget xunit.runner.visualstudio 0.3746083 Not Participating
271 pypi wtforms 0.36933649 Not Participating
272 maven com.squareup.okio:okio 0.36540092 Not Participating
273 maven org.apache.flink:flink-connector-kafka-0.10_2.11 0.36515197 Not Participating
274 cargo hdrhistogram 0.36515197 Not Participating
275 rubygems antlr3 0.36515197 Not Participating
276 conda html5lib 0.36515197 Not Participating
277 pypi py 0.364723 12
278 pypi importlib-metadata 0.3639796 Not Participating
279 pypi msgpack 0.36254124 Not Participating
280 pypi geopy 0.36124691 Not Participating
281 maven xml-apis:xml-apis 0.3565752 Not Participating
282 pub mockito 0.352042 Not Participating
283 nuget microsoft.identitymodel.protocol.extensions 0.352042 Not Participating
284 maven org.springframework.data:spring-data-commons 0.35143596 Not Participating
285 maven org.springframework:spring-jcl 0.35073098 Not Participating
286 rubygems rspec 0.34934255 Not Participating
287 maven dom4j:dom4j 0.34751809 Not Participating
288 go github.com/emicklei/go-restful 0.34700924 Not Participating
289 pypi appdirs 0.34242721 Not Participating
290 pypi colorama 0.34218413 Not Participating
291 maven org.apache.logging.log4j:log4j-core 0.33934399 Not Participating
292 rubygems jasmine 0.33893203 Not Participating
293 maven com.microsoftopentechnologies:windows-azure-storage-plugin 0.33893203 Not Participating
294 maven org.springframework.boot:spring-boot-starter 0.3352594 Not Participating
295 maven org.reactivestreams:reactive-streams 0.33460661 Not Participating
296 maven org.apache.maven:maven-core 0.33455653 Not Participating
297 nuget microsoft.web.infrastructure 0.33026523 Not Participating
298 pypi croniter 0.32953574 Not Participating
299 nuget microsoft.extensions.caching.abstractions 0.32582206 Not Participating
300 nuget moq 0.32582206 Not Participating
301 cran foreach 0.32582206 Not Participating
302 maven org.apache.maven:maven-archiver 0.32582206 Not Participating
303 maven ru.yandex.qatools.allure:allure-report-plugin-api 0.32582206 Not Participating
304 maven org.glassfish.hk2.external:jakarta.inject 0.32207575 Not Participating
305 go gopkg.in/inf.v0 0.32169983 Not Participating
306 pypi marshmallow 0.32112258 Not Participating
307 pypi sqlalchemy-utils 0.32047541 Not Participating
308 nuget microsoft.extensions.logging 0.32037973 Not Participating
309 go github.com/fsnotify/fsnotify 0.31818447 Not Participating
310 maven ch.qos.logback:logback-access 0.31768139 Not Participating
311 maven org.apiguardian:apiguardian-api 0.3149996 Not Participating
312 nuget nuget.commandline 0.31271209 Not Participating
313 maven org.glassfish.hk2:hk2-utils 0.31228832 Not Participating
314 pypi alembic 0.3110915 Not Participating
315 go github.com/opentracing/opentracing-go 0.31076791 Not Participating
316 pypi flask-migrate 0.30785566 Not Participating
317 maven org.springframework:spring-webmvc 0.30366963 Not Participating
318 go github.com/go-openapi/jsonreference 0.301384 Not Participating
319 go github.com/mitchellh/go-homedir 0.30138214 Not Participating
320 nuget microsoft.identitymodel.tokens 0.30043215 Not Participating
321 go github.com/gorilla/handlers 0.30041325 Not Participating
322 pypi py2-ipaddress 0.29960212 Not Participating
323 nuget system.diagnostics.diagnosticsource 0.29877605 Not Participating
324 maven com.google.inject:guice 0.29704625 Not Participating
325 maven org.glassfish.hk2:hk2-locator 0.29391191 Not Participating
326 maven jakarta.servlet:jakarta.servlet-api 0.29131525 Not Participating
327 pypi setuptools 0.29085472 Not Participating
328 maven org.apache.tomcat.embed:tomcat-embed-core 0.2898098 Not Participating
329 maven com.webcohesion.enunciate:enunciate-lombok 0.28649216 Not Participating
330 maven org.nuiton.js:nuiton-js-angular-ui-bootstrap 0.28649216 Not Participating
331 pypi flask-jwt-extended 0.28488125 Not Participating
332 pypi python3-openid 0.28261617 Not Participating
333 go gopkg.in/yaml.v3 0.28261617 Not Participating
334 nuget microsoft.extensions.configuration.binder 0.28195587 Not Participating
335 pypi geographiclib 0.28132183 Not Participating
336 nuget system.threading.tasks.extensions 0.2812084 Not Participating
337 go github.com/go-openapi/strfmt 0.27840958 Not Participating
338 pypi marshmallow-sqlalchemy 0.278086 Not Participating
339 pypi parsedatetime 0.27582092 Not Participating
340 maven javax.servlet:jstl 0.27453679 Not Participating
341 cocoapods libpng 0.27338219 Not Participating
342 nuget system.valuetuple 0.2730215 Not Participating
343 go golang.org/x/time 0.27300637 Not Participating
344 pypi flask-caching 0.27096717 Not Participating
345 pypi flask-babel 0.27096717 Not Participating
346 pypi flask-openid 0.27096717 Not Participating
347 pypi flask-talisman 0.27064358 Not Participating
348 go github.com/gocql/gocql 0.27032 Not Participating
349 pypi retry 0.26967283 Not Participating
350 pypi flask-compress 0.26967283 Not Participating
351 pypi apispec 0.2683785 Not Participating
352 pypi python-geohash 0.26805492 Not Participating
353 pypi polyline 0.26773133 Not Participating
354 pypi prison 0.26773133 Not Participating
355 nuget microsoft.identitymodel.logging 0.26742093 Not Participating
356 pypi wtforms-json 0.26740775 Not Participating
357 pypi flask-appbuilder 0.26676058 Not Participating
358 maven io.reactivex:rxjava 0.26674679 Not Participating
359 go github.com/golang/mock 0.25999529 Not Participating
360 maven com.sun.xml.fastinfoset:fastinfoset 0.25815782 Not Participating
361 maven jakarta.annotation:jakarta.annotation-api 0.25671931 Not Participating
362 maven org.dom4j:dom4j 0.25662826 Not Participating
363 pypi selenium 0.25596195 Not Participating
364 nuget microsoft.extensions.dependencyinjection 0.25379462 Not Participating
365 pypi sphinx 0.25170804 Not Participating
366 maven jakarta.validation:jakarta.validation-api 0.25100845 Not Participating
367 maven org.hdrhistogram:hdrhistogram 0.24947041 Not Participating
368 maven net.minidev:accessors-smart 0.2484632 Not Participating
369 nuget system.text.regularexpressions 0.2479709 Not Participating
370 maven org.apache.maven:maven-aether-provider 0.24716225 Not Participating
371 pypi jedi 0.24716225 Not Participating
372 maven io.netty:netty-resolver 0.24618225 Not Participating
373 maven org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec 0.24137936 Not Participating
374 maven com.h2database:h2 0.24049834 Not Participating
375 maven jakarta.activation:jakarta.activation-api 0.23859415 Not Participating
376 maven com.google.android:annotations 0.23838321 300
377 maven com.netflix.archaius:archaius-core 0.23638577 Not Participating
378 maven org.scala-lang:scala-compiler 0.23405228 Not Participating
379 maven org.springframework:spring-messaging 0.23405228 Not Participating
380 maven ru.yandex.qatools.clay:clay-maven-settings-builder 0.23405228 Not Participating
381 maven io.perfmark:perfmark-api 0.23299013 Not Participating
382 go github.com/lib/pq 0.23246075 Not Participating
383 pypi itsdangerous 0.23069493 Not Participating
384 maven org.jvnet.staxex:stax-ex 0.22999398 Not Participating
385 maven aopalliance:aopalliance 0.2254658 Not Participating
386 maven io.vavr:vavr 0.22400168 Not Participating
387 go github.com/grpc-ecosystem/grpc-gateway 0.22242967 Not Participating
388 maven org.kie.modules:org-codehaus-woodstox-main 0.22094231 Not Participating
389 nuget nlog 0.22094231 31
390 maven org.n52.arctic-sea:svalbard-xmlbeans 0.22094231 Not Participating
391 maven com.google.api.grpc:proto-google-common-protos 0.21760988 Not Participating
392 maven org.apache.geronimo.specs:geronimo-jta_1.1_spec 0.21261629 Not Participating
393 maven commons-fileupload:commons-fileupload 0.21216423 Not Participating
394 maven edu.washington.cs.types.checker:checker-framework 0.20981988 Not Participating
395 pypi gunicorn 0.20952916 Not Participating
396 go github.com/masterminds/semver 0.20948634 Not Participating
397 maven com.sun.mail:jakarta.mail 0.2094204 Not Participating
398 pypi s3transfer 0.20897491 Not Participating
399 maven org.hibernate:hibernate-core 0.20859486 Not Participating
400 maven org.apache.httpcomponents:httpmime 0.20827447 Not Participating
401 maven org.springframework.data:spring-data-keyvalue 0.20783234 Not Participating
402 maven io.vavr:vavr-match 0.2062245 Not Participating
403 go github.com/kubernetes/cli-runtime 0.19945526 Not Participating
404 maven org.apache.tomcat.embed:tomcat-embed-el 0.19625858 Not Participating
405 maven org.ehcache:ehcache 0.19324117 Not Participating
406 maven org.eclipse.jetty.toolchain.setuid:jetty-setuid-java 0.19304143 Not Participating
407 go gopkg.in/ini.v1 0.19104209 Not Participating
408 maven com.helger:profiler 0.19084425 Not Participating
409 go github.com/uber-go/automaxprocs 0.18974776 Not Participating
410 maven org.apache.commons:commons-pool2 0.18766818 Not Participating
411 maven org.glassfish.jersey.media:jersey-media-json-jettison 0.1816124 Not Participating
412 go github.com/uber-go/atomic 0.17874593 Not Participating
413 nuget sharpziplib 0.1753783 Not Participating
414 maven org.skyscreamer:jsonassert 0.17460447 Not Participating
415 nuget system.runtime.compilerservices.unsafe 0.17306707 Not Participating
416 maven org.apache.commons:commons-digester3 0.16850243 Not Participating
417 maven net.bytebuddy:byte-buddy-dep 0.16850243 Not Participating
418 maven org.eclipse.aether:aether-spi 0.16850243 Not Participating
419 maven com.lowagie:itext 0.16715485 Not Participating
420 nuget system.numerics.vectors 0.16574224 Not Participating
421 maven mysql:mysql-connector-java 0.16516456 Not Participating
422 nuget microsoft.aspnet.webapi.core 0.16148195 Not Participating
423 pypi jsonschema 0.16079337 Not Participating
424 pypi docker 0.15706584 Not Participating
425 go golang.org/x/sync 0.15636095 Not Participating
426 cocoapods minizip 0.15539246 Not Participating
427 nuget microsoft.applicationinsights.windowsserver.telemetrychannel 0.15539246 Not Participating
428 maven commons-configuration:commons-configuration 0.15415679 Not Participating
429 go github.com/pmezard/go-difflib 0.1521144 Not Participating
430 go github.com/mitchellh/mapstructure 0.15017283 Not Participating
431 maven org.apache.logging.log4j:log4j-to-slf4j 0.14945547 Not Participating
432 clojars org.clojars.clizzin/jsoup 0.1422825 Not Participating
433 maven org.xmlunit:xmlunit-core 0.13949583 Not Participating
434 go github.com/matttproud/golang_protobuf_extensions 0.13704151 Not Participating
435 pypi decorator 0.13700893 Not Participating
436 maven net.jodah:typetools 0.13551529 Not Participating
437 maven org.springframework.boot:spring-boot-test-autoconfigure 0.13409143 Not Participating
438 go github.com/tidwall/gjson 0.13376785 Not Participating
439 pypi webencodings 0.13160232 Not Participating
440 nuget microsoft.applicationinsights.dependencycollector 0.12917253 Not Participating
441 nuget restsharp 0.12917253 Not Participating
442 maven org.apache.struts:struts2-spring-plugin 0.12917253 Not Participating
443 nuget yuicompressor.net 0.12917253 Not Participating
444 pypi sqlparse 0.12866422 Not Participating
445 maven software.amazon.ion:ion-java 0.12554801 Not Participating
446 maven org.codehaus.plexus:plexus-classworlds 0.12471136 Not Participating
447 maven net.java.dev.jna:jna 0.12157912 Not Participating
448 nuget microsoft.extensions.fileproviders.abstractions 0.1198424 Not Participating
449 cargo pcre 0.11606256 Not Participating
450 packagist apache/thrift 0.11606256 Not Participating
451 pypi python-editor 0.11492622 Not Participating
452 maven org.springframework.boot:spring-boot-test 0.11305852 Not Participating
453 go github.com/hashicorp/golang-lru 0.11015809 Not Participating
454 go github.com/kubernetes/metrics 0.10917552 Not Participating
455 go github.com/go-openapi/errors 0.10885193 Not Participating
456 maven com.googlecode.json-simple:json-simple 0.10883939 Not Participating
457 go github.com/patrickmn/go-cache 0.1075576 Not Participating
458 go github.com/dustin/go-humanize 0.10723402 Not Participating
459 maven org.mockito:mockito-junit-jupiter 0.10560636 Not Participating
460 maven com.typesafe.netty:netty-reactive-streams 0.10315684 Not Participating
461 maven org.springframework:spring-test 0.09889685 Not Participating
462 maven com.zaxxer:hikaricp 0.09876342 Not Participating
463 maven org.bouncycastle:bcprov-jdk15on 0.09601611 Not Participating
464 maven org.apache.tomcat.embed:tomcat-embed-websocket 0.0902546 Not Participating
465 cargo tokio 0.08984262 Not Participating
466 maven org.codehaus.plexus:plexus-compiler-api 0.08984262 Not Participating
467 rubygems quartz-jruby 0.08984262 Not Participating
468 maven org.junit.jupiter:junit-jupiter 0.08925118 Not Participating
469 maven com.esotericsoftware:minlog 0.08797633 Not Participating
470 maven org.eclipse.jetty:jetty-security 0.08227489 Not Participating
471 rubygems spring 0.07938736 Not Participating
472 maven org.springframework.boot:spring-boot-autoconfigure 0.07914028 Not Participating
473 pypi wcwidth 0.07717135 Not Participating
474 rubygems rjack-slf4j 0.07673265 Not Participating
475 nuget dotnetzip 0.07673265 Not Participating
476 maven net.javacrumbs.json-unit:json-unit-fluent 0.07673265 Not Participating
477 nuget owin 0.0763912 Not Participating
478 maven com.amazonaws:aws-java-sdk-s3 0.07538248 Not Participating
479 nuget system.componentmodel.annotations 0.07492226 Not Participating
480 pypi markdown 0.07413259 Not Participating
481 nuget system.security.cryptography.algorithms 0.0735948 Not Participating
482 maven com.fasterxml.jackson.dataformat:jackson-dataformat-cbor 0.07167077 Not Participating
483 maven org.apache.lucene:lucene-core 0.06602789 Not Participating
484 nuget system.security.cryptography.primitives 0.06420685 Not Participating
485 maven org.apache.commons:commons-math3 0.06408522 Not Participating
486 maven com.google.http-client:google-http-client-gson 0.06362268 Not Participating
487 nuget microsoft.applicationinsights.windowsserver 0.06362268 Not Participating
488 nuget system.security.cryptography.encoding 0.06041172 Not Participating
489 maven net.jcip:jcip-annotations 0.059413 Not Participating
490 nuget system.security.cryptography.x509certificates 0.05921326 Not Participating
491 maven com.sun.istack:istack-commons-runtime 0.05812482 Not Participating
492 pypi mccabe 0.05800197 Not Participating
493 pypi pathlib2 0.05587596 Not Participating
494 nuget system.net.http 0.0549804 Not Participating
495 maven org.eclipse.jetty:jetty-server 0.05222486 Not Participating
496 go github.com/go-openapi/validate 0.05157769 Not Participating
497 pypi pip 0.05060249 15
498 maven com.force.api:force-wsc 0.05051271 Not Participating
499 nuget microsoft.applicationinsights.perfcountercollector 0.05051271 Not Participating
500 maven io.projectreactor.netty:reactor-netty 0.05051271 Not Participating
Appendix C: Top 500 npm, Indirect & Direct, Version Agnostic Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages hosted on the npm package manager
among those reported in the private usage data contributed by SCA partners. These packages were identified as either direct or indirect
dependencies called by observed packages in use, and are version agnostic. For further information on how this list was compiled, refer
to the Methods section.
RANK | PLATFORM | NAME | Z-SCORE COMBINED | OPENSSF BADGE TIERED PERCENTAGE
1 npm debug 7.03880746 Not Participating
2 npm readable-stream 5.88167297 Not Participating
3 npm kind-of 5.03921743 Not Participating
4 npm ansi-wrap 4.09950718 Not Participating
5 npm set-getter 4.09950718 Not Participating
6 npm ansi-yellow 4.09950718 Not Participating
7 npm semver 4.08649472 Not Participating
8 npm supports-color 3.95024016 Not Participating
9 npm minimist 3.7559228 Not Participating
10 npm safe-buffer 3.68429943 Not Participating
11 npm ansi-regex 3.62055867 Not Participating
12 npm inherits 3.54047349 Not Participating
13 npm isarray 3.53838464 Not Participating
14 npm strip-ansi 3.53575995 Not Participating
15 npm qs 3.45648107 Not Participating
16 npm ms 3.34448474 Not Participating
17 npm array-slice 3.21860874 Not Participating
18 npm lodash 3.20524585 Not Participating
19 npm @types/react 3.09809104 Not Participating
20 npm is-buffer 3.06311922 Not Participating
21 npm natives 3.05258575 Not Participating
22 npm fast-list 3.05258575 Not Participating
23 npm mkdirp 3.04924243 Not Participating
24 npm glob 2.92311778 Not Participating
25 npm source-map 2.91644746 Not Participating
26 npm chalk 2.88570551 Not Participating
27 npm postcss 2.86945197 Not Participating
28 npm ansi-styles 2.80572247 Not Participating
29 npm @types/node 2.69602907 Not Participating
30 npm punycode 2.66129188 Not Participating
31 npm yallist 2.54369946 Not Participating
32 npm commander 2.41715269 Not Participating
33 npm string_decoder 2.40457376 Not Participating
34 npm graceful-fs 2.3607301 Not Participating
35 npm string-width 2.34619036 Not Participating
36 npm isobject 2.30393542 Not Participating
37 npm lru-cache 2.29503242 Not Participating
38 npm async 2.28064129 Not Participating
39 npm lodash.isfunction 2.24825321 Not Participating
40 npm lodash._root 2.24825321 Not Participating
41 npm color-convert 2.24487709 Not Participating
42 npm yargs 2.23009855 Not Participating
43 npm @types/color-name 2.2232521 Not Participating
44 npm sigmund 2.20762641 Not Participating
45 npm mime-db 2.18544807 Not Participating
46 npm @types/events 2.1623119 Not Participating
47 npm has-flag 2.1579853 Not Participating
48 npm ws 2.13667382 Not Participating
49 npm color-name 2.11564457 Not Participating
50 npm lodash.isarguments 2.09512142 Not Participating
51 npm lodash._shimkeys 2.09512142 Not Participating
52 npm lodash.isarray 2.09512142 Not Participating
53 npm lodash._renative 2.09512142 Not Participating
54 npm lodash.isnative 2.09512142 Not Participating
55 npm lodash._objecttypes 2.09512142 Not Participating
56 npm lodash.support 2.09512142 Not Participating
57 npm lodash._isnative 2.09512142 Not Participating
58 npm lodash._getnative 2.09512142 Not Participating
59 npm lodash._arraycopy 2.09512142 Not Participating
60 npm lodash.isobject 2.09512142 Not Participating
61 npm lodash._slice 2.09512142 Not Participating
62 npm is-arguments 1.93850884 Not Participating
63 npm once 1.89076517 Not Participating
64 npm is-fullwidth-code-point 1.87374275 Not Participating
65 npm acorn 1.8667157 Not Participating
66 npm caniuse-lite 1.86155194 Not Participating
67 npm lodash._arraymap 1.85722025 Not Participating
68 npm find-up 1.85328569 Not Participating
69 npm mime 1.82841162 Not Participating
70 npm mime-types 1.79903429 Not Participating
71 npm wrappy 1.75919621 Not Participating
72 npm lodash.restparam 1.74276205 Not Participating
73 npm @babel/runtime 1.699303 27
74 npm uuid 1.66830909 Not Participating
75 npm minimatch 1.66238061 Not Participating
76 npm resolve 1.65433055 Not Participating
77 npm ajv 1.63414419 99
78 npm balanced-match 1.60021797 Not Participating
79 npm form-data 1.59301552 Not Participating
80 npm electron-to-chromium 1.58807327 Not Participating
81 npm lodash._basetostring 1.56267594 Not Participating
82 npm lodash.tostring 1.56267594 Not Participating
83 npm rimraf 1.530607 Not Participating
84 npm camelcase 1.50130355 Not Participating
85 npm is-number 1.45320914 Not Participating
86 npm yargs-parser 1.44825692 Not Participating
87 npm request 1.44776732 Not Participating
88 npm define-property 1.44319801 Not Participating
89 npm brace-expansion 1.41198484 Not Participating
90 npm lodash._basecreatecallback 1.40954415 Not Participating
91 npm lodash._createwrapper 1.40954415 Not Participating
92 npm lodash._topath 1.40954415 Not Participating
93 npm lodash._createobject 1.40954415 Not Participating
94 npm lodash._baseslice 1.40954415 Not Participating
95 npm lodash._createbound 1.40954415 Not Participating
96 npm lodash._bindcallback 1.40954415 Not Participating
97 npm lodash._releasearray 1.40954415 Not Participating
98 npm lodash._releaseobject 1.40954415 Not Participating
99 npm lodash._baseproperty 1.40954415 Not Participating
100 npm lodash.bind 1.40954415 Not Participating
101 npm lodash._getarray 1.40954415 Not Participating
102 npm lodash._basecreate 1.40954415 Not Participating
103 npm lodash._basefor 1.40954415 Not Participating
104 npm lodash._getobject 1.40954415 Not Participating
105 npm lodash._basebind 1.40954415 Not Participating
106 npm lodash._baseget 1.40954415 Not Participating
107 npm lodash.createcallback 1.40954415 Not Participating
108 npm lodash._noop 1.40954415 Not Participating
109 npm lodash.rest 1.40954415 Not Participating
110 npm lodash._baseiteratee 1.40954415 Not Participating
111 npm lodash.property 1.40954415 Not Participating
112 npm lodash._objectpool 1.40954415 Not Participating
113 npm lodash._replaceholders 1.40954415 Not Participating
114 npm lodash._setbinddata 1.40954415 Not Participating
115 npm lodash._stack 1.40954415 Not Participating
116 npm lodash._maxpoolsize 1.40954415 Not Participating
117 npm lodash._mapcache 1.40954415 Not Participating
118 npm lodash._basecreatewrapper 1.40954415 Not Participating
119 npm lodash._baseisequal 1.40954415 Not Participating
120 npm lodash._baseflatten 1.40954415 Not Participating
121 npm lodash.noop 1.40954415 Not Participating
122 npm lodash.keysin 1.40954415 Not Participating
123 npm lodash.istypedarray 1.40954415 Not Participating
124 npm lodash._stringtopath 1.40954415 Not Participating
125 npm lodash.identity 1.40954415 Not Participating
126 npm lodash._isiterateecall 1.40954415 Not Participating
127 npm lodash._arraypool 1.40954415 Not Participating
128 npm lodash.forin 1.40954415 Not Participating
129 npm braces 1.40347275 Not Participating
130 npm tough-cookie 1.39275819 Not Participating
131 npm escape-string-regexp 1.38667 Not Participating
132 npm iconv-lite 1.37739455 Not Participating
133 npm concat-map 1.37369214 Not Participating
134 npm arr-flatten 1.36421447 Not Participating
135 npm regenerator-runtime 1.36221437 Not Participating
136 npm @babel/types 1.33261618 27
137 npm tslib 1.32391521 Not Participating
138 npm es-abstract 1.29444147 Not Participating
139 npm js-yaml 1.27311217 Not Participating
140 npm http-errors 1.25551914 Not Participating
141 npm path-is-absolute 1.25194051 Not Participating
142 npm lazy-cache 1.21109365 Not Participating
143 npm to-object-path 1.18047218 Not Participating
144 npm @babel/traverse 1.17295634 27
145 npm lodash.foreach 1.17164297 Not Participating
146 npm lodash.forown 1.17164297 Not Participating
147 npm lodash._baseismatch 1.17164297 Not Participating
148 npm lodash._arrayeach 1.17164297 Not Participating
149 npm lodash._baseassign 1.17164297 Not Participating
150 npm lodash.hasin 1.17164297 Not Participating
151 npm lodash._basecallback 1.17164297 Not Participating
152 npm lodash._baseeach 1.17164297 Not Participating
153 npm lodash.topairs 1.17164297 Not Participating
154 npm lodash.pairs 1.17164297 Not Participating
155 npm lodash._basecopy 1.17164297 Not Participating
156 npm lodash._basematches 1.17164297 Not Participating
157 npm lodash._baseclone 1.17164297 Not Participating
158 npm lodash._createassigner 1.17164297 Not Participating
159 npm is-extendable 1.14509799 Not Participating
160 npm is-data-descriptor 1.14002106 Not Participating
161 npm is-descriptor 1.13963119 Not Participating
162 npm is-accessor-descriptor 1.13951491 Not Participating
163 npm inflight 1.12829536 Not Participating
164 npm object-assign 1.1225167 Not Participating
165 npm core-js 1.11339005 Not Participating
166 npm lodash._basecompareascending 1.10484313 Not Participating
167 npm lodash._compareascending 1.10484313 Not Participating
168 npm guid 1.10484313 Not Participating
169 npm lodash._basesortby 1.10484313 Not Participating
170 npm lodash.map 1.10484313 Not Participating
171 npm locate-path 1.0972734 Not Participating
172 npm p-locate 1.08513755 Not Participating
173 npm cross-spawn 1.08405189 Not Participating
174 npm fs.realpath 1.07034914 Not Participating
175 npm bytes 1.05284562 Not Participating
176 npm browserslist 0.99336223 Not Participating
177 npm pify 0.98799633 Not Participating
178 npm esprima 0.97557256 Not Participating
179 npm emoji-regex 0.96109953 Not Participating
180 npm chokidar 0.95503773 Not Participating
181 npm has-color 0.9485862 Not Participating
182 npm fs-extra 0.94404643 Not Participating
183 npm safer-buffer 0.914964 Not Participating
184 npm is-glob 0.90538581 Not Participating
185 npm requirejs 0.89663078 Not Participating
186 npm setprototypeof 0.88961133 Not Participating
187 npm micromatch 0.88649217 Not Participating
188 npm pseudomap 0.88066949 Not Participating
189 npm fast-deep-equal 0.8744356 Not Participating
190 npm arr-diff 0.86851471 Not Participating
191 npm @babel/parser 0.85214951 27
192 npm which 0.85174663 Not Participating
193 npm har-validator 0.83990718 Not Participating
194 npm depd 0.80626947 Not Participating
195 npm path-to-regexp 0.79237172 Not Participating
196 npm process-nextick-args 0.7783376 Not Participating
197 npm cliui 0.77054732 Not Participating
198 npm fsevents 0.7494464 Not Participating
199 npm extend-shallow 0.74661996 Not Participating
200 npm is-plain-object 0.73440696 Not Participating
201 npm bluebird 0.7312087 Not Participating
202 npm raw-body 0.72759156 Not Participating
203 npm get-stream 0.71175287 Not Participating
204 npm end-of-stream 0.70691379 Not Participating
205 npm execa 0.69437106 Not Participating
206 npm pkg-dir 0.69436955 Not Participating
207 npm xtend 0.6860003 Not Participating
208 npm react-is 0.67772989 81
209 npm path-exists 0.67508124 Not Participating
210 npm assert-plus 0.6633127 Not Participating
211 npm core-util-is 0.66305187 Not Participating
212 npm lodash.keys 0.65787022 Not Participating
213 npm object-keys 0.63723468 Not Participating
214 npm node-fetch 0.63259819 Not Participating
215 npm statuses 0.63096792 Not Participating
216 npm p-limit 0.62785275 Not Participating
217 npm js-tokens 0.6264994 Not Participating
218 npm keypress 0.62591565 Not Participating
219 npm rc-util 0.62479335 Not Participating
220 npm wrap-ansi 0.60170925 Not Participating
221 npm @babel/template 0.59767592 27
222 npm pump 0.59712884 Not Participating
223 npm globals 0.59601232 Not Participating
224 npm number-is-nan 0.58776515 Not Participating
225 npm json5 0.58291601 Not Participating
226 npm extsprintf 0.5802166 Not Participating
227 npm json-schema-traverse 0.57909523 Not Participating
228 npm extend 0.55963592 Not Participating
229 npm resolve-from 0.55594592 Not Participating
230 npm base64-js 0.55367847 Not Participating
231 npm @babel/generator 0.55329104 27
232 npm make-dir 0.55112297 Not Participating
233 npm loader-utils 0.54291589 Not Participating
234 npm source-map-support 0.53956013 Not Participating
235 npm argparse 0.53516004 Not Participating
236 npm wordwrap 0.53136147 Not Participating
237 npm type-fest 0.53007903 Not Participating
238 npm concat-stream 0.52676504 Not Participating
239 npm send 0.52577581 Not Participating
240 npm finalhandler 0.51795762 Not Participating
241 npm glob-parent 0.51070981 Not Participating
242 npm minipass 0.50671617 Not Participating
243 npm fill-range 0.50255746 Not Participating
244 npm path-type 0.49467411 Not Participating
245 npm react 0.48990473 81
246 npm util-deprecate 0.48962673 Not Participating
247 npm fast-json-stable-stringify 0.48134275 Not Participating
248 npm jsesc 0.47337946 Not Participating
249 npm combined-stream 0.47067651 Not Participating
250 npm is-arrayish 0.46883809 Not Participating
251 npm accepts 0.45538921 Not Participating
252 npm find-cache-dir 0.45121438 Not Participating
253 npm domelementtype 0.44885338 Not Participating
254 npm postcss-selector-parser 0.44777559 Not Participating
255 npm noncharacters 0.44582954 Not Participating
256 npm @babel/code-frame 0.4430927 27
257 npm readdirp 0.43361612 Not Participating
258 npm sax 0.42802667 Not Participating
259 npm normalize-path 0.42501638 Not Participating
260 npm anymatch 0.42363321 Not Participating
261 npm prop-types 0.42306078 81
262 npm mimic-fn 0.42043236 Not Participating
263 npm signal-exit 0.41400094 Not Participating
264 npm buffer 0.41273007 Not Participating
265 npm estraverse 0.41128578 Not Participating
266 npm hoist-non-react-statics 0.3897703 Not Participating
267 npm react-dom 0.38731836 81
268 npm cookie 0.38713844 Not Participating
269 npm ini 0.38138487 Not Participating
270 npm has-values 0.37675405 Not Participating
271 npm coffee-script 0.37590456 Not Participating
272 npm esutils 0.37465702 Not Participating
273 npm lodash.get 0.37341155 Not Participating
274 npm is-extglob 0.37039695 Not Participating
275 npm uglify-js 0.37010621 Not Participating
276 npm entities 0.36443201 Not Participating
277 npm p-try 0.36107419 Not Participating
278 npm parse-json 0.35984681 Not Participating
279 npm node-releases 0.35975567 Not Participating
280 npm promise 0.3533158 Not Participating
281 npm is-stream 0.3446095 Not Participating
282 npm serve-static 0.34153924 Not Participating
283 npm ieee754 0.33816663 Not Participating
284 npm got 0.32897614 Not Participating
285 npm to-regex-range 0.31897449 Not Participating
286 npm schema-utils 0.31890894 Not Participating
287 npm chownr 0.30880908 Not Participating
288 npm function-bind 0.30862 Not Participating
289 npm read-pkg 0.30686285 Not Participating
290 npm has-value 0.29120145 Not Participating
291 npm code-point-at 0.28039382 Not Participating
292 npm define-properties 0.27590317 Not Participating
293 npm type-is 0.27353816 Not Participating
294 npm path-parse 0.26727568 Not Participating
295 npm lodash.sortby 0.26684382 Not Participating
296 npm has 0.26615581 Not Participating
297 npm webpack 0.26400818 Not Participating
298 npm webidl-conversions 0.25567848 Not Participating
299 npm aws4 0.25534523 Not Participating
300 npm negotiator 0.25061821 Not Participating
301 npm parseurl 0.25040351 Not Participating
302 npm @babel/highlight 0.24499238 27
303 npm stable 0.24317086 Not Participating
304 npm read-pkg-up 0.23911125 Not Participating
305 npm strip-json-comments 0.23791276 Not Participating
306 npm through2 0.23659086 Not Participating
307 npm globby 0.23575157 Not Participating
308 npm has-ansi 0.23407301 Not Participating
309 npm longest 0.23332011 Not Participating
310 npm uri-js 0.23160084 Not Participating
311 npm isexe 0.2292925 Not Participating
312 npm lodash.assign 0.22868706 Not Participating
313 npm convert-source-map 0.2247114 Not Participating
314 npm nan 0.22344439 Not Participating
315 npm http-signature 0.21354285 Not Participating
316 npm sprintf-js 0.20814361 Not Participating
317 npm repeat-string 0.20757432 Not Participating
318 npm strip-bom 0.20557744 Not Participating
319 npm express 0.20373504 15
320 npm asn1 0.20261673 Not Participating
321 npm oauth-sign 0.20206034 Not Participating
322 npm extglob 0.19928385 Not Participating
323 npm os-tmpdir 0.19860484 Not Participating
324 npm delayed-stream 0.19850196 Not Participating
325 npm y18n 0.19306199 Not Participating
326 npm path-key 0.19095556 Not Participating
327 npm buffer-from 0.1898348 Not Participating
328 npm util 0.18709826 Not Participating
329 npm caseless 0.17826056 Not Participating
330 npm array-flatten 0.17607328 Not Participating
331 npm aws-sign2 0.17593228 Not Participating
332 npm performance-now 0.17375552 Not Participating
333 npm whatwg-url 0.17018915 Not Participating
334 npm bn.js 0.16506777 Not Participating
335 npm domutils 0.16503166 Not Participating
336 npm array-unique 0.16442359 Not Participating
337 npm range-parser 0.16315876 Not Participating
338 npm ipaddr.js 0.15765116 Not Participating
339 npm csstype 0.15715313 Not Participating
340 npm pinkie 0.15127171 Not Participating
341 npm body-parser 0.14841574 Not Participating
342 npm is-callable 0.14139714 Not Participating
343 npm shebang-regex 0.14100147 Not Participating
344 npm callsites 0.13816977 Not Participating
345 npm fresh 0.13653561 Not Participating
346 npm vary 0.13524685 Not Participating
347 npm tweetnacl 0.13321917 Not Participating
348 npm hosted-git-info 0.13209635 Not Participating
349 npm tunnel-agent 0.13132506 Not Participating
350 npm jsbn 0.13044088 Not Participating
351 npm ansi-escapes 0.1296061 Not Participating
352 npm colors 0.12665819 Not Participating
353 npm cosmiconfig 0.12328808 Not Participating
354 npm hoek 0.12129312 Not Participating
355 npm regexpu-core 0.113542 Not Participating
356 npm load-json-file 0.11057082 Not Participating
357 npm content-disposition 0.10858849 Not Participating
358 npm node-pre-gyp 0.10728529 Not Participating
359 npm pinkie-promise 0.10400062 Not Participating
360 npm normalize-url 0.10249952 Not Participating
361 npm follow-redirects 0.10143986 Not Participating
362 npm get-stdin 0.09996958 Not Participating
363 npm nopt 0.09829726 Not Participating
364 npm moment 0.0961926 Not Participating
365 npm has-symbols 0.09583272 Not Participating
366 npm bcrypt-pbkdf 0.09582715 Not Participating
367 npm is-typedarray 0.08294668 Not Participating
368 npm memory-fs 0.08025584 Not Participating
369 npm for-in 0.07982359 Not Participating
370 npm bl 0.07419713 Not Participating
371 npm psl 0.07402366 Not Participating
372 npm shebang-command 0.07346785 Not Participating
373 npm verror 0.07168094 Not Participating
374 npm onetime 0.07134391 Not Participating
375 npm ecc-jsbn 0.0623092 Not Participating
376 npm graceful-readlink 0.05807394 Not Participating
377 npm deep-extend 0.05673337 Not Participating
378 npm duplexify 0.04771431 Not Participating
379 npm escape-html 0.04673093 Not Participating
380 npm dashdash 0.04669489 Not Participating
381 npm har-schema 0.04592086 Not Participating
382 npm lodash.values 0.04542116 Not Participating
383 npm splice-string 0.04542116 Not Participating
384 npm lodash.toarray 0.04542116 Not Participating
385 npm lodash._basevalues 0.04542116 Not Participating
386 npm loose-envify 0.0444214 Not Participating
387 npm component-emitter 0.04409052 Not Participating
388 npm tar 0.04377561 Not Participating
389 npm through 0.04341708 Not Participating
390 npm getpass 0.04319554 Not Participating
391 npm postcss-value-parser 0.03973834 Not Participating
392 npm abbrev 0.03928161 Not Participating
393 npm q 0.03777737 Not Participating
394 npm expand-brackets 0.03478418 Not Participating
395 npm ignore 0.03471154 Not Participating
396 npm json-schema 0.03240191 Not Participating
397 npm ee-first 0.03200359 Not Participating
398 npm os-homedir 0.03195658 Not Participating
399 npm assign-symbols 0.03135357 Not Participating
400 npm dot 0.02823289 Not Participating
401 npm get-caller-file 0.02660131 Not Participating
402 npm encodeurl 0.02268594 Not Participating
403 npm utils-merge 0.02220762 Not Participating
404 npm parse-passwd 0.01963876 Not Participating
405 npm content-type 0.01703082 Not Participating
406 npm decamelize 0.01663539 Not Participating
407 npm boom 0.01426829 Not Participating
408 npm jsonfile 0.01371748 Not Participating
409 npm asynckit 0.01262282 Not Participating
410 npm ajv-keywords 0.01259286 Not Participating
411 npm tmp 0.00822916 Not Participating
412 npm proxy-addr 0.00690346 Not Participating
413 npm sliced 0.005185 Not Participating
414 npm unpipe 0.00432407 Not Participating
415 npm methods 0.0037681 Not Participating
416 npm source-map-resolve 0.00293114 Not Participating
417 npm cacache 0.00259504 Not Participating
418 npm inquirer 0.00174153 Not Participating
419 npm tr46 0.00170782 Not Participating
420 npm object.assign 0.00051494 Not Participating
421 npm cookie-signature 0.00037877 Not Participating
422 npm binary-extensions -0.0032781 Not Participating
423 npm p-map -0.0040264 Not Participating
424 npm json-stringify-safe -0.0084027 Not Participating
425 npm etag -0.015558 Not Participating
426 npm sockjs -0.0158693 Not Participating
427 npm forever-agent -0.0167926 Not Participating
428 npm cryptiles -0.0192502 Not Participating
429 npm destroy -0.0196541 Not Participating
430 npm xmlbuilder -0.0214077 Not Participating
431 npm spdx-exceptions -0.0215164 Not Participating
432 npm use -0.0222281 Not Participating
433 npm rc -0.0236404 Not Participating
434 npm jsprim -0.0244467 Not Participating
435 npm to-fast-properties -0.0264497 Not Participating
436 npm media-typer -0.0278471 Not Participating
437 npm file-type -0.0280241 Not Participating
438 npm isstream -0.0292875 Not Participating
439 npm is-absolute -0.0315354 Not Participating
440 npm is-relative -0.0315354 Not Participating
441 npm unc-path-regex -0.0315354 Not Participating
442 npm is-unc-path -0.0315354 Not Participating
443 npm set-value -0.0326597 Not Participating
444 npm on-finished -0.0348479 Not Participating
445 npm snapdragon -0.0352333 Not Participating
446 npm dom-serializer -0.0355347 Not Participating
447 npm is-windows -0.0375179 Not Participating
448 npm slash -0.0407022 Not Participating
449 npm lodash.isstring -0.040807 Not Participating
450 npm base -0.0413163 Not Participating
451 npm is-binary-path -0.0429113 Not Participating
452 npm sshpk -0.0441682 Not Participating
453 npm object-inspect -0.046401 Not Participating
454 npm set-blocking -0.0478655 Not Participating
455 npm is-regex -0.0482234 Not Participating
456 npm normalize-package-data -0.0498086 Not Participating
457 npm es-to-primitive -0.0508441 Not Participating
458 npm typescript -0.0516019 Not Participating
459 npm forwarded -0.0523882 Not Participating
460 npm @babel/preset-env -0.0524578 27
461 npm asap -0.0531783 Not Participating
462 npm cache-base -0.0558213 Not Participating
463 npm underscore -0.0608389 Not Participating
464 npm mimic-response -0.0611636 Not Participating
465 npm user-home -0.0616148 Not Participating
466 npm call-bind -0.0621105 Not Participating
467 npm write-file-atomic -0.0632035 Not Participating
468 npm homedir-polyfill -0.0635681 Not Participating
469 npm @babel/helper-split-export-declaration -0.0650653 27
470 npm url -0.0674246 Not Participating
471 npm toidentifier -0.0677182 Not Participating
472 npm agent-base -0.0686968 Not Participating
473 npm whatwg-fetch -0.0730887 Not Participating
474 npm fbjs -0.0733339 Not Participating
475 npm amdefine -0.0734751 Not Participating
476 npm atob -0.0747557 Not Participating
477 npm p-cancelable -0.076886 Not Participating
478 npm htmlparser2 -0.0801718 Not Participating
479 npm lowercase-keys -0.0818284 Not Participating
480 npm get-value -0.0859985 Not Participating
481 npm remove-trailing-separator -0.0860371 Not Participating
482 npm pako -0.0876536 Not Participating
483 npm os-locale -0.0877178 Not Participating
484 npm escodegen -0.0878123 Not Participating
485 npm diff -0.088541 Not Participating
486 npm repeat-element -0.0898446 Not Participating
487 npm is-symbol -0.090042 Not Participating
488 npm npmlog -0.0909649 Not Participating
489 npm union-value -0.0919828 Not Participating
490 npm doctrine -0.0926973 Not Participating
491 npm domhandler -0.0931396 Not Participating
492 npm is-wsl -0.0942623 Not Participating
493 npm popper.js -0.0943722 Not Participating
494 npm xml2js -0.0944642 Not Participating
495 npm get-intrinsic -0.0944814 Not Participating
496 npm https-proxy-agent -0.0950587 Not Participating
497 npm terser -0.0969033 Not Participating
498 npm tapable -0.09915 Not Participating
499 npm npm-run-path -0.099158 Not Participating
500 npm universalify -0.0995025 Not Participating
Appendix D: Top 500 Non-npm, Indirect & Direct, Version Agnostic Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners hosted on package managers other than npm. These packages were identified as either direct
or indirect dependencies called by observed packages in use and are version agnostic. For further information on how this list was
compiled, refer to the Methods section.
PLATFORM | NAME | COMBINED Z-SCORE | OPENSSF BADGE TIERED PERCENTAGE
1 go github.com/aws/aws-sdk-go 11.0753418 Not Participating
2 go github.com/docker/docker 9.71416018 Not Participating
3 go github.com/containerd/containerd 9.52658887 107
4 go golang.org/x/sys 4.98173322 Not Participating
5 go github.com/grpc/grpc-go 4.9115973 109
6 go github.com/opencontainers/runc 4.77227936 81
7 go github.com/kubernetes/client-go 4.67103324 Not Participating
8 go github.com/moby/buildkit 4.60904011 Not Participating
9 maven ch.qos.logback:logback-core 4.60523927 Not Participating
10 go golang.org/x/net 4.43304068 Not Participating
11 maven com.google.j2objc:j2objc-annotations 4.0916596 Not Participating
12 maven org.slf4j:jul-to-slf4j 3.8958064 Not Participating
13 maven org.hamcrest:hamcrest-core 3.69072475 Not Participating
14 maven commons-codec:commons-codec 3.65184084 Not Participating
15 maven com.fasterxml:classmate 3.63643508 Not Participating
16 go github.com/coreos/etcd 3.53963703 Not Participating
17 go github.com/containerd/cri 3.43976011 Not Participating
18 maven org.apache.logging.log4j:log4j-api 3.31239077 Not Participating
19 go github.com/grpc-ecosystem/grpc-gateway 3.13184326 Not Participating
20 go github.com/apache/thrift 3.13179213 Not Participating
21 maven junit:junit 3.1274156 Not Participating
22 maven com.google.guava:failureaccess 3.11769245 Not Participating
23 maven com.google.guava:listenablefuture 3.08053265 Not Participating
24 go github.com/hashicorp/consul 3.04564674 Not Participating
25 maven org.checkerframework:checker-qual 3.00988148 Not Participating
26 go github.com/urfave/cli 2.95059004 Not Participating
27 maven jakarta.annotation:jakarta.annotation-api 2.93277659 Not Participating
28 maven org.apache.httpcomponents:httpcore 2.9323112 Not Participating
29 go github.com/prometheus/client_golang 2.92246861 Not Participating
30 go github.com/microsoft/hcsshim 2.83060907 Not Participating
31 maven org.apache.commons:commons-lang3 2.78516657 Not Participating
32 go github.com/golang/protobuf 2.7702377 Not Participating
33 go golang.org/x/crypto 2.74049263 Not Participating
34 go github.com/kubernetes/apimachinery 2.64950927 Not Participating
35 maven org.hdrhistogram:hdrhistogram 2.59276783 Not Participating
36 go github.com/docker/cli 2.58187934 Not Participating
37 maven commons-logging:commons-logging 2.52686951 Not Participating
38 cargo serde 2.49113478 Not Participating
39 go github.com/google/go-genproto 2.39668185 Not Participating
40 go github.com/spf13/cobra 2.30615834 Not Participating
41 cargo serde_derive 2.29429089 Not Participating
42 go code.googlesource.com/google-api-go-client 2.29213483 Not Participating
43 maven com.sun.jmx:jmxri 2.28501971 Not Participating
44 maven com.sun.jdmk:jmxtools 2.28501971 Not Participating
45 nuget microsoft.netcore.targets.dnxcore 2.26844233 Not Participating
46 nuget microsoft.netcore.targets.universalwindowsplatform 2.26844233 Not Participating
47 nuget microsoft.netcore.targets.netframework 2.26844233 Not Participating
48 go github.com/docker/libnetwork 2.24961228 Not Participating
49 maven ch.qos.logback:logback-classic 2.24634474 Not Participating
50 nuget system.private.uri 2.24208157 Not Participating
51 nuget system.threading.tasks.unofficial 2.24208157 Not Participating
52 maven javax.activation:activation 2.21821437 Not Participating
53 nuget system.runtime.interopservices.pinvoke 2.18501189 Not Participating
54 maven org.apache.logging.log4j:log4j-to-slf4j 2.17130642 Not Participating
55 maven org.apache.httpcomponents:httpclient 2.14315118 Not Participating
56 go github.com/gophercloud/gophercloud 2.12795364 Not Participating
57 maven org.yaml:snakeyaml 2.12439825 3
58 nuget system.runtime.windowsruntime 2.115713 Not Participating
59 go github.com/gorilla/mux 2.1115662 Not Participating
60 nuget runtime.osx.10.10-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
61 nuget system.security.cryptography.encryption 2.1040273 Not Participating
62 nuget runtime.fedora.23-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
63 nuget runtime.ubuntu.18.04-x64.runtime.native.system.security.cryptography.openssl 2.1040273 Not Participating
64 nuget runtime.ubuntu.14.04-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
65 nuget runtime.rhel.7-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
66 nuget runtime.opensuse.42.3-x64.runtime.native.system.security.cryptography.openssl 2.1040273 Not Participating
67 nuget runtime.fedora.28-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
68 nuget runtime.ubuntu.16.10-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
69 nuget runtime.ubuntu.18.04-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
70 nuget runtime.ubuntu.16.04-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
71 nuget runtime.debian.9-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
72 nuget runtime.opensuse.42.1-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
73 nuget runtime.debian.9-x64.runtime.native.system.security.cryptography.openssl 2.1040273 Not Participating
74 nuget runtime.opensuse.13.2-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
75 nuget runtime.opensuse.42.3-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
76 nuget runtime.debian.8-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
77 nuget runtime.fedora.28-x64.runtime.native.system.security.cryptography.openssl 2.1040273 Not Participating
78 nuget runtime.fedora.27-x64.runtime.native.system.security.cryptography.openssl 2.1040273 Not Participating
79 nuget runtime.fedora.27-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
80 nuget runtime.fedora.24-x64.runtime.native.system.security.cryptography 2.1040273 Not Participating
81 go github.com/onsi/gomega 2.09641764 Not Participating
82 nuget system.io.filesystem.watcher 2.09342865 Not Participating
83 nuget system.security.cryptography.rsa 2.09342865 Not Participating
84 nuget system.security.cryptography.randomnumbergenerator 2.09342865 Not Participating
85 nuget microsoft.bcl.compression 2.09342865 Not Participating
86 nuget system.private.networking 2.09342865 Not Participating
87 nuget microsoft.bcl 2.09342865 Not Participating
88 nuget system.security.cryptography.hashing 2.09342865 Not Participating
89 nuget system.security.cryptography.hashing.algorithms 2.09342865 Not Participating
90 nuget microsoft.bcl.build 2.09342865 Not Participating
91 nuget microsoft.netcore.runtime.coreclr 2.09342865 Not Participating
92 nuget microsoft.net.http 2.09342865 Not Participating
93 nuget microsoft.netcore.jit 2.09342865 Not Participating
94 nuget microsoft.netcore.runtime.native 2.09342865 Not Participating
95 nuget microsoft.netcore.windows.apisets 2.09342865 Not Participating
96 nuget microsoft.packaging.tools 2.09342865 Not Participating
97 nuget microsoft.netcore.runtime 2.09342865 Not Participating
98 go github.com/miekg/dns 2.067752 Not Participating
99 go github.com/etcd-io/etcd 2.06454842 105
100 go github.com/azure/go-autorest 2.05529069 Not Participating
101 go github.com/vishvananda/netlink 2.0485206 Not Participating
102 go golang.org/x/tools 2.02322856 Not Participating
103 go github.com/kubernetes/api 2.01335211 Not Participating
104 maven commons-lang:commons-lang 1.9974781 Not Participating
105 maven com.google.code.findbugs:jsr305 1.9920758 Not Participating
106 maven com.fasterxml.jackson.core:jackson-core 1.98795005 Not Participating
107 rubygems rubocop 1.98436644 Not Participating
108 maven commons-io:commons-io 1.97884065 Not Participating
109 maven com.fasterxml.jackson.datatype:jackson-datatype-jdk8 1.95473341 Not Participating
110 pypi sphinx 1.9510208 Not Participating
111 maven org.slf4j:slf4j-api 1.95039834 Not Participating
112 maven org.springframework:spring-jcl 1.93238318 Not Participating
113 go code.googlesource.com/gocloud 1.87533902 Not Participating
114 maven jakarta.xml.bind:jakarta.xml.bind-api 1.87368836 Not Participating
115 maven com.fasterxml.jackson.core:jackson-annotations 1.867435 Not Participating
116 maven com.google.errorprone:error_prone_annotations 1.86361638 Not Participating
117 maven org.latencyutils:latencyutils 1.86200374 Not Participating
118 maven jakarta.activation:jakarta.activation-api 1.85663697 Not Participating
119 go github.com/sirupsen/logrus 1.84401068 Not Participating
120 maven org.aspectj:aspectjweaver 1.79087704 Not Participating
121 maven org.jboss.logging:jboss-logging 1.78136656 Not Participating
122 pypi pytest 1.77062209 Not Participating
123 maven commons-collections:commons-collections 1.76989201 Not Participating
124 go github.com/azure/azure-sdk-for-go 1.7631905 Not Participating
125 maven log4j:log4j 1.74348924 Not Participating
126 go github.com/stretchr/testify 1.73158944 Not Participating
127 maven org.ow2.asm:asm 1.73008166 Not Participating
128 maven org.hamcrest:hamcrest 1.68654123 Not Participating
129 go github.com/gin-gonic/gin 1.68369478 Not Participating
130 go github.com/influxdata/influxdb 1.6713044 Not Participating
131 maven org.codehaus.mojo:animal-sniffer-annotations 1.62742827 Not Participating
132 nuget microsoft.netcore.targets 1.62290595 Not Participating
133 maven jakarta.validation:jakarta.validation-api 1.62199356 Not Participating
134 maven com.fasterxml.jackson.datatype:jackson-datatype-jsr310 1.61730613 Not Participating
135 maven org.apiguardian:apiguardian-api 1.52763349 Not Participating
136 nuget system.reflection.emit.lightweight 1.5017379 Not Participating
137 nuget system.xml.readerwriter 1.50041319 Not Participating
138 go github.com/godbus/dbus 1.48571265 Not Participating
139 nuget system.security.cryptography.primitives 1.48404163 Not Participating
140 maven org.opentest4j:opentest4j 1.47987602 Not Participating
141 nuget system.globalization.extensions 1.47568528 Not Participating
142 cargo syn 1.47515171 Not Participating
143 nuget system.diagnostics.tools 1.47249239 Not Participating
144 nuget system.security.cryptography.encoding 1.46777148 Not Participating
145 nuget system.security.cryptography.algorithms 1.4663109 Not Participating
146 go github.com/shopify/sarama 1.46382864 Not Participating
147 nuget system.runtime.numerics 1.46050256 Not Participating
148 nuget system.xml.xdocument 1.45578067 Not Participating
149 nuget system.security.cryptography.x509certificates 1.45462579 Not Participating
150 nuget system.text.regularexpressions 1.44559059 Not Participating
151 nuget microsoft.win32.primitives 1.44419909 Not Participating
152 nuget system.net.primitives 1.44304308 Not Participating
153 go github.com/spf13/viper 1.43684562 Not Participating
154 nuget system.globalization.calendars 1.42860714 Not Participating
155 nuget system.security.cryptography.csp 1.41060517 Not Participating
156 nuget system.security.cryptography.openssl 1.40866905 Not Participating
157 nuget runtime.native.system.net.http 1.404117 Not Participating
158 nuget netstandard.library 1.39321362 Not Participating
159 nuget system.threading.timer 1.37337695 Not Participating
160 nuget system.io.compression 1.37279951 Not Participating
161 nuget system.console 1.36267737 Not Participating
162 nuget system.net.sockets 1.3580239 Not Participating
163 maven javax.validation:validation-api 1.34947577 Not Participating
164 nuget runtime.native.system.io.compression 1.34678086 Not Participating
165 nuget system.net.http 1.34579582 Not Participating
166 go github.com/opencontainers/runtime-spec 1.34086843 Not Participating
167 nuget runtime.opensuse.42.1-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
168 nuget runtime.fedora.23-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
169 nuget runtime.fedora.24-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
170 nuget runtime.ubuntu.14.04-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
171 nuget runtime.osx.10.10-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
172 nuget runtime.rhel.7-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
173 nuget runtime.ubuntu.16.04-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
174 nuget runtime.ubuntu.16.10-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
175 nuget runtime.debian.8-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
176 nuget runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
177 nuget runtime.opensuse.13.2-x64.runtime.native.system.security.cryptography.openssl 1.33818772 Not Participating
178 go github.com/containerd/cgroups 1.32326522 Not Participating
179 nuget runtime.osx.10.10-x64.runtime.native.system.security.cryptography.apple 1.32232517 Not Participating
180 nuget runtime.native.system.security.cryptography.apple 1.32232517 Not Participating
181 go github.com/prometheus/procfs 1.31034539 Not Participating
182 go github.com/ugorji/go 1.30350759 Not Participating
183 maven com.fasterxml.jackson.core:jackson-databind 1.29824194 Not Participating
184 nuget system.io.compression.zipfile 1.29369058 Not Participating
185 go github.com/nats-io/gnatsd 1.2909242 113
186 nuget system.collections.nongeneric 1.28954661 Not Participating
187 maven org.objenesis:objenesis 1.27914114 Not Participating
188 maven javax.activation:javax.activation-api 1.27838431 Not Participating
189 go github.com/docker/distribution 1.27693533 Not Participating
190 maven joda-time:joda-time 1.2565114 Not Participating
191 go github.com/docker/swarmkit 1.25440797 Not Participating
192 go github.com/gogo/protobuf 1.25191648 Not Participating
193 go github.com/mattn/go-sqlite3 1.25141059 Not Participating
194 go github.com/coreos/go-systemd 1.2462225 Not Participating
195 maven org.slf4j:jcl-over-slf4j 1.2404093 Not Participating
196 maven org.javassist:javassist 1.23562167 Not Participating
197 go github.com/go-sql-driver/mysql 1.21881552 Not Participating
198 maven javax.servlet:javax.servlet-api 1.21466239 Not Participating
199 maven javax.mail:mail 1.20266811 Not Participating
200 nuget system.threading.thread 1.19325043 Not Participating
201 maven javax.servlet:servlet-api 1.19080714 Not Participating
202 go github.com/uber/jaeger-client-go 1.18949498 Not Participating
203 maven xml-apis:xml-apis 1.1890025 Not Participating
204 go github.com/kubernetes/apiserver 1.1873818 Not Participating
205 go github.com/census-instrumentation/opencensus-go 1.16828402 Not Participating
206 maven com.google.guava:guava 1.16690108 Not Participating
207 maven org.eclipse.jetty:jetty-util 1.16237758 Not Participating
208 cargo serde_json 1.15560331 Not Participating
209 maven com.fasterxml.jackson.module:jackson-module-parameter-names 1.14835898 Not Participating
210 maven org.springframework:spring-beans 1.11252763 Not Participating
211 maven org.apache.geronimo.specs:geronimo-jms_1.1_spec 1.10888589 Not Participating
212 maven antlr:antlr 1.10251942 Not Participating
213 maven javax.xml:jsr173 1.09470924 Not Participating
214 maven org.eclipse.jetty:jetty-continuation 1.09117636 Not Participating
215 maven org.eclipse.jetty:jetty-xml 1.08709995 Not Participating
216 maven org.springframework:spring-aop 1.07665825 Not Participating
217 nuget system.threading.threadpool 1.07378881 Not Participating
218 maven org.eclipse.jetty:jetty-security 1.06400032 Not Participating
219 maven org.eclipse.jetty:jetty-servlet 1.06400032 Not Participating
220 maven org.eclipse.jetty:jetty-server 1.06400032 Not Participating
221 maven org.eclipse.jetty:jetty-webapp 1.06400032 Not Participating
222 maven org.eclipse.jetty:jetty-io 1.06400032 Not Participating
223 maven org.eclipse.jetty:jetty-jmx 1.06400032 Not Participating
224 maven org.eclipse.jetty:jetty-http 1.06400032 Not Participating
225 go github.com/kubernetes/kubernetes 1.060832 111
226 maven jtidy:jtidy 1.03573724 Not Participating
227 go github.com/cloudflare/cfssl 1.03473484 Not Participating
228 maven org.apache.tomcat:tomcat-util 1.01725754 Not Participating
229 maven org.apache.tomcat:tomcat-juli 1.01725754 Not Participating
230 nuget system.runtime 1.00907205 Not Participating
231 go github.com/containernetworking/plugins 1.00658718 Not Participating
232 maven commons-beanutils:commons-beanutils 1.00141375 Not Participating
233 maven org.glassfish.jaxb:txw2 0.99741004 Not Participating
234 maven stax:stax 0.99714727 Not Participating
235 maven xmlbeans:xmlbeans-jsr173-api 0.99714727 Not Participating
236 maven com.ibm.icu:icu4j 0.99252734 88
237 nuget system.numerics.vectors 0.99023021 Not Participating
238 cargo serde_test 0.9888124 Not Participating
239 maven xerces:xmlparserapis 0.98790741 Not Participating
240 go github.com/pelletier/go-toml 0.98518487 Not Participating
241 nuget system.text.encoding 0.98320043 Not Participating
242 nuget system.io 0.9831903 Not Participating
243 nuget system.threading.tasks 0.98295264 Not Participating
244 nuget system.reflection 0.98115073 Not Participating
245 cargo proc-macro2 0.9807919 Not Participating
246 nuget system.threading 0.97987023 Not Participating
247 maven org.springframework:spring-expression 0.97977731 Not Participating
248 nuget system.globalization 0.97865761 Not Participating
249 nuget system.diagnostics.debug 0.97849366 Not Participating
250 nuget system.collections 0.97700771 Not Participating
251 nuget system.security.principal 0.97671252 Not Participating
252 nuget system.security.claims 0.97498021 Not Participating
253 go github.com/nats-io/nats-server 0.97408285 113
254 maven clover:clover 0.97296059 Not Participating
255 maven javancss:javancss 0.97296059 Not Participating
256 maven icu4j:icu4j 0.97296059 Not Participating
257 maven isorelax:isorelax 0.97296059 Not Participating
258 maven javancss:ccl 0.97296059 Not Participating
259 maven jaxme:jaxme-api 0.97296059 Not Participating
260 maven asm:asm-tree 0.97296059 Not Participating
261 maven xom:xom 0.97296059 Not Participating
262 maven cobertura:cobertura 0.97296059 Not Participating
263 maven com.google.code.findbugs:jformatstring 0.97296059 Not Participating
264 maven commons-jelly:commons-jelly 0.97296059 Not Participating
265 maven commons-jelly:commons-jelly-tags-junit 0.97296059 Not Participating
266 maven asm:asm-util 0.97296059 Not Participating
267 maven asm:asm-xml 0.97296059 Not Participating
268 maven com.google.code.findbugs:bcel 0.97296059 Not Participating
269 maven javancss:jhbasic 0.97296059 Not Participating
270 maven junitperf:junitperf 0.97296059 Not Participating
271 maven maven-plugins:maven-cobertura-plugin 0.97296059 Not Participating
272 maven asm:asm-analysis 0.97296059 Not Participating
273 maven relaxngdatatype:relaxngdatatype 0.97296059 Not Participating
274 maven saxpath:saxpath 0.97296059 Not Participating
275 maven pull-parser:pull-parser 0.97296059 Not Participating
276 maven commons-jelly:commons-jelly-tags-log 0.97296059 Not Participating
277 maven asm:asm-commons 0.97296059 Not Participating
278 maven urbanophile:java-getopt 0.97296059 Not Participating
279 maven stax:stax-ri 0.97296059 Not Participating
280 maven org.apache.ant:ant-junit 0.97296059 Not Participating
281 maven org.mortbay.jetty:servlet-api-2.5 0.97296059 Not Participating
282 maven maven-plugins:maven-findbugs-plugin 0.97296059 Not Participating
283 maven net.sourceforge.cobertura:cobertura 0.97296059 Not Participating
284 maven msv:xsdlib 0.97296059 Not Participating
285 maven msv:relaxngdatatype 0.97296059 Not Participating
286 maven msv:msv 0.97296059 Not Participating
287 nuget system.runtime.extensions 0.97132212 Not Participating
288 nuget system.threading.tasks.extensions 0.96971244 Not Participating
289 nuget system.runtime.interopservices 0.96672124 Not Participating
290 maven org.glassfish:jakarta.el 0.96453007 Not Participating
291 maven aopalliance:aopalliance 0.96090525 Not Participating
292 nuget system.reflection.primitives 0.95547164 Not Participating
293 nuget system.resources.resourcemanager 0.95544425 Not Participating
294 nuget microsoft.netcore.platforms 0.95293532 Not Participating
295 maven org.springframework:spring-context 0.9389564 Not Participating
296 go github.com/go-kit/kit 0.93080669 Not Participating
297 nuget system.linq 0.92715348 Not Participating
298 nuget system.runtime.handles 0.92536315 Not Participating
299 nuget system.text.encoding.extensions 0.91791263 Not Participating
300 go github.com/lightstep/lightstep-tracer-go 0.915031 Not Participating
301 nuget system.reflection.typeextensions 0.91447312 Not Participating
302 nuget system.reflection.extensions 0.90892453 Not Participating
303 nuget system.diagnostics.diagnosticsource 0.90837821 Not Participating
304 nuget system.buffers 0.90499316 Not Participating
305 nuget system.io.filesystem.primitives 0.90251069 Not Participating
306 go github.com/openzipkin/zipkin-go 0.90175477 Not Participating
307 nuget system.io.filesystem 0.90011231 Not Participating
308 maven com.google.code.gson:gson 0.89574553 Not Participating
309 go github.com/aws/aws-sdk-go-v2 0.89054883 Not Participating
310 nuget system.diagnostics.stacktrace 0.88829551 Not Participating
311 maven javax.inject:javax.inject 0.87717532 Not Participating
312 go github.com/prometheus/common 0.87015386 Not Participating
313 nuget system.objectmodel 0.86365692 Not Participating
314 nuget system.reflection.emit 0.86348923 Not Participating
315 nuget system.diagnostics.tracing 0.85849422 Not Participating
316 nuget runtime.native.system 0.85603262 Not Participating
317 nuget system.reflection.emit.ilgeneration 0.8552649 Not Participating
318 nuget system.linq.expressions 0.85376301 Not Participating
319 maven javax.annotation:javax.annotation-api 0.85356017 Not Participating
320 go github.com/casbin/casbin 0.85052548 Not Participating
321 nuget system.collections.concurrent 0.85037791 Not Participating
322 nuget system.runtime.interopservices.runtimeinformation 0.84054215 Not Participating
323 maven dom4j:dom4j 0.83956918 Not Participating
324 nuget system.appcontext 0.82371453 Not Participating
325 maven io.swagger:swagger-annotations 0.82207285 Not Participating
326 maven javax.jms:jms 0.81585295 Not Participating
327 maven org.bouncycastle:bcprov-jdk15on 0.81456105 Not Participating
328 nuget system.security.cryptography.cng 0.81305935 Not Participating
329 nuget system.componentmodel.eventbasedasync 0.8071146 Not Participating
330 go github.com/golang/mock 0.79837519 Not Participating
331 maven org.apache.tomcat.embed:tomcat-embed-core 0.79455965 Not Participating
332 go github.com/pact-foundation/pact-go 0.78144057 Not Participating
333 maven commons-cli:commons-cli 0.7713656 Not Participating
334 go github.com/grpc-ecosystem/go-grpc-middleware 0.76786576 Not Participating
335 maven org.hibernate.validator:hibernate-validator 0.76643505 Not Participating
336 maven software.amazon.ion:ion-java 0.76167969 Not Participating
337 go github.com/google/go-cmp 0.75989217 Not Participating
338 maven org.apache.tomcat.embed:tomcat-embed-websocket 0.75787539 Not Participating
339 maven org.springframework:spring-core 0.75570525 Not Participating
340 nuget system.security.securestring 0.75290341 Not Participating
341 go github.com/opencontainers/selinux 0.75182969 Not Participating
342 go github.com/onsi/ginkgo 0.75048106 Not Participating
343 nuget system.runtime.compilerservices.unsafe 0.74734506 Not Participating
344 go github.com/kubernetes/utils 0.74657562 Not Participating
345 maven logkit:logkit 0.7457383 Not Participating
346 maven org.glassfish.jaxb:jaxb-runtime 0.7450359 Not Participating
347 maven avalon-framework:avalon-framework 0.74380219 Not Participating
348 nuget runtime.native.system.security.cryptography 0.74223829 Not Participating
349 maven org.reactivestreams:reactive-streams 0.74041552 Not Participating
350 rubygems bundler 0.73268408 Not Participating
351 go golang.org/x/text 0.72955887 Not Participating
352 go github.com/kubernetes/kube-openapi 0.72580016 Not Participating
353 cargo rand 0.70783403 Not Participating
354 go google.golang.org/protobuf 0.70313586 Not Participating
355 go github.com/emicklei/go-restful 0.70222694 Not Participating
356 maven org.junit.platform:junit-platform-commons 0.68844703 Not Participating
357 go github.com/googleapis/gnostic 0.68444226 Not Participating
358 maven io.netty:netty-codec 0.67581134 Not Participating
359 maven stax:stax-api 0.67021254 Not Participating
360 go github.com/lib/pq 0.66303995 Not Participating
361 go github.com/containernetworking/cni 0.65962521 72
362 maven io.netty:netty-handler 0.65149103 Not Participating
363 maven org.springframework.security:spring-security-rsa 0.64578459 Not Participating
364 go golang.org/x/oauth2 0.64386938 Not Participating
365 go github.com/hashicorp/serf 0.64313385 Not Participating
366 rubygems yard 0.62598428 Not Participating
367 maven org.ow2.asm:asm-tree 0.61759744 Not Participating
368 go github.com/google/certificate-transparency-go 0.61583245 Not Participating
369 nuget system.security.principal.windows 0.61514928 Not Participating
370 nuget system.collections.immutable 0.61388331 Not Participating
371 maven org.ow2.asm:asm-analysis 0.61114332 Not Participating
372 maven javax.xml.bind:jaxb-api 0.60946996 Not Participating
373 nuget system.memory 0.60626437 Not Participating
374 go github.com/hashicorp/memberlist 0.60126786 Not Participating
375 rubygems parser 0.59756774 Not Participating
376 maven com.squareup.okio:okio 0.59381522 Not Participating
377 go github.com/uber-go/zap 0.5834304 Not Participating
378 maven org.bouncycastle:bcpkix-jdk15on 0.57867217 Not Participating
379 nuget system.reflection.metadata 0.57219128 Not Participating
380 maven commons-configuration:commons-configuration 0.57037805 Not Participating
381 maven org.glassfish.hk2:osgi-resource-locator 0.56168252 Not Participating
382 pypi coverage 0.56053682 Not Participating
383 maven org.springframework:spring-web 0.55892915 Not Participating
384 maven xerces:xercesimpl 0.55296853 Not Participating
385 go github.com/opentracing/opentracing-go 0.55084853 Not Participating
386 maven org.springframework.plugin:spring-plugin-metadata 0.54143825 Not Participating
387 nuget system.dynamic.runtime 0.53917434 Not Participating
388 pypi tox 0.53759375 Not Participating
389 go github.com/go-openapi/spec 0.53714175 Not Participating
390 go github.com/nats-io/go-nats 0.53384084 113
391 maven org.ow2.asm:asm-commons 0.52463001 Not Participating
392 maven org.jvnet.staxex:stax-ex 0.5214657 Not Participating
393 maven com.vaadin.external.google:android-json 0.50543332 Not Participating
394 maven com.sun.activation:jakarta.activation 0.50393878 Not Participating
395 go github.com/imdario/mergo 0.50161034 Not Participating
396 go github.com/go-ini/ini 0.49847934 Not Participating
397 cargo quote 0.49813622 Not Participating
398 nuget microsoft.csharp 0.49763064 Not Participating
399 maven oro:oro 0.48781361 Not Participating
400 go github.com/tonistiigi/fsutil 0.48458615 Not Participating
401 maven org.springframework.boot:spring-boot-autoconfigure 0.47825979 Not Participating
402 maven com.google.code.findbugs:annotations 0.47771969 Not Participating
403 rubygems activesupport 0.47579295 94
404 maven xml-resolver:xml-resolver 0.47165252 Not Participating
405 nuget system.collections.specialized 0.46941223 Not Participating
406 nuget system.diagnostics.contracts 0.46516851 Not Participating
407 maven net.sf.jopt-simple:jopt-simple 0.46514857 Not Participating
408 go github.com/pierrec/lz4 0.46448375 Not Participating
409 go github.com/containerd/continuity 0.46101622 Not Participating
410 pypi hypothesis 0.45597 Not Participating
411 rubygems test-unit 0.45019794 Not Participating
412 maven asm:asm 0.45000341 Not Participating
413 maven commons-digester:commons-digester 0.44780927 Not Participating
414 go github.com/xeipuuv/gojsonschema 0.44748595 Not Participating
415 maven org.springframework.retry:spring-retry 0.44741784 Not Participating
416 nuget system.runtime.serialization.primitives 0.44480934 Not Participating
417 rubygems cucumber 0.4445562 Not Participating
418 go github.com/google/go-github 0.43671551 131
419 maven net.bytebuddy:byte-buddy 0.43654584 Not Participating
420 nuget system.xml.xmldocument 0.43132486 Not Participating
421 cargo clippy 0.42607373 Not Participating
422 pypi setuptools 0.4220336 Not Participating
423 maven org.lz4:lz4-java 0.41460581 Not Participating
424 maven net.minidev:accessors-smart 0.4106971 Not Participating
425 maven org.slf4j:log4j-over-slf4j 0.39864136 Not Participating
426 go github.com/googleapis/go-genproto 0.3967301 Not Participating
427 go github.com/gobuffalo/packr 0.38469604 Not Participating
428 cargo libc 0.37733755 Not Participating
429 maven xalan:xalan 0.37429045 Not Participating
430 nuget system.componentmodel.primitives 0.3727757 Not Participating
431 maven org.ccil.cowan.tagsoup:tagsoup 0.36552699 Not Participating
432 rubygems kramdown 0.36454909 Not Participating
433 go github.com/codegangsta/cli 0.3629704 Not Participating
434 maven org.mapstruct:mapstruct 0.36093809 Not Participating
435 go github.com/armon/go-metrics 0.36075659 Not Participating
436 maven xalan:serializer 0.35723906 Not Participating
437 nuget system.componentmodel.typeconverter 0.35225869 Not Participating
438 maven org.apache.commons:commons-compress 0.35030805 Not Participating
439 go golang.org/x/sync 0.34899551 Not Participating
440 cargo compiletest_rs 0.34880501 Not Participating
441 maven dk.brics.automaton:automaton 0.34823447 Not Participating
442 maven org.springframework.boot:spring-boot-starter-logging 0.34436224 Not Participating
443 nuget system.threading.overlapped 0.34298246 Not Participating
444 go github.com/go-resty/resty 0.3396743 Not Participating
445 maven io.swagger:swagger-models 0.33057167 Not Participating
446 maven org.ow2.asm:asm-util 0.32874238 Not Participating
447 maven com.github.stephenc.jcip:jcip-annotations 0.32391416 Not Participating
448 rubygems sinatra 0.32118194 Not Participating
449 go google.golang.org/genproto 0.31331648 Not Participating
450 maven io.springfox:springfox-spi 0.31250128 Not Participating
451 maven io.springfox:springfox-swagger-common 0.31182194 Not Participating
452 maven org.junit.platform:junit-platform-engine 0.30896872 Not Participating
453 maven io.springfox:springfox-spring-web 0.30523236 Not Participating
454 maven net.minidev:json-smart 0.30162935 Not Participating
455 go github.com/rs/zerolog 0.29924514 Not Participating
456 maven io.springfox:springfox-core 0.28797717 Not Participating
457 rubygems simplecov 0.28388378 Not Participating
458 cargo quickcheck 0.27636311 Not Participating
459 go gopkg.in/yaml.v2 0.27465672 Not Participating
460 go golang.org/x/lint 0.27384694 Not Participating
461 pypi six 0.27313979 Not Participating
462 rubygems puma 0.27305065 Not Participating
463 maven com.beust:jcommander 0.26949917 Not Participating
464 maven ant:ant 0.26910121 Not Participating
465 maven xerces:xerces-impl 0.26910121 Not Participating
466 rubygems rspec 0.26798663 Not Participating
467 maven io.springfox:springfox-schema 0.26752909 Not Participating
468 maven com.thoughtworks.paranamer:paranamer 0.26698562 Not Participating
469 maven xpp3:xpp3 0.26549513 Not Participating
470 go github.com/etcd-io/bbolt 0.26519841 105
471 go github.com/evanphx/json-patch 0.26257549 Not Participating
472 maven org.dom4j:dom4j 0.26216232 Not Participating
473 go github.com/nats-io/nats.go 0.26160716 113
474 go github.com/pkg/errors 0.26054947 Not Participating
475 nuget system.componentmodel 0.26044026 Not Participating
476 go github.com/kubernetes-sigs/structured-merge-diff 0.2600829 Not Participating
477 rubygems aruba 0.25990969 Not Participating
478 go github.com/golang/gddo 0.25654279 Not Participating
479 pypi virtualenv 0.24842826 Not Participating
480 maven jakarta.transaction:jakarta.transaction-api 0.24748861 Not Participating
481 go github.com/theupdateframework/notary 0.24477267 78
482 maven org.xerial.snappy:snappy-java 0.24456708 Not Participating
483 maven org.springframework.boot:spring-boot-starter 0.24001589 Not Participating
484 maven org.codehaus.woodstox:stax2-api 0.23226919 Not Participating
485 go github.com/nats-io/jwt 0.23022788 113
486 go github.com/cilium/ebpf 0.22912757 Not Participating
487 go github.com/prometheus/prometheus 0.22871846 109
488 maven jaxen:jaxen 0.22143936 Not Participating
489 maven org.jetbrains.kotlin:kotlin-stdlib-common 0.22133409 Not Participating
490 go github.com/shopify/toxiproxy 0.21844291 Not Participating
491 go github.com/prometheus/tsdb 0.21682462 Not Participating
492 maven org.mortbay.jetty:jetty-util 0.21580118 Not Participating
493 go github.com/pkg/sftp 0.2144772 Not Participating
494 maven org.springframework:spring-webmvc 0.21378954 Not Participating
495 maven com.zaxxer:hikaricp 0.21372551 Not Participating
496 maven org.mockito:mockito-core 0.21314462 Not Participating
497 maven com.sun.istack:istack-commons-runtime 0.21171814 Not Participating
498 rubygems capybara 0.20886185 Not Participating
499 maven org.reflections:reflections 0.20530171 Not Participating
500 go github.com/envoyproxy/go-control-plane 0.2000551 Not Participating
Appendix E: Top 500 npm, Direct, Versioned Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners hosted on the npm package manager. These packages were directly observed in use and
account for the package version. For further information on how this list was compiled, refer to the Methods section.
1 npm punycode.js 2.1.0 10.1105088 Not Participating
2 npm lodash 4.17.21 9.92976683 Not Participating
3 npm express 4.17.1 6.71548695 15
4 npm axios 0.21.1 6.16996038 Not Participating
5 npm react 16.14.0 4.77392057 81
6 npm react-dom 16.14.0 4.19849472 81
7 npm body-parser 1.19.0 3.87569589 Not Participating
8 npm dotenv 8.2.0 3.41642448 Not Participating
9 npm prop-types 15.7.2 3.26594175 81
10 npm wrappy 1.0.2 3.18312168 Not Participating
11 npm color-name 1.1.3 3.17514458 Not Participating
12 npm moment 2.29.1 2.89971748 Not Participating
13 npm lodash 4.17.20 2.80017855 Not Participating
14 npm cors 2.8.5 2.79313022 Not Participating
15 npm fs.realpath 1.0.0 2.78992567 Not Participating
16 npm isarray 1.0.0 2.78625441 Not Participating
17 npm request 2.88.2 2.78300552 Not Participating
18 npm balanced-match 1.0.0 2.73394448 Not Participating
19 npm brace-expansion 1.1.11 2.71954588 Not Participating
20 npm jsonwebtoken 8.5.1 2.60241521 Not Participating
21 npm react 16.13.1 2.57209168 81
22 npm classnames 2.2.6 2.56244532 Not Participating
23 npm reflect-metadata 0.1.13 2.449997 Not Participating
24 npm winston 3.3.3 2.41551742 Not Participating
25 npm inherits 2.0.3 2.33032256 Not Participating
26 npm has-flag 3.0.0 2.28705524 Not Participating
PLATFORM | NAME | VERSION | Z-SCORE COMBINED | OPENSSF BADGE TIERED PERCENTAGE
27 npm safer-buffer 2.1.2 2.26431733 Not Participating
28 npm react-dom 16.13.1 2.23193515 81
29 npm ansi-styles 3.2.1 2.21588536 Not Participating
30 npm debug 2.6.9 2.20937991 Not Participating
31 npm string_decoder 1.1.1 2.1705889 Not Participating
32 npm react-router-dom 5.2.0 2.15912017 Not Participating
33 npm uuid 8.3.2 2.15883612 Not Participating
34 npm lodash 4.17.15 2.14315121 Not Participating
35 npm color-convert 1.9.3 2.11958087 Not Participating
36 npm moment 2.24.0 2.0979991 Not Participating
37 npm supports-color 5.5.0 2.06423304 Not Participating
38 npm morgan 1.10.0 2.05692981 Not Participating
39 npm isexe 2.0.0 2.00950615 Not Participating
40 npm ansi-regex 2.1.1 1.95496742 Not Participating
41 npm safe-buffer 5.1.2 1.92951809 Not Participating
42 npm once 1.4.0 1.91584809 Not Participating
43 npm minimatch 3.0.4 1.87789594 Not Participating
44 npm axios 0.19.2 1.83991657 Not Participating
45 npm json-schema-traverse 0.4.1 1.83977734 Not Participating
46 npm concat-map 0.0.1 1.80745393 Not Participating
47 npm is-stream 1.1.0 1.79541357 Not Participating
48 npm @toruslabs/tweetnacl-js 1.0.3 1.78776999 Not Participating
49 npm ms 2.0.0 1.77542964 Not Participating
50 npm util-deprecate 1.0.2 1.75729093 Not Participating
51 npm express 4.16.4 1.74967845 15
52 npm number-is-nan 1.0.1 1.72944425 Not Participating
53 npm escape-string-regexp 1.0.5 1.72453896 Not Participating
54 npm set-blocking 2.0.0 1.71181343 Not Participating
55 npm core-util-is 1.0.2 1.7084171 Not Participating
56 npm delayed-stream 1.0.0 1.67095143 Not Participating
57 npm redux 3.7.2 1.65773291 Not Participating
58 npm path-is-absolute 1.0.1 1.63329988 Not Participating
59 npm os-tmpdir 1.0.2 1.61962382 Not Participating
60 npm code-point-at 1.1.0 1.61004915 Not Participating
61 npm inflight 1.0.6 1.60989487 Not Participating
62 npm js-tokens 4.0.0 1.60753469 Not Participating
63 npm string-width 1.0.2 1.59869713 Not Participating
64 npm process-nextick-args 2.0.1 1.57376513 Not Participating
65 npm react 16.8.6 1.57038465 81
66 npm is-fullwidth-code-point 2.0.0 1.56748548 Not Participating
67 npm path-parse 1.0.6 1.5609702 Not Participating
68 npm react-dom 16.8.6 1.54509962 81
69 npm object-assign 4.1.1 1.54312703 Not Participating
70 npm function-bind 1.1.1 1.51653037 Not Participating
71 npm lodash 4.5.0 1.5076217 Not Participating
72 npm bluebird 3.7.2 1.48771891 Not Participating
73 npm sprintf-js 1.0.3 1.45201343 Not Participating
74 npm json-schema 0.2.3 1.44666278 Not Participating
75 npm ee-first 1.1.1 1.44150771 Not Participating
76 npm tunnel-agent 0.6.0 1.43213684 Not Participating
77 npm jsbn 0.1.1 1.4234374 Not Participating
78 npm uuid 3.4.0 1.42158631 Not Participating
79 npm path-exists 3.0.0 1.41766507 Not Participating
80 npm typedarray 0.0.6 1.41464493 Not Participating
81 npm jsprim 1.4.1 1.41028074 Not Participating
82 npm extsprintf 1.3.0 1.41012033 Not Participating
83 npm sax 1.2.4 1.38845567 Not Participating
84 npm chalk 2.4.2 1.38239797 Not Participating
85 npm uri-js 4.2.2 1.36956844 Not Participating
86 npm buffer-from 1.1.1 1.36126464 Not Participating
87 npm inherits 2.0.4 1.34180598 Not Participating
88 npm glob 7.1.6 1.34175624 Not Participating
89 npm redux-thunk 2.3.0 1.33633284 Not Participating
90 npm body-parser 1.18.3 1.33209245 Not Participating
91 npm define-properties 1.1.3 1.33093939 Not Participating
92 npm har-schema 2.0.0 1.33056315 Not Participating
93 npm semver 5.7.1 1.32070447 Not Participating
94 npm has 1.0.3 1.31853188 Not Participating
95 npm iconv-lite 0.4.24 1.31667117 Not Participating
96 npm aws-sign2 0.7.0 1.30499898 Not Participating
97 npm bcrypt-pbkdf 1.0.2 1.30407208 Not Participating
98 npm asn1 0.2.4 1.30094116 Not Participating
99 npm http-signature 1.2.0 1.30088699 Not Participating
100 npm fresh 0.5.2 1.29853333 Not Participating
101 npm debug 4.1.1 1.29798499 Not Participating
102 npm ms 2.1.2 1.29038802 Not Participating
103 npm utils-merge 1.0.1 1.27166726 Not Participating
104 npm lodash 4.17.11 1.26773057 Not Participating
105 npm strip-ansi 3.0.1 1.26554725 Not Participating
106 npm vary 1.1.2 1.26174738 Not Participating
107 npm tweetnacl 0.14.5 1.25148724 Not Participating
108 npm p-try 2.2.0 1.24933243 Not Participating
109 npm supports-color 2.0.0 1.24220937 Not Participating
110 npm redux 4.0.5 1.23598681 Not Participating
111 npm media-typer 0.3.0 1.23310107 Not Participating
112 npm babel-polyfill 6.26.0 1.22329023 27
113 npm ecc-jsbn 0.1.2 1.22073819 Not Participating
114 npm oauth-sign 0.9.0 1.21506796 Not Participating
115 npm has-ansi 2.0.0 1.21306735 Not Participating
116 npm extend 3.0.2 1.2038974 Not Participating
117 npm shebang-command 1.2.0 1.20330913 Not Participating
118 npm ansi-styles 2.2.1 1.2012527 Not Participating
119 npm is-fullwidth-code-point 1.0.0 1.16593819 Not Participating
120 npm morgan 1.9.1 1.16122699 Not Participating
121 npm ansi-regex 3.0.0 1.14494325 Not Participating
122 npm forwarded 0.1.2 1.13182092 Not Participating
123 npm object-keys 1.1.1 1.11807554 Not Participating
124 npm path-to-regexp 0.1.7 1.11790809 Not Participating
125 npm node-sass 4.14.1 1.11602043 Not Participating
126 npm multer 1.4.2 1.10376102 Not Participating
127 npm string-width 2.1.1 1.10272933 Not Participating
128 npm for-in 1.0.2 1.09786446 Not Participating
129 npm setprototypeof 1.1.1 1.09741221 Not Participating
130 npm toidentifier 1.0.0 1.09388026 Not Participating
131 npm merge-descriptors 1.0.1 1.08640001 Not Participating
132 npm arr-flatten 1.1.0 1.07203528 Not Participating
133 npm styled-components 4.4.1 1.07158008 Not Participating
134 npm is-extendable 0.1.1 1.0679762 Not Participating
135 npm isobject 3.0.1 1.06303486 Not Participating
136 npm axios 0.18.1 1.05242476 Not Participating
137 npm classnames 2.3.1 1.0485937 Not Participating
138 npm error-ex 1.3.2 1.0449439 Not Participating
139 npm decamelize 1.2.0 1.02206131 Not Participating
140 npm cookie-parser 1.4.5 1.01604505 Not Participating
141 npm react 17.0.2 1.00568578 81
142 npm source-map 0.5.7 0.99670616 Not Participating
143 npm is-plain-object 2.0.4 0.98968082 Not Participating
144 npm path 0.12.7 0.97197241 107
145 npm performance-now 2.1.0 0.96979104 Not Participating
146 npm ini 1.3.5 0.96859849 Not Participating
147 npm os-homedir 1.0.2 0.96770441 Not Participating
148 npm strip-eof 1.0.0 0.95544409 Not Participating
149 npm arr-union 3.1.0 0.95312845 Not Participating
150 npm is-extendable 1.0.1 0.95242809 Not Participating
151 npm asynckit 0.4.0 0.95217281 Not Participating
152 npm is-number 3.0.0 0.9499661 Not Participating
153 npm punycode 2.1.1 0.94897628 Not Participating
154 npm is-glob 4.0.1 0.94849018 Not Participating
155 npm kind-of 4.0.0 0.94659167 Not Participating
156 npm source-map 0.6.1 0.94619266 Not Participating
157 npm js-cookie 2.2.1 0.94592118 Not Participating
158 npm react-dom 17.0.2 0.94515496 81
159 npm on-finished 2.3.0 0.94413442 Not Participating
160 npm is-accessor-descriptor 1.0.0 0.94122366 Not Participating
161 npm pump 3.0.0 0.94050396 Not Participating
162 npm remove-trailing-separator 1.1.0 0.93888198 Not Participating
163 npm npm-run-path 2.0.2 0.93645101 Not Participating
164 npm is-data-descriptor 1.0.0 0.93538724 Not Participating
165 npm extend-shallow 3.0.2 0.93527975 Not Participating
166 npm is-descriptor 1.0.2 0.93215751 Not Participating
167 npm assign-symbols 1.0.0 0.92860116 Not Participating
168 npm object-copy 0.1.0 0.92328897 Not Participating
169 npm assert-plus 1.0.0 0.92221916 Not Participating
170 npm which 1.3.1 0.92220782 Not Participating
171 npm source-map-url 0.4.0 0.92212888 Not Participating
172 npm has-values 1.0.0 0.92140413 Not Participating
173 npm map-visit 1.0.0 0.91749265 Not Participating
174 npm object-visit 1.0.1 0.91745255 Not Participating
175 npm escape-html 1.0.3 0.91744052 Not Participating
176 npm copy-descriptor 0.1.1 0.91741245 Not Participating
177 npm is-typedarray 1.0.0 0.91562941 Not Participating
178 npm passport-local 1.0.0 0.91527266 Not Participating
179 npm range-parser 1.2.1 0.908281 Not Participating
180 npm define-property 1.0.0 0.90710889 Not Participating
181 npm esprima 4.0.1 0.9010348 Not Participating
182 npm y18n 4.0.0 0.89976965 Not Participating
183 npm micromatch 3.1.10 0.89710465 Not Participating
184 npm mysql 2.18.1 0.89688355 Not Participating
185 npm pify 2.3.0 0.89432723 Not Participating
186 npm signal-exit 3.0.2 0.89387123 Not Participating
187 npm end-of-stream 1.4.4 0.89309442 Not Participating
188 npm to-object-path 0.3.0 0.89305426 Not Participating
189 npm snapdragon-util 3.0.1 0.88475006 Not Participating
190 npm zone.js 0.10.3 0.88462415 Not Participating
191 npm arr-diff 4.0.0 0.88426014 Not Participating
192 npm expand-brackets 2.1.4 0.88236538 Not Participating
193 npm define-property 2.0.2 0.88196146 Not Participating
194 npm has-values 0.1.4 0.88163195 Not Participating
195 npm split-string 3.1.0 0.88087868 Not Participating
196 npm combined-stream 1.0.8 0.88063313 Not Participating
197 npm static-extend 0.1.2 0.87933616 Not Participating
198 npm ms 2.1.1 0.87877748 Not Participating
199 npm pascalcase 0.1.1 0.878494 Not Participating
200 npm unset-value 1.0.0 0.8784539 Not Participating
201 npm extglob 2.0.4 0.87648885 Not Participating
202 npm has-value 0.3.1 0.87579553 Not Participating
203 npm snapdragon-node 2.1.1 0.87484174 Not Participating
204 npm collection-visit 1.0.0 0.87345964 Not Participating
205 npm cache-base 1.0.1 0.87257737 Not Participating
206 npm posix-character-classes 0.1.1 0.871655 Not Participating
207 npm has-value 1.0.0 0.8715748 Not Participating
208 npm path-key 2.0.1 0.86933113 Not Participating
209 npm to-regex-range 2.1.1 0.86900532 Not Participating
210 npm fill-range 4.0.0 0.86820326 Not Participating
211 npm node-fetch 2.6.1 0.86598713 Not Participating
212 npm array-unique 0.3.2 0.86312879 Not Participating
213 npm class-utils 0.3.6 0.86098473 Not Participating
214 npm dashdash 1.14.1 0.85513076 Not Participating
215 npm dotenv 6.2.0 0.85320942 Not Participating
216 npm normalize-path 2.1.1 0.85297572 Not Participating
217 npm kind-of 5.1.0 0.8494909 Not Participating
218 npm json-parse-better-errors 1.0.2 0.84763295 Not Participating
219 npm is-data-descriptor 0.1.4 0.8466837 Not Participating
220 npm is-accessor-descriptor 0.1.6 0.8466436 Not Participating
221 npm pinkie 2.0.4 0.84192881 Not Participating
222 npm is-descriptor 0.1.6 0.84072697 Not Participating
223 npm cookie-parser 1.4.3 0.83865138 Not Participating
224 npm chalk 1.1.3 0.83502049 Not Participating
225 npm forever-agent 0.6.1 0.83314105 Not Participating
226 npm pinkie-promise 2.0.1 0.83256043 Not Participating
227 npm core-js 2.6.12 0.82639197 Not Participating
228 npm strip-ansi 5.2.0 0.82366547 Not Participating
229 npm imurmurhash 0.1.4 0.82216366 Not Participating
230 npm which-module 2.0.0 0.82108356 Not Participating
231 npm sshpk 1.16.1 0.81553325 Not Participating
232 npm through 2.3.8 0.80844923 Not Participating
233 npm minimist 1.2.5 0.80550186 Not Participating
234 npm caseless 0.12.0 0.79867737 Not Participating
235 npm find-up 3.0.0 0.79841509 Not Participating
236 npm is-arrayish 0.2.1 0.78811652 Not Participating
237 npm form-data 2.3.3 0.78784776 Not Participating
238 npm locate-path 3.0.0 0.7877076 Not Participating
239 npm p-locate 3.0.0 0.7876274 Not Participating
240 npm destroy 1.0.4 0.77777298 Not Participating
241 npm http-errors 1.7.2 0.77530508 Not Participating
242 npm etag 1.8.1 0.77216675 Not Participating
243 npm kind-of 3.2.2 0.77187398 Not Participating
244 npm express-session 1.17.1 0.76892601 Not Participating
245 npm nanomatch 1.2.13 0.7683511 Not Participating
246 npm validate-npm-package-license 3.0.4 0.76532478 Not Participating
247 npm isstream 0.1.2 0.76437489 Not Participating
248 npm encodeurl 1.0.2 0.75989474 Not Participating
249 npm compression 1.7.4 0.75946516 15
250 npm use 3.1.1 0.75647774 Not Participating
251 npm snapdragon 0.8.2 0.75574721 Not Participating
252 npm helmet 3.23.3 0.75283554 Not Participating
253 npm jquery 3.6.0 0.7505369 Not Participating
254 npm jwt-decode 2.2.0 0.74747205 Not Participating
255 npm argparse 1.0.10 0.74350969 Not Participating
256 npm unpipe 1.0.0 0.74343607 Not Participating
257 npm repeat-element 1.1.3 0.74337112 Not Participating
258 npm zone.js 0.8.29 0.74210856 Not Participating
259 npm negotiator 0.6.2 0.73991404 Not Participating
260 npm colors.js 1.2.4 0.7372139 Not Participating
261 npm dotenv 4.0.0 0.73138158 Not Participating
262 npm debug 3.2.6 0.72972165 Not Participating
263 npm strip-ansi 4.0.0 0.72367211 Not Participating
264 npm rimraf 2.7.1 0.71815066 Not Participating
265 npm getpass 0.1.7 0.71119192 Not Participating
266 npm is-extglob 2.1.1 0.7082443 Not Participating
267 npm reselect 4.0.0 0.7030317 Not Participating
268 npm methods 1.1.2 0.69832403 Not Participating
269 npm semver 6.3.0 0.69370051 Not Participating
270 npm pseudomap 1.0.2 0.69253796 Not Participating
271 npm is-glob 3.1.0 0.69131338 Not Participating
272 npm is-buffer 1.1.6 0.68440455 Not Participating
273 npm mime 1.6.0 0.68198407 Not Participating
274 npm jquery 3.5.1 0.68004532 Not Participating
275 npm lodash 4.17.4 0.67851289 Not Participating
276 npm raw-body 2.4.0 0.67023086 Not Participating
277 npm send 0.17.1 0.66935438 Not Participating
278 npm loose-envify 1.4.0 0.66805894 Not Participating
279 npm concat-stream 1.6.2 0.66649693 Not Participating
280 npm decode-uri-component 0.2.0 0.66512083 Not Participating
281 npm pify 3.0.0 0.66119114 Not Participating
282 npm babel-runtime 6.26.0 0.65647026 27
283 npm cookie-signature 1.0.6 0.64759735 Not Participating
284 npm express 4.16.3 0.64479953 15
285 npm lodash 4.17.19 0.63483876 Not Participating
286 npm redis 2.8.0 0.62947527 Not Participating
287 npm querystring 0.2.0 0.62640562 Not Participating
288 npm aproba 1.2.0 0.62590698 Not Participating
289 npm braces 2.3.2 0.62554128 Not Participating
290 npm ieee754 1.1.13 0.62523702 Not Participating
291 npm punycode 1.4.1 0.62467845 Not Participating
292 npm normalize-path 3.0.0 0.61796183 Not Participating
293 npm body-parser 1.18.2 0.61721586 Not Participating
294 npm deep-is 0.1.3 0.61502564 Not Participating
295 npm request 2.88.0 0.60805043 Not Participating
296 npm content-type 1.0.4 0.6071139 Not Participating
297 npm isobject 2.1.0 0.60469025 Not Participating
298 npm shebang-regex 1.0.0 0.59935327 Not Participating
299 npm serve-static 1.14.1 0.59921994 Not Participating
300 npm object.assign 4.1.0 0.59861321 Not Participating
301 npm base 0.11.2 0.59810509 Not Participating
302 npm string-width 3.1.0 0.59683876 Not Participating
303 npm react-router-dom 4.3.1 0.59652812 Not Participating
304 npm parseurl 1.3.3 0.59605142 Not Participating
305 npm emoji-regex 7.0.3 0.59571298 Not Participating
306 npm repeat-string 1.6.1 0.59316625 Not Participating
307 npm statuses 1.5.0 0.59148941 Not Participating
308 npm moment-timezone 0.5.33 0.58886599 Not Participating
309 npm json-stringify-safe 5.0.1 0.58657613 Not Participating
310 npm babel-core 6.26.3 0.58580114 27
311 npm path-dirname 1.0.2 0.58548589 Not Participating
312 npm bcryptjs 2.4.3 0.58503493 Not Participating
313 npm request-promise 4.2.6 0.58197007 Not Participating
314 npm axios 0.18.0 0.5773728 Not Participating
315 npm extend-shallow 2.0.1 0.57417068 Not Participating
316 npm glob-parent 3.1.0 0.56817424 Not Participating
317 npm bytes 3.1.0 0.56170892 Not Participating
318 npm xml2js 0.4.23 0.55821748 Not Participating
319 npm get-stream 4.1.0 0.55655931 Not Participating
320 npm debug 3.1.0 0.55576423 Not Participating
321 npm esutils 2.0.3 0.55241297 Not Participating
322 npm is-windows 1.0.2 0.54733345 Not Participating
323 npm has-unicode 2.0.1 0.54672745 Not Participating
324 npm is-binary-path 1.0.1 0.5309273 Not Participating
325 npm normalize-package-data 2.5.0 0.52705138 Not Participating
326 npm accepts 1.3.7 0.51858488 Not Participating
327 npm hammerjs 2.0.8 0.51530956 Not Participating
328 npm setimmediate 1.0.5 0.51481545 Not Participating
329 npm levn 0.3.0 0.50968517 Not Participating
330 npm wrap-ansi 2.1.0 0.50810998 Not Participating
331 npm bootstrap 4.6.0 0.506115 84
332 npm cross-spawn 6.0.5 0.50295611 Not Participating
333 npm rxjs 6.6.7 0.49845287 Not Participating
334 npm nice-try 1.0.5 0.49232723 Not Participating
335 npm react 15.7.0 0.49155696 81
336 npm p-finally 1.0.0 0.48931044 Not Participating
337 npm verror 1.10.0 0.48353542 Not Participating
338 npm node-fetch 2.6.0 0.48290811 Not Participating
339 npm serve-favicon 2.5.0 0.47546649 Not Participating
340 npm fs 0.0.1-security 0.47393406 Not Participating
341 npm regenerator-runtime 0.11.1 0.46612595 Not Participating
342 npm strip-json-comments 2.0.1 0.46534056 Not Participating
343 npm type-is 1.6.18 0.46367557 Not Participating
344 npm abbrev 1.1.1 0.46216506 Not Participating
345 npm prr 1.0.1 0.46094439 Not Participating
346 npm invariant 2.2.4 0.45776388 Not Participating
347 npm vue 2.6.12 0.45631117 15
348 npm xtend 4.0.2 0.45444727 Not Participating
349 npm ansi-regex 5.0.0 0.44926823 Not Participating
350 npm fast-levenshtein 2.0.6 0.44817306 Not Participating
351 npm content-disposition 0.5.3 0.4426728 Not Participating
352 npm errno 0.1.7 0.43862277 Not Participating
353 npm pump 2.0.1 0.43751146 Not Participating
354 npm from2 2.3.0 0.43671933 Not Participating
355 npm define-property 0.2.5 0.43205707 Not Participating
356 npm lru-cache 5.1.1 0.42566287 Not Participating
357 npm component-emitter 1.3.0 0.42264031 Not Participating
358 npm anymatch 2.0.0 0.40722258 Not Participating
359 npm react-dom 15.7.0 0.40650733 81
360 npm to-fast-properties 2.0.0 0.39914124 Not Participating
361 npm @babel/runtime 7.14.0 0.39807899 27
362 npm has-symbols 1.0.1 0.39574202 Not Participating
363 npm async 3.2.0 0.39501414 Not Participating
364 npm babel-eslint 10.1.0 0.37815746 27
365 npm punycode 1.3.2 0.3777246 Not Participating
366 npm find-up 2.1.0 0.37695604 Not Participating
367 npm mimic-fn 2.1.0 0.3764583 Not Participating
368 npm minimist 0.0.8 0.37564137 Not Participating
369 npm cookie 0.4.0 0.37465439 Not Participating
370 npm uuid 3.3.2 0.37362271 Not Participating
371 npm axios 0.19.0 0.37356018 Not Participating
372 npm qs 6.5.2 0.36819625 Not Participating
373 npm pumpify 1.5.1 0.36653631 Not Participating
374 npm wide-align 1.1.3 0.3595609 Not Participating
375 npm zone.js 0.9.1 0.35900213 Not Participating
376 npm readable-stream 2.3.6 0.35502473 Not Participating
377 npm lodash 3.10.1 0.35363864 Not Participating
378 npm readable-stream 2.3.7 0.35030296 Not Participating
379 npm p-locate 2.0.0 0.34905722 Not Participating
380 npm locate-path 2.0.0 0.34889681 Not Participating
381 npm har-validator 5.1.3 0.34815017 Not Participating
382 npm qs 6.7.0 0.3448904 Not Participating
383 npm readdirp 2.2.1 0.34322369 Not Participating
384 npm js-yaml 3.14.1 0.33984681 Not Participating
385 npm moment 2.22.2 0.3329509 Not Participating
386 npm core-js 2.6.11 0.33145114 Not Participating
387 npm @hapi/joi 17.1.1 0.33141847 Not Participating
388 npm aws-sdk 2.912.0 0.33141847 Not Participating
389 npm minimist 1.2.0 0.33139148 Not Participating
390 npm core-js 3.6.5 0.33115977 Not Participating
391 npm babel-preset-es2015 6.24.1 0.33065226 27
392 npm mixin-deep 1.3.2 0.32917609 Not Participating
393 npm currently-unhandled 0.4.1 0.32866431 Not Participating
394 npm co 4.6.0 0.32292704 Not Participating
395 npm color-name 1.1.4 0.32198201 Not Participating
396 npm array-uniq 1.0.3 0.32002724 Not Participating
397 npm commander 2.20.3 0.30910134 Not Participating
398 npm react-redux 5.1.2 0.30689966 Not Participating
399 npm immutable 3.8.2 0.30536724 Not Participating
400 npm winston 3.2.1 0.30460102 Not Participating
401 npm jsesc 0.5.0 0.29796609 Not Participating
402 npm graphql-tag 2.11.0 0.29693889 Not Participating
403 npm loud-rejection 1.6.0 0.29364577 Not Participating
404 npm indent-string 2.1.0 0.29364577 Not Participating
405 npm @types/color-name 1.1.1 0.29086166 Not Participating
406 npm universalify 0.1.2 0.28952672 Not Participating
407 npm redux-logger 3.0.6 0.28927677 Not Participating
408 npm fast-json-stable-stringify 2.1.0 0.28470654 Not Participating
409 npm p-try 1.0.0 0.28040514 Not Participating
410 npm osenv 0.1.5 0.27926262 Not Participating
411 npm minimalistic-assert 1.0.1 0.27847152 Not Participating
412 npm classnames 2.2.5 0.27778357 Not Participating
413 npm urix 0.1.0 0.27605338 Not Participating
414 npm safe-regex 1.1.0 0.27136134 Not Participating
415 npm bootstrap 3.4.1 0.26782281 84
416 npm set-value 2.0.1 0.2660884 Not Participating
417 npm es-to-primitive 1.2.1 0.2652413 Not Participating
418 npm ret 0.1.15 0.26020983 Not Participating
419 npm resolve-url 0.2.1 0.25820468 Not Participating
420 npm to-regex 3.0.2 0.25784376 Not Participating
421 npm object.pick 1.3.0 0.25313022 Not Participating
422 npm union-value 1.0.1 0.25172866 Not Participating
423 npm duplexify 3.7.1 0.25078025 Not Participating
424 npm array-flatten 1.1.1 0.24890005 Not Participating
425 npm commondir 1.0.1 0.24844889 Not Participating
426 npm fs-extra 8.1.0 0.24725695 Not Participating
427 npm get-stdin 4.0.1 0.24695439 Not Participating
428 npm regex-not 1.0.2 0.24571117 Not Participating
429 npm zone.js 0.8.26 0.24560263 Not Participating
430 npm gauge 2.7.4 0.24252829 Not Participating
431 npm npmlog 4.1.2 0.24060724 Not Participating
432 npm popper.js 1.16.1 0.23604209 Not Participating
433 npm chart.js 2.9.4 0.23410944 Not Participating
434 npm map-cache 0.2.2 0.22934629 Not Participating
435 npm date-fns 2.16.1 0.22874595 Not Participating
436 npm istanbul 0.4.5 0.22644731 Not Participating
437 npm path-exists 2.1.0 0.22562908 Not Participating
438 npm strip-indent 1.0.1 0.2236087 Not Participating
439 npm camelcase-keys 2.1.0 0.2236087 Not Participating
440 npm get-value 2.0.6 0.21933916 Not Participating
441 npm require-directory 2.1.1 0.21664981 Not Participating
442 npm rimraf 3.0.2 0.21620471 Not Participating
443 npm react-scripts 4.0.3 0.21572033 Not Participating
444 npm ejs 2.7.4 0.21572033 Not Participating
445 npm ajv 6.12.6 0.21418791 99
446 npm redis 3.0.2 0.21342169 Not Participating
447 npm json5 1.0.1 0.21332865 Not Participating
448 npm buffer-xor 1.0.3 0.21214417 Not Participating
449 npm trim-newlines 1.0.0 0.21193586 Not Participating
450 npm uuid 8.3.0 0.21112306 Not Participating
451 npm fragment-cache 0.2.1 0.20646323 Not Participating
452 npm moment-timezone 0.5.31 0.20575957 Not Participating
453 npm react-redux 7.2.2 0.20575957 Not Participating
454 npm debug 4.3.1 0.2019285 Not Participating
455 npm mkdirp 0.5.1 0.20128241 Not Participating
456 npm delegates 1.0.0 0.20115807 Not Participating
457 npm cipher-base 1.0.4 0.19717999 Not Participating
458 npm util 0.10.3 0.19647839 Not Participating
459 npm depd 1.1.2 0.19370267 Not Participating
460 npm classlist.js 1.1.20150312 0.19120152 Not Participating
461 npm constants-browserify 1.0.0 0.19033396 Not Participating
462 npm swagger-ui-express 4.1.6 0.1896691 Not Participating
463 npm redent 1.0.0 0.18859016 Not Participating
464 npm react 17.0.1 0.18562465 81
465 npm @material-ui/icons 4.11.2 0.18507182 Not Participating
466 npm bootstrap 4.3.1 0.18430561 84
467 npm cookie-parser 1.4.4 0.18353939 Not Participating
468 npm rxjs 6.6.3 0.18121678 Not Participating
469 npm eslint-plugin-import 2.22.1 0.18047454 Not Participating
470 npm path-is-inside 1.0.2 0.17921239 Not Participating
471 npm csurf 1.11.0 0.17894212 Not Participating
472 npm font-awesome 4.7.0 0.17582457 Not Participating
473 npm passport 0.3.2 0.17281241 Not Participating
474 npm pg 8.5.1 0.1720462 Not Participating
475 npm history 4.10.1 0.17204083 Not Participating
476 npm builtin-status-codes 3.0.0 0.17146409 Not Participating
477 npm strip-bom 3.0.0 0.17143845 Not Participating
478 npm evp_bytestokey 1.0.3 0.17080798 Not Participating
479 npm through2 2.0.5 0.16673637 Not Participating
480 npm prop-types 15.6.2 0.16515028 81
481 npm graphql 14.7.0 0.16438407 Not Participating
482 npm node-uuid 1.4.8 0.16438407 Not Participating
483 npm which 2.0.2 0.16197084 Not Participating
484 npm url 0.11.0 0.16109683 Not Participating
485 npm express 4.16.2 0.16055301 15
486 npm chai 4.2.0 0.16055301 Not Participating
487 npm @testing-library/jest-dom 4.2.4 0.15902058 Not Participating
488 npm bcrypt 5.0.0 0.15595573 Not Participating
489 npm glob 7.1.7 0.15365709 Not Participating
490 npm jsesc 2.5.2 0.15078794 Not Participating
491 npm @testing-library/user-event 7.2.1 0.15059224 Not Participating
492 npm array-union 1.0.2 0.15048322 Not Participating
493 npm process 0.11.10 0.15021745 Not Participating
494 npm core-js 3.12.1 0.1482936 Not Participating
495 npm uuid 8.3.1 0.1482936 Not Participating
496 npm core-js 2.5.7 0.14752739 Not Participating
497 npm @testing-library/react 9.5.0 0.14522875 Not Participating
498 npm tough-cookie 2.5.0 0.13682179 Not Participating
499 npm tmp 0.0.33 0.13270351 Not Participating
500 npm supports-color 7.1.0 0.13093117 Not Participating
Appendix F: Top 500 Non-npm, Direct, Versioned Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners hosted on package managers other than npm. These packages were directly observed in use
and account for the package version. For further information on how this list was compiled, refer to the Methods section.
1 go github.com/pkg/errors v0.9.1 12.1575574 Not Participating
2 maven org.slf4j:slf4j-api 1.7.30 5.80930357 Not Participating
3 maven javax.xml:jsr173 1 5.49244316 Not Participating
4 maven ch.qos.logback:logback-classic 1.2.3 5.28139615 Not Participating
5 maven junit:junit 4.12 5.11797806 Not Participating
6 maven com.fasterxml.jackson.core:jackson-databind 2.12.3 4.90027993 Not Participating
7 maven org.apiguardian:apiguardian-api 1.1.0 4.88501811 Not Participating
8 maven org.opentest4j:opentest4j 1.2.0 4.88501811 Not Participating
9 go github.com/davecgh/go-spew v1.1.1 4.58399108 Not Participating
10 maven com.fasterxml.jackson.core:jackson-core 2.12.3 4.5726924 Not Participating
11 maven activation:activation 1.0.2 4.42980536 Not Participating
12 go gopkg.in/yaml.v2 v2.3.0 4.3855869 Not Participating
13 maven org.slf4j:slf4j-api 1.7.25 4.33129259 Not Participating
14 maven org.apache.httpcomponents:httpclient 4.5.13 4.27363505 Not Participating
15 maven commons-codec:commons-codec 1.1 4.14371056 Not Participating
16 nuget modernizr 2.6.2 4.02109851 24
17 go github.com/kubernetes-sigs/yaml v1.2.0 3.89831841 Not Participating
18 maven javax.inject:javax.inject 1 3.79631833 Not Participating
19 maven commons-logging:commons-logging 1.2 3.75161846 Not Participating
20 maven commons-lang:commons-lang 2.6 3.70423907 Not Participating
21 go github.com/spf13/pflag v1.0.5 3.67330831 Not Participating
22 maven com.google.code.findbugs:jsr305 3.0.2 3.60046021 Not Participating
23 nuget modernizr 2.8.3 3.57152098 24
24 maven log4j:log4j 1.2.17 3.42136986 Not Participating
25 go gopkg.in/inf.v0 v0.9.1 3.36239908 Not Participating
26 go github.com/google/uuid v1.1.2 3.35099654 Not Participating
27 go github.com/gogo/protobuf v1.3.1 3.1541127 Not Participating
28 go github.com/cespare/xxhash v2.0.0-20191114174713-d7df74196a9e 3.10926272 Not Participating
29 maven commons-collections:commons-collections 3.2.2 2.86779865 Not Participating
30 maven ch.qos.logback:logback-core 1.2.3 2.82387067 Not Participating
31 maven org.hamcrest:hamcrest-core 1.3 2.74535213 Not Participating
32 go github.com/fatih/color v1.9.0 2.74058063 Not Participating
33 maven javax.servlet:javax.servlet-api 3.1.0 2.69828861 Not Participating
34 maven javax.validation:validation-api 1.1.0.final 2.63149523 Not Participating
35 go github.com/kubernetes/client-go v0.19.0-rc.2 2.59918915 Not Participating
36 pypi chardet 3.0.4 2.55810868 Not Participating
37 maven jakarta.ws.rs:jakarta.ws.rs-api 2.1.6 2.48795187 Not Participating
38 go github.com/stretchr/testify v1.6.0 2.42054937 Not Participating
39 maven com.google.guava:failureaccess 1.0.1 2.30531496 Not Participating
40 maven com.google.guava:listenablefuture 9999.0-empty-to-avoid-conflict-with-guava 2.26035245 Not Participating
41 maven commons-io:commons-io 2.4 2.22855102 Not Participating
42 go github.com/kubernetes/klog v1.0.0 2.19781978 Not Participating
43 maven commons-io:commons-io 2.6 2.19643472 Not Participating
44 go github.com/ghodss/yaml v1.0.0 2.15449013 Not Participating
45 pypi python-dateutil 2.8.1 2.14568015 Not Participating
46 maven org.jetbrains:annotations 13 2.14290302 Not Participating
47 maven com.google.code.gson:gson 2.8.6 2.13787802 Not Participating
48 maven javax.validation:validation-api 2.0.1.Final 2.03235599 Not Participating
49 maven net.minidev:json-smart 2.3 1.96713167 Not Participating
50 maven com.jayway.jsonpath:json-path 2.4.0 1.96647189 Not Participating
51 pypi requests 2.25.1 1.94384071 Not Participating
52 maven commons-beanutils:commons-beanutils 1.9.4 1.94179449 Not Participating
53 maven org.apache.httpcomponents:httpcore 4.4.4 1.9366936 Not Participating
54 maven xmlpull:xmlpull 1.1.3.1 1.9366936 Not Participating
55 maven org.apache.commons:commons-lang3 3.4 1.90084043 Not Participating
56 maven javax.annotation:javax.annotation-api 1.3.2 1.89465797 Not Participating
57 maven aopalliance:aopalliance 1 1.88685312 Not Participating
58 maven javax.xml.bind:jaxb-api 2.3.1 1.86776835 Not Participating
59 maven commons-cli:commons-cli 1.4 1.80150227 Not Participating
60 go github.com/matttproud/golang_protobuf_extensions v1.0.1 1.79721058 Not Participating
61 pypi packaging 16.8 1.77321086 Not Participating
62 go github.com/PuerkitoBio/purell 4.50E+11 1.77288516 Not Participating
63 maven dom4j:dom4j 1.6.1 1.76521023 Not Participating
64 pypi sqlparse 0.3.0 1.75160042 Not Participating
65 go golang.org/x/crypto v0.0.0-20200622200202-75b288015ac9 1.74779958 Not Participating
66 pypi retry 0.9.2 1.74703941 Not Participating
67 pypi python-geohash 0.8.5 1.74323856 Not Participating
68 pypi polyline 1.4.0 1.74247839 Not Participating
69 pypi flask-talisman 0.7.0 1.74247839 Not Participating
70 maven javax.validation:validation-api 2.0.1.final 1.73234017 Not Participating
71 go github.com/go-stack/stack v1.8.0 1.72955551 Not Participating
72 go github.com/go-openapi/jsonpointer v0.19.3 1.72727501 Not Participating
73 pypi sphinx-rtd-theme 0.4.3 1.7173928 Not Participating
74 pypi pathlib2 2.3.5 1.70827077 Not Participating
75 go golang.org/x/oauth2 v0.0.0-20200107161121-bf48bf16ab8d 1.70599027 Not Participating
76 maven antlr:antlr 2.7.7 1.69571475 Not Participating
77 pypi MarkupSafe 1.1.1 1.69078688 Not Participating
78 go golang.org/x/text v0.0.0-20200611185030-23ae387dee1f 1.6877462 Not Participating
79 maven com.google.guava:guava 30.1-jre 1.68044607 Not Participating
80 pypi PyYAML 5.3.1 1.67406316 Not Participating
81 go github.com/go-openapi/jsonreference v0.19.3 1.63605469 Not Participating
82 go github.com/PuerkitoBio/urlesc de5bf2ad4578 1.63605469 Not Participating
83 pypi markupsafe 1.1.1 1.63214294 Not Participating
84 go github.com/beorn7/perks v1.0.1 1.61781063 Not Participating
85 maven com.google.j2objc:j2objc-annotations 1.3 1.61740827 Not Participating
86 pypi geographiclib 1.5 1.60564792 Not Participating
87 pypi itsdangerous 1.1.0 1.59302239 Not Participating
88 maven javax.activation:activation 1.1 1.5885238 Not Participating
89 pypi backoff 1.10.0 1.58740386 Not Participating
90 pypi wtforms-json 0.3.3 1.58512335 Not Participating
91 pypi marshmallow-enum 1.5.1 1.57600132 Not Participating
92 pypi contextlib2 0.6.0.post1 1.57372081 Not Participating
93 pypi flask-jwt-extended 3.24.1 1.57068014 Not Participating
94 maven xml-resolver:xml-resolver 1.2 1.56885744 Not Participating
95 maven org.jboss.logging:jboss-logging 3.3.2.final 1.56885744 Not Participating
96 go github.com/mitchellh/go-homedir v1.1.0 1.56535895 Not Participating
97 maven org.apache.commons:commons-lang3 3.9 1.56123414 Not Participating
98 maven org.glassfish.jaxb:jaxb-runtime 2.3.1 1.55206029 Not Participating
99 go github.com/sirupsen/logrus v1.7.0 1.54331404 Not Participating
100 nuget log4net 2.0.8 1.52811532 Not Participating
101 go github.com/modern-go/reflect2 v1.0.1 1.52050897 Not Participating
102 go github.com/hashicorp/hcl v1.0.0 1.51792597 Not Participating
103 go github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd 1.5022649 Not Participating
104 maven com.fasterxml.jackson.core:jackson-databind 2.12.2 1.48735793 Not Participating
105 pypi selenium 3.6.0 1.48711607 Not Participating
106 go gopkg.in/yaml.v2 v2.2.8 1.45893526 Not Participating
107 maven com.fasterxml.jackson.core:jackson-core 2.12.2 1.45067628 Not Participating
108 go github.com/golang/protobuf v1.4.2 1.44601238 Not Participating
109 maven javax.ws.rs:javax.ws.rs-api 2.0.1 1.44456267 Not Participating
110 go github.com/kubernetes/api v0.19.0-rc.2 1.44145136 Not Participating
111 maven javax.activation:javax.activation-api 1.2.0 1.43292359 Not Participating
112 go github.com/google/uuid v1.1.1 1.42244713 Not Participating
113 maven commons-logging:commons-logging 1.1.1 1.40006542 Not Participating
114 pypi click 7.1.2 1.39403435 Not Participating
115 maven io.springfox:springfox-swagger2 2.9.2 1.39267867 Not Participating
116 maven org.slf4j:log4j-over-slf4j 1.7.30 1.38495499 Not Participating
117 go github.com/kubernetes/apimachinery v0.15.10 1.36999545 Not Participating
118 pypi jsonschema 3.2.0 1.36842057 Not Participating
119 go github.com/stretchr/testify v0.0.0-20200605104845-f654a9112bbe 1.36619461 Not Participating
120 go github.com/kubernetes/klog v2.2.0 1.32894631 Not Participating
121 maven org.projectlombok:lombok 1.18.12 1.32368615 Not Participating
122 maven commons-io:commons-io 2.2 1.32363333 Not Participating
123 maven org.hibernate.javax.persistence:hibernate-jpa-2.1-api 1.0.0.final 1.32363333 Not Participating
124 maven net.minidev:json-smart 1.2 1.28276264 Not Participating
125 maven commons-collections:commons-collections 3.2.1 1.28081264 Not Participating
126 pypi six 1.10.0 1.27781882 Not Participating
127 pypi Werkzeug 1.0.1 1.27345396 Not Participating
128 go github.com/spf13/cobra v1.0.0 1.27041328 Not Participating
129 maven org.jacoco:org.jacoco.ant 0.8.5 1.26777749 Not Participating
130 maven org.jacoco:org.jacoco.agent 0.8.5 1.26472068 Not Participating
131 go github.com/hashicorp/golang-lru v0.5.4 1.26357176 Not Participating
132 maven com.google.code.findbugs:jsr305 1.3.9 1.25902482 Not Participating
133 pypi webencodings 0.5.1 1.23046402 Not Participating
134 go github.com/google/gofuzz v1.1.0 1.21720143 Not Participating
135 maven com.google.code.findbugs:jsr305 1.3.7 1.20102127 Not Participating
136 maven io.springfox:springfox-swagger-ui 2.9.2 1.19195182 Not Participating
137 maven org.slf4j:jul-to-slf4j 1.7.30 1.191689 Not Participating
138 maven org.objenesis:objenesis 2.6 1.18723125 Not Participating
139 maven com.fasterxml.jackson.core:jackson-annotations 2.12.2 1.18269643 Not Participating
140 maven jakarta.annotation:jakarta.annotation-api 1.3.5 1.16330322 Not Participating
141 go github.com/golang/snappy v0.0.1 1.15638789 Not Participating
142 maven org.apache.logging.log4j:log4j-to-slf4j 2.13.3 1.14754318 Not Participating
143 maven org.slf4j:jcl-over-slf4j 1.7.30 1.13857649 Not Participating
144 go github.com/json-iterator/go v0.0.0-20200608025830-a1ca0830781e 1.13054214 Not Participating
145 maven commons-codec:commons-codec 1.3 1.1192799 Not Participating
146 go github.com/mattn/go-isatty v0.0.12 1.1092574 Not Participating
147 nuget Newtonsoft.Json 12.0.3 1.1047819 Not Participating
148 maven net.minidev:accessors-smart 1.2 1.09963003 Not Participating
149 maven commons-codec:commons-codec 1.9 1.09260347 Not Participating
150 maven commons-io:commons-io 2.5 1.08738991 Not Participating
151 maven org.dom4j:dom4j 2.1.3 1.0813494 Not Participating
152 nuget Microsoft.Web.Infrastructure 1.0.0 1.07927456 Not Participating
153 pypi py 1.8.1 1.07504978 12
154 maven jakarta.validation:jakarta.validation-api 2.0.2 1.07249671 Not Participating
155 go github.com/mitchellh/go-testing-interface v1.0.0 1.06440741 Not Participating
156 pypi six 1.15.0 1.06418721 Not Participating
157 pypi gunicorn 20.0.4 1.05924462 Not Participating
158 maven org.glassfish.hk2:osgi-resource-locator 1.0.3 1.05685799 Not Participating
159 maven com.fasterxml.jackson.core:jackson-annotations 2.9.0 1.05609946 Not Participating
160 maven com.google.guava:guava 29.0-jre 1.05557118 Not Participating
161 maven org.hibernate.javax.persistence:hibernate-jpa-2.1-api 1.0.0.Final 1.05329172 Not Participating
162 pypi pyyaml 5.4.1 1.05227278 Not Participating
163 maven ch.qos.logback:logback-access 1.2.3 1.04717811 Not Participating
164 go github.com/prometheus/client_golang v1.5.1 1.04312267 Not Participating
165 maven org.apache.commons:commons-collections4 4.1 1.04017972 Not Participating
166 pypi six 1.2.0 1.03753854 Not Participating
167 maven org.lz4:lz4-java 1.7.1 1.03291302 Not Participating
168 maven commons-configuration:commons-configuration 1.8 1.02374261 Not Participating
169 maven jakarta.xml.bind:jakarta.xml.bind-api 2.3.2 1.02265542 Not Participating
170 maven commons-digester:commons-digester 2.1 1.01406273 Not Participating
171 maven com.google.errorprone:error_prone_annotations 2.4.0 1.00794912 Not Participating
172 maven org.yaml:snakeyaml 1.27 0.99775977 3
173 maven mysql:mysql-connector-java 8.0.22 0.98502309 Not Participating
174 maven org.glassfish.hk2.external:aopalliance-repackaged 2.6.1 0.98043788 Not Participating
175 maven oro:oro 2.0.8 0.97290224 Not Participating
176 maven org.aspectj:aspectjweaver 1.9.6 0.97024854 Not Participating
177 maven org.hibernate.validator:hibernate-validator 6.1.5.Final 0.96821067 Not Participating
178 go github.com/golang/protobuf v1.3.4 0.9633049 Not Participating
179 maven junit:junit 4.13 0.96102306 Not Participating
180 maven org.hdrhistogram:HdrHistogram 2.1.12 0.96056866 Not Participating
181 maven com.fasterxml.jackson.core:jackson-annotations 2.6.0 0.95579717 Not Participating
182 go github.com/golang/protobuf v1.4.3 0.94734135 Not Participating
183 maven commons-httpclient:commons-httpclient 3.1 0.94052785 Not Participating
184 maven org.apache.commons:commons-compress 1.2 0.93815209 Not Participating
185 maven org.junit.jupiter:junit-jupiter-engine 5.7.0 0.92225576 Not Participating
186 pypi python-editor 1.0.4 0.91968099 Not Participating
187 maven org.json:json 20190722 0.91267872 Not Participating
188 go github.com/gorilla/mux v1.7.4 0.91085322 Not Participating
189 maven org.skyscreamer:jsonassert 1.5.0 0.90764039 Not Participating
190 pypi python3-openid 3.1.0 0.90553204 Not Participating
191 maven com.fasterxml.jackson.core:jackson-databind 2.11.4 0.90299884 Not Participating
192 nuget System.Net.Http 4.3.4 0.90147044 Not Participating
193 maven com.vaadin.external.google:android-json 0.0.20131108.vaadin1 0.90097102 Not Participating
194 maven commons-validator:commons-validator 1.7 0.8973947 Not Participating
195 maven commons-codec:commons-codec 1.11 0.89011796 Not Participating
196 go github.com/asaskevich/govalidator v0.0.0-20170331111519-71551cef584c 0.87892611 15
197 maven com.google.inject:guice 3 0.877016 Not Participating
198 maven com.github.ben-manes.caffeine:caffeine 2.8.8 0.8709024 Not Participating
199 maven javax.ws.rs:javax.ws.rs-api 2.1.1 0.84910665 Not Participating
200 go github.com/stretchr/testify v0.0.0-20200605104845-f654a9112bbe 0.84851934 Not Participating
201 maven org.apache.commons:commons-lang3 3.1 0.84844792 Not Participating
202 maven org.javassist:javassist 3.27.0-GA 0.84593849 Not Participating
203 maven com.google.android:annotations 4.1.1.4 0.84491956 300
204 maven org.junit.jupiter:junit-jupiter-api 5.6.2 0.83476786 Not Participating
205 maven xml-apis:xml-apis 2.0.2 0.83318511 Not Participating
206 pypi appdirs 1.4.3 0.83093042 Not Participating
207 maven org.slf4j:slf4j-api 1.7.21 0.83050117 Not Participating
208 cocoapods Commander 0.9.0 0.82875494 Not Participating
209 maven org.slf4j:slf4j-api 2.0.0-alpha1 0.82499502 Not Participating
210 maven org.junit.platform:junit-platform-commons 1.7.0 0.82343376 Not Participating
211 pypi Flask-OpenID 1.2.5 0.81659223 Not Participating
212 pypi attrs 19.3.0 0.81325914 Not Participating
213 maven io.vavr:vavr 0.10.2 0.80823791 Not Participating
214 maven io.perfmark:perfmark-api 0.19.0 0.80008643 Not Participating
215 maven org.reactivestreams:reactive-streams 1.0.3 0.80008378 Not Participating
216 maven commons-cli:commons-cli 1.2 0.79960083 Not Participating
217 cocoapods Mockingjay 3.0.0-alpha.1 0.79910834 Not Participating
218 cocoapods URITemplate 3.0.0 0.79910834 Not Participating
219 cocoapods MFPageFlowView 1.0.1 0.79834817 Not Participating
220 cocoapods FormatterKit 1.9.0 0.79834817 Not Participating
221 cocoapods AnimatedGIFImageSerialization 0.2.3 0.79834817 Not Participating
222 cocoapods NSAttributedString+CCLFormat 1.2.0 0.79834817 Not Participating
223 cocoapods SVProgressHUD 2.2.5 0.797588 Not Participating
224 cocoapods CCLDefaults 1.1.3 0.797588 Not Participating
225 maven com.sun.istack:istack-commons-runtime 3.0.7 0.79702963 Not Participating
226 maven com.sun.activation:jakarta.activation 1.2.1 0.79702963 Not Participating
227 cocoapods ISO8601DateFormatter 0.8 0.79682783 Not Participating
228 cocoapods SimulatorStatusMagic 2.4.1 0.79682783 Not Participating
229 cocoapods FXKeychain 1.5.3 0.79682783 Not Participating
230 go github.com/patrickmn/go-cache v1.0.1-0.20191004192108-46f407853014 0.79530749 Not Participating
231 maven javax.validation:validation-api 1.0.0.ga 0.79231443 Not Participating
232 pypi packaging 19.2 0.79231443 Not Participating
233 pypi simplejson 3.17.0 0.79150665 Not Participating
234 maven com.sun.xml.fastinfoset:FastInfoset 1.2.15 0.78938761 Not Participating
235 maven org.jvnet.staxex:stax-ex 1.8 0.78684028 Not Participating
236 cocoapods TTTAttributedLabel 2.0.0 0.78390495 Not Participating
237 maven org.glassfish.jaxb:txw2 2.3.1 0.78276454 Not Participating
238 maven org.apache.geronimo.specs:geronimo-jta_1.1_spec 1.1.1 0.77919827 Not Participating
239 maven org.springframework.boot:spring-boot-starter-web 2.5.0 0.7786888 Not Participating
240 maven software.amazon.ion:ion-java 1.0.2 0.77560338 Not Participating
241 go github.com/go-openapi/spec v0.19.7 0.77250242 Not Participating
242 maven edu.washington.cs.types.checker:checker-framework 1.7.0 0.77206572 Not Participating
243 maven com.sun.mail:jakarta.mail 1.6.5 0.77104679 Not Participating
244 maven org.apache.commons:commons-pool2 2.6.2 0.76849945 Not Participating
245 maven io.netty:netty-transport 4.1.51.Final 0.76798998 Not Participating
246 maven io.netty:netty-buffer 4.1.51.Final 0.76798998 Not Participating
247 maven jakarta.servlet:jakarta.servlet-api 4.0.4 0.76748052 Not Participating
248 maven org.checkerframework:checker-qual 3.8.0 0.76697105 Not Participating
249 maven com.google.api.grpc:proto-google-common-protos 1.17.0 0.76646158 Not Participating
250 maven xml-apis:xml-apis 1.4.01 0.76591732 Not Participating
251 maven io.vavr:vavr-match 0.10.2 0.76289531 Not Participating
252 maven io.netty:netty-handler 4.1.51.Final 0.75780064 Not Participating
253 maven org.springframework:spring-core 5.3.3 0.75627223 Not Participating
254 maven commons-validator:commons-validator 1.6 0.75474383 Not Participating
255 maven org.slf4j:slf4j-simple 1.6.4 0.75423437 Not Participating
256 maven org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec 1.1.1.Final 0.75321543 Not Participating
257 maven io.netty:netty-codec 4.1.51.Final 0.75270596 Not Participating
258 maven org.springframework:spring-web 5.3.3 0.75168703 Not Participating
259 maven org.jboss.logging:jboss-logging 3.3.0.final 0.75144374 Not Participating
260 maven org.springframework:spring-context 5.3.3 0.75066809 Not Participating
261 maven log4j:log4j 1.2.16 0.74749 Not Participating
262 maven com.fasterxml.jackson.module:jackson-module-jaxb-annotations 2.12.2 0.74710182 Not Participating
263 maven io.netty:netty-common 4.1.51.Final 0.74710182 Not Participating
264 maven org.hibernate:hibernate-core 5.4.27.Final 0.74659235 Not Participating
265 maven io.swagger:swagger-annotations 1.6.2 0.74353555 Not Participating
266 maven org.springframework:spring-beans 5.3.3 0.74251662 Not Participating
267 maven org.springframework:spring-aop 5.3.3 0.74149768 Not Participating
268 maven javax.transaction:javax.transaction-api 1.3 0.74149768 Not Participating
269 maven org.springframework:spring-jcl 5.3.3 0.73895034 Not Participating
270 maven org.springframework:spring-expression 5.3.3 0.73844088 Not Participating
271 maven javax.annotation:javax.annotation-api 1.2 0.73752795 Not Participating
272 maven ch.qos.logback:logback-classic 1.1.7 0.736167 Not Participating
273 pypi six 1.12.0 0.73388021 Not Participating
274 maven io.netty:netty-resolver 4.1.51.Final 0.7302894 Not Participating
275 maven org.ehcache:ehcache 3.8.1 0.72977993 Not Participating
276 maven net.bytebuddy:byte-buddy 1.10.17 0.72977993 Not Participating
277 maven org.eclipse.jetty.toolchain.setuid:jetty-setuid-java 1.0.4 0.72927046 Not Participating
278 pypi parsedatetime 2.5 0.7284126 Not Participating
279 pypi Flask-Caching 1.8.0 0.72689226 Not Participating
280 pypi croniter 0.3.31 0.72537192 Not Participating
281 maven org.slf4j:slf4j-api 1.7.26 0.72465274 Not Participating
282 maven com.helger:profiler 1.1.1 0.72366632 Not Participating
283 maven com.google.guava:guava 18 0.7193071 Not Participating
284 maven commons-beanutils:commons-beanutils 1.9.3 0.71021445 Not Participating
285 pypi defusedxml 0.6.0 0.70929187 Not Participating
286 pypi humanize 0.5.1 0.70028634 Not Participating
287 pypi apispec 1.3.3 0.69572532 Not Participating
288 maven org.jboss.logging:jboss-logging 3.4.1.Final 0.69513094 Not Participating
289 go github.com/prometheus/procfs v0.1.3 0.69268464 Not Participating
290 maven com.squareup.okio:okio 2.8.0 0.69156988 Not Participating
291 maven org.apache.commons:commons-text 1.8 0.68974158 Not Participating
292 go github.com/prometheus/common v0.10.0 0.68812363 Not Participating
293 pypi six 1.14.0 0.67478718 Not Participating
294 go github.com/grpc/grpc-go v1.29.1 0.6691194 109
295 go github.com/kubernetes/apiextensions-apiserver v0.18.0-alpha.1 0.66531855 Not Participating
296 maven commons-dbcp:commons-dbcp 1.4 0.66489964 Not Participating
297 pypi isodate 0.6.0 0.66446644 Not Participating
298 maven io.micrometer:micrometer-core 1.5.5 0.66405864 Not Participating
299 maven com.google.guava:guava 19 0.65887082 Not Participating
300 go github.com/spf13/pflag v1.0.5 0.65771686 Not Participating
301 maven commons-codec:commons-codec 1.6 0.65742828 Not Participating
302 pypi prison 0.1.3 0.65467618 Not Participating
303 maven ch.qos.logback:logback-core 1.1.7 0.65414276 Not Participating
304 go golang.org/x/text v0.3.0 0.64571781 Not Participating
305 go github.com/davecgh/go-spew v1.1.1 0.64251347 Not Participating
306 maven io.reactivex:rxjava 1.2.0 0.63909474 Not Participating
307 maven javax.servlet:jstl 1.2 0.63705687 Not Participating
308 maven org.reflections:reflections 0.9.11 0.6365474 Not Participating
309 maven org.slf4j:slf4j-api 1.7.7 0.63149136 Not Participating
310 pypi appdirs 1.4.0 0.62883169 Not Participating
311 go github.com/opentracing-contrib/go-stdlib v0.9.0 0.62122873 Not Participating
312 maven commons-codec:commons-codec 1.14 0.62040461 Not Participating
313 go golang.org/x/text v0.3.2 0.61973498 Not Participating
314 maven org.apache.commons:commons-lang3 3.8.1 0.61698431 Not Participating
315 maven jakarta.activation:jakarta.activation-api 1.2.1 0.61240773 Not Participating
316 maven commons-beanutils:commons-beanutils 1.7.0 0.61057076 Not Participating
317 maven com.google.guava:guava 30.1.1-jre 0.60496042 Not Participating
318 pypi vine 1.3.0 0.60026548 Not Participating
319 maven com.netflix.archaius:archaius-core 0.4.1 0.59935628 Not Participating
320 maven com.google.j2objc:j2objc-annotations 1.1 0.59700092 Not Participating
321 maven com.google.code.gson:gson 2.8.5 0.59686823 Not Participating
322 maven org.junit.platform:junit-platform-engine 1.6.2 0.58895499 Not Participating
323 maven antlr:antlr 2.7.2 0.58796101 Not Participating
324 maven net.jodah:typetools 0.6.2 0.58254386 Not Participating
325 maven org.junit.platform:junit-platform-commons 1.6.2 0.58169993 Not Participating
326 go github.com/mattn/go-colorable v0.1.6 0.57409824 Not Participating
327 maven org.junit.jupiter:junit-jupiter-engine 5.6.2 0.57333807 Not Participating
328 go github.com/emicklei/go-restful v2.9.5+incompatible 0.57333807 Not Participating
329 packagist twig/extensions v1.5.4 0.56649655 Not Participating
330 go github.com/hashicorp/errwrap v1.0.0 0.56573638 Not Participating
331 maven org.apache.httpcomponents:httpclient 4.5.6 0.56420303 Not Participating
332 pypi colorama 0.4.3 0.5634178 Not Participating
333 pypi amqp 2.5.2 0.55661435 Not Participating
334 maven org.ow2.asm:asm 5.0.4 0.54864108 Not Participating
335 maven commons-io:commons-io 2.1 0.54709032 Not Participating
336 nuget modernizr 2.5.3 0.54709032 24
337 maven com.squareup.retrofit2:converter-gson 2.8.0 0.54709032 Not Participating
338 go github.com/pmezard/go-difflib v1.0.0 0.54120137 Not Participating
339 maven javax.cache:cache-api 1.1.0 0.53872966 Not Participating
340 go github.com/russross/blackfriday v1.5.2 0.53532961 Not Participating
341 maven org.slf4j:jcl-over-slf4j 1.7.21 0.53213953 Not Participating
342 maven commons-logging:commons-logging 1.1.3 0.52850127 Not Participating
343 go github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b 0.52772791 Not Participating
344 maven org.apache.httpcomponents:httpcore 4.4.13 0.52514073 Not Participating
345 go github.com/go-openapi/loads v0.19.5 0.51860588 Not Participating
346 go github.com/uber-go/automaxprocs v1.3.0 0.5132847 Not Participating
347 maven com.google.errorprone:error_prone_annotations 2.3.4 0.51055123 Not Participating
348 maven org.yaml:snakeyaml 1.26 0.50662578 3
349 maven com.fasterxml.jackson.core:jackson-annotations 2.8.0 0.50621964 Not Participating
350 pypi idna 2.8 0.50465134 Not Participating
351 maven com.typesafe.netty:netty-reactive-streams 2.0.4 0.50001014 Not Participating
352 pypi Jinja2 2.11.2 0.49504064 Not Participating
353 maven com.googlecode.json-simple:json-simple 1.1.1 0.49484391 Not Participating
354 pypi pycparser 2.19 0.49135386 Not Participating
355 go golang.org/x/net v0.0.0-20200706173018-ab3426394381 0.48895928 Not Participating
356 go golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 0.48829239 Not Participating
357 go github.com/fsnotify/fsnotify v1.4.9 0.48591861 Not Participating
358 maven org.latencyutils:LatencyUtils 2.0.3 0.48509075 Not Participating
359 go github.com/kubernetes/kubernetes v1.14.0-alpha.0.0.20190909192303-94a1172f3976 0.4836381 111
360 go github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 0.48135759 Not Participating
361 go github.com/go-openapi/errors v0.19.4 0.4760364 Not Participating
362 go gopkg.in/yaml.v3 v2.3.0 0.47451607 Not Participating
363 pypi pyyaml 5.3.1 0.47405836 Not Participating
364 maven org.apache.commons:commons-math3 3.6.1 0.47189337 Not Participating
365 maven ch.qos.logback:logback-classic 1.3.0-alpha5 0.4709705 Not Participating
366 go github.com/pierrec/lz4 v2.4.1+incompatible 0.46995505 Not Participating
367 maven commons-collections:commons-collections 3.1 0.46534895 Not Participating
368 maven commons-lang:commons-lang 2.1 0.46534895 Not Participating
369 maven org.apache.commons:commons-collections4 4.4 0.46486068 Not Participating
370 maven org.apache.commons:commons-exec 1.3 0.46485689 Not Participating
371 pypi selenium 3.141.0 0.46061735 Not Participating
372 maven javax.activation:activation 1.1.1 0.45923071 Not Participating
373 maven org.slf4j:slf4j-log4j12 1.7.30 0.45833779 Not Participating
374 nuget xunit 2.4.1 0.45313914 Not Participating
375 go github.com/go-openapi/swag v0.19.9 0.44943048 Not Participating
376 pypi Flask 1.1.2 0.44714997 Not Participating
377 maven com.fasterxml:classmate 1.5.1 0.44441802 Not Participating
378 maven org.codehaus.jackson:jackson-mapper-asl 1.9.13 0.43944651 Not Participating
379 pypi idna 2.1 0.43890773 Not Participating
380 nuget Owin 1.0.0 0.43174151 Not Participating
381 pypi pytz 2019.3 0.4315816 Not Participating
382 maven org.apache.httpcomponents:httpcore 4.4.9 0.42447827 Not Participating
383 maven org.checkerframework:checker-qual 2.0.0 0.42447827 Not Participating
384 maven commons-fileupload:commons-fileupload 1.4 0.41775195 Not Participating
385 go github.com/eapache/go-resiliency v1.2.0 0.41750337 Not Participating
386 go github.com/jcmturner/gofork v1.0.0 0.4144627 Not Participating
387 go gopkg.in/jcmturner/dnsutils.v1 v1.0.1 0.41370253 Not Participating
388 go gopkg.in/jcmturner/rpc.v1 v1.1.0 0.41294236 Not Participating
389 go gopkg.in/jcmturner/aescts.v1 v1.0.1 0.41218219 Not Participating
390 maven junit:junit 4.13.2 0.41136282 Not Participating
391 go github.com/go-openapi/strfmt v0.19.5 0.41066185 Not Participating
392 maven com.google.guava:guava 30.0-jre 0.41056701 Not Participating
393 go github.com/eapache/queue v1.1.0 0.40838134 Not Participating
394 pypi Flask-Login 0.4.1 0.40610083 Not Participating
395 pypi mccabe 0.6.1 0.40219524 Not Participating
396 go github.com/go-openapi/validate v0.19.8 0.39849914 Not Participating
397 go github.com/go-openapi/runtime v0.19.15 0.39773897 Not Participating
398 maven com.fasterxml.jackson.core:jackson-core 2.9.8 0.39676451 Not Participating
399 maven commons-lang:commons-lang 2.4 0.3965976 Not Participating
400 go github.com/satori/go.uuid v1.2.1-0.20181016170243-4d30718d7656 0.39545846 Not Participating
401 maven org.apache.httpcomponents:httpcore 4.4.10 0.39244788 Not Participating
402 go golang.org/x/time v0.0.0-20191023193136-555d28b269f0 0.39241779 Not Participating
403 maven com.beust:jcommander 1.72 0.38937711 Not Participating
404 maven org.junit.jupiter:junit-jupiter-params 5.7.0 0.38861694 Not Participating
405 maven net.jcip:jcip-annotations 1 0.38843678 Not Participating
406 maven org.apache.httpcomponents:httpcore 4.4.5 0.38360758 Not Participating
407 maven org.jboss.logging:jboss-logging 3.4.1.final 0.38360758 Not Participating
408 maven com.sun.xml.bind:jaxb-impl 2.3.1 0.38360758 Not Participating
409 maven com.fasterxml.jackson.core:jackson-core 2.10.0 0.3809268 Not Participating
410 pypi pytz 2020.1 0.37622229 Not Participating
411 pypi PyJWT 1.7.1 0.36885254 Not Participating
412 maven commons-io:commons-io 2.7 0.36544469 Not Participating
413 go github.com/gogo/protobuf v1.2.1 0.36353135 Not Participating
414 maven org.apache.httpcomponents:httpcore 4.4.11 0.36292728 Not Participating
415 pypi pycparser 2.2 0.36144006 Not Participating
416 nuget System.Security.Cryptography.Primitives 4.3.0 0.35837821 Not Participating
417 maven com.fasterxml.jackson.core:jackson-databind 2.10.0 0.35737461 Not Participating
418 go github.com/prometheus/client_model v0.2.0 0.35639739 Not Participating
419 maven org.jetbrains.kotlin:kotlin-stdlib 1.3.72 0.3538336 Not Participating
420 pypi pyjwt 1.7.1 0.35286269 Not Participating
421 go github.com/gocql/gocql cd4b606dd2fb 0.35136865 Not Participating
422 go github.com/go-openapi/analysis v0.19.10 0.35060848 Not Participating
423 nuget System.Security.Cryptography.Encoding 4.3.0 0.3492078 Not Participating
424 go github.com/dgrijalva/jwt-go v1.0.3-0.20200107013213-dc14462fd587 0.34680763 Not Participating
425 pypi numpy 1.18.1 0.34604746 Not Participating
426 go github.com/BurntSushi/toml 3012a1dbe2e4 0.34376695 Not Participating
427 maven org.slf4j:slf4j-api 1.5.6 0.3427369 Not Participating
428 maven com.sun.xml.bind:jaxb-impl 2.2.11 0.3427369 Not Participating
429 maven com.google.code.findbugs:jsr305 2.0.3 0.3427369 Not Participating
430 go github.com/mailru/easyjson v0.7.1 0.34148645 Not Participating
431 maven javax.servlet:javax.servlet-api 4.0.1 0.33756649 Not Participating
432 pypi six 1.11.0 0.33680229 Not Participating
433 maven com.fasterxml.jackson.core:jackson-databind 2.9.8 0.33596379 Not Participating
434 maven org.springframework:spring-web 5.3.7 0.33596164 Not Participating
435 pypi bleach 3.1.0 0.33388475 Not Participating
436 go golang.org/x/text v0.0.0-20181215175245-342b2e1fbaa5 0.33160425 Not Participating
437 maven org.slf4j:slf4j-api 1.7.12 0.33150917 Not Participating
438 maven org.checkerframework:checker-qual 2.5.2 0.330825 Not Participating
439 maven javax.persistence:javax.persistence-api 2.2 0.32632496 Not Participating
440 maven org.slf4j:slf4j-api 1.6.1 0.31933825 Not Participating
441 go github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 0.3179212 Not Participating
442 pypi jmespath 0.10.0 0.31201668 Not Participating
443 go github.com/kubernetes/apimachinery v0.16.13 0.30879917 Not Participating
444 pypi flask 1.1.2 0.306922 Not Participating
445 maven org.junit.jupiter:junit-jupiter-api 5.7.0 0.30567058 Not Participating
446 maven org.apache.httpcomponents:httpcore 4.0.1 0.30186621 Not Participating
447 maven org.jboss.logging:jboss-logging 3.2.1.final 0.30186621 Not Participating
448 maven commons-codec:commons-codec 1.2 0.30186621 Not Participating
449 maven commons-collections:commons-collections 3.2 0.30186621 Not Participating
450 maven org.codehaus.mojo:animal-sniffer-annotations 1.18 0.29646482 Not Participating
451 pypi python-dateutil 2.8.0 0.29492195 Not Participating
452 go github.com/go-kit/kit v0.10.0 0.28903477 Not Participating
453 go github.com/fsnotify/fsnotify v1.4.9 0.28523392 Not Participating
454 maven commons-io:commons-io 2.8.0 0.28207154 Not Participating
455 go github.com/hashicorp/go-uuid v1.0.1 0.28143307 Not Participating
456 pypi Markdown 3.1.1 0.27991274 Not Participating
457 maven commons-beanutils:commons-beanutils 1.9.2 0.27979894 Not Participating
458 maven javax.xml.bind:jaxb-api 2.3.0 0.27443512 Not Participating
459 maven com.thoughtworks.paranamer:paranamer 2.8 0.26788685 Not Participating
460 go github.com/smartystreets/goconvey v1.6.4 0.26546952 Not Participating
461 maven com.google.protobuf:protobuf-java 2.5.0 0.26210934 Not Participating
462 maven org.apache.httpcomponents:httpcore 4.4.1 0.26099553 Not Participating
463 go github.com/gorilla/handlers v1.4.2 0.2609085 Not Participating
464 go github.com/ipfs/bbloom v0.0.2 0.25938817 Not Participating
465 go github.com/prometheus/client_model v0.2.0 0.25558732 Not Participating
466 maven org.slf4j:slf4j-api 1.7.5 0.25508635 Not Participating
467 packagist intervention/image 2.5.1 0.25482715 Not Participating
468 maven org.slf4j:slf4j-api 1.7.16 0.25401313 Not Participating
469 maven org.codehaus.mojo:animal-sniffer-annotations 1.14 0.25367418 Not Participating
470 maven org.apache.maven.plugin-tools:maven-plugin-annotations 3.6.0 0.25330681 Not Participating
471 pypi marshmallow 2.19.5 0.25254664 Not Participating
472 go github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed 0.25026614 Not Participating
473 go github.com/hashicorp/go-hclog v0.14.0 0.24950597 Not Participating
474 maven org.projectlombok:lombok 1.18.16 0.24792673 Not Participating
475 go github.com/olivere/elastic v5.0.84 0.24494495 Not Participating
476 go github.com/hashicorp/yamux v0.0.0-20190923154419-df201c70410d 0.24494495 Not Participating
477 go github.com/bsm/sarama-cluster v2.1.13+incompatible 0.24494495 Not Participating
478 go github.com/rs/cors v1.7.0 0.24494495 Not Participating
479 maven org.jacoco:org.jacoco.core 0.8.5 0.24476698 Not Participating
480 go github.com/DataDog/zstd 8fdb57968034 0.2411441 Not Participating
481 go github.com/Shopify/sarama cd910a683f9f 0.2411441 Not Participating
482 go github.com/oklog/run v1.1.0 0.24038393 Not Participating
483 go github.com/VividCortex/gohistogram 51564d986199 0.24038393 Not Participating
484 go github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 0.24038393 Not Participating
485 maven io.github.java-diff-utils:java-diff-utils 4.8 0.24038393 Not Participating
486 go github.com/soheilhy/cmux v0.1.4 0.24038393 Not Participating
487 go github.com/grpc-ecosystem/grpc-gateway v1.14.4 0.23962377 Not Participating
488 go github.com/uber/jaeger-client-go v2.23.1+incompatible 0.2388636 Not Participating
489 go github.com/gorilla/mux v1.8.0 0.23810343 Not Participating
490 maven joda-time:joda-time 2.9.9 0.23714941 Not Participating
491 maven com.fasterxml.jackson.core:jackson-core 2.11.4 0.2366155 Not Participating
492 go github.com/gogo/googleapis v1.1.0 0.23658309 Not Participating
493 maven com.fasterxml.jackson.core:jackson-core 2.10.2 0.23513469 Not Participating
494 nuget System.Text.RegularExpressions 4.3.1 0.23152083 Not Participating
495 go gopkg.in/jcmturner/gokrb5.v7 v7.2.2 0.2312619 Not Participating
496 go github.com/googleapis/go-genproto v0.0.0-20180718234121-fedd2861243f 0.22822123 Not Participating
497 pypi six 1.9.0 0.22012484 Not Participating
498 maven joda-time:joda-time 2.1 0.22012484 Not Participating
499 maven net.minidev:json-smart 1.1 0.22012484 Not Participating
500 maven com.google.guava:guava 20 0.22005789 Not Participating
Appendix G: Top 500 npm, Indirect & Direct, Versioned Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages hosted on the npm package manager among
those reported in the private usage data contributed by SCA partners. These packages were identified as either direct or indirect
dependencies called by observed packages in use, and the list accounts for the package version. For further information on how this list was
compiled, refer to the Methods section.
PLATFORM NAME VERSION Z-SCORE COMBINED OPENSSF BADGE TIERED PERCENTAGE
1 npm inherits 2.0.3 4.73839884 Not Participating
2 npm isarray 1.0.0 4.68847512 Not Participating
3 npm inline-process-browser 2.0.1 4.66197968 Not Participating
4 npm safe-buffer 5.1.2 4.18279846 Not Participating
5 npm array-slice 0.2.3 4.04842903 Not Participating
6 npm core-util-is 1.0.2 3.76796155 Not Participating
7 npm concat-map 0.0.1 3.65798515 Not Participating
8 npm fs.realpath 1.0.0 3.6457213 Not Participating
9 npm inherits 2.0.4 3.5941186 Not Participating
10 npm foreach 2.0.5 3.58272911 Not Participating
11 npm util-deprecate 1.0.2 3.56708893 Not Participating
12 npm wrappy 1.0.2 3.46603705 Not Participating
13 npm ms 2.0.0 3.36814104 Not Participating
14 npm safer-buffer 2.1.2 3.181921 Not Participating
15 npm through2 0.6.5 3.12742391 Not Participating
16 npm inherits 2.0.2 3.11000575 Not Participating
17 npm once 1.4.0 3.10820861 Not Participating
18 npm path-is-absolute 1.0.1 3.07490211 Not Participating
19 npm escape-string-regexp 1.0.5 2.99099296 Not Participating
20 npm util-deprecate 1.0.1 2.82692072 Not Participating
21 npm object-assign 4.1.1 2.78426282 Not Participating
22 npm buffer-shims 1.0.0 2.76118101 Not Participating
23 npm minimatch 3.0.4 2.72076759 Not Participating
24 npm inflight 1.0.6 2.69413744 Not Participating
25 npm set-getter 0.1.0 2.38092844 Not Participating
26 npm debug 2.6.9 2.33870425 Not Participating
27 npm string_decoder 1.1.1 2.30371736 Not Participating
28 npm expected 0.1.0 2.28160451 Not Participating
29 npm isarray 0.0.1 2.27008528 Not Participating
30 npm wrappy 1.0.1 2.21747159 Not Participating
31 npm wrappy 1.0.0 2.21747159 Not Participating
32 npm assign-symbols 1.0.0 2.15745851 Not Participating
33 npm isobject 3.0.1 2.13215871 Not Participating
34 npm balanced-match 1.0.0 2.11569435 Not Participating
35 npm color-name 1.1.3 2.03811733 Not Participating
36 npm has-flag 3.0.0 2.00350259 Not Participating
37 npm is-fullwidth-code-point 2.0.0 1.96828311 Not Participating
38 npm iconv-lite 0.4.24 1.92900824 Not Participating
39 npm xtend 4.0.0 1.92309406 Not Participating
40 npm ansi-styles 3.2.1 1.90809625 Not Participating
41 npm is-number 3.0.0 1.90451244 Not Participating
42 npm has-flag 1.0.0 1.88338385 Not Participating
43 npm tweetnacl 0.14.5 1.87698754 Not Participating
44 npm ansi-regex 2.1.1 1.8465167 Not Participating
45 npm graceful-fs 4.1.11 1.84361871 Not Participating
46 npm asynckit 0.4.0 1.84170506 Not Participating
47 npm path-parse 1.0.6 1.81555396 Not Participating
48 npm number-is-nan 1.0.0 1.80787853 Not Participating
49 npm decode-uri-component 0.2.0 1.78982162 Not Participating
50 npm strip-ansi 3.0.1 1.77549933 Not Participating
51 npm is-typedarray 1.0.0 1.76848254 Not Participating
52 npm core-util-is 1.0.1 1.76704972 Not Participating
53 npm core-util-is 1.0.0 1.76704972 Not Participating
54 npm delayed-stream 1.0.0 1.74615983 Not Participating
55 npm is-buffer 1.1.6 1.72961742 Not Participating
56 npm number-is-nan 1.0.1 1.72723631 Not Participating
57 npm minimist 1.2.5 1.70264147 Not Participating
58 npm esmangle-evaluator 1.0.1 1.69657809 Not Participating
59 npm unreachable-branch-transform 0.5.0 1.69657809 Not Participating
60 npm esmangle-evaluator 1.0.0 1.69657809 Not Participating
61 npm unreachable-branch-transform 0.5.1 1.69657809 Not Participating
62 npm depd 1.1.2 1.67520353 Not Participating
63 npm isexe 2.0.0 1.66456456 Not Participating
64 npm path-is-absolute 1.0.0 1.65407139 Not Participating
65 npm function-bind 1.1.1 1.61117914 Not Participating
66 npm assert-plus 1.0.0 1.58575556 Not Participating
67 npm to-object-path 0.3.0 1.5855932 Not Participating
68 npm source-map 0.5.7 1.58297513 Not Participating
69 npm ee-first 1.1.1 1.57303027 Not Participating
70 npm is-stream 1.1.0 1.56684333 Not Participating
71 npm kind-of 3.2.2 1.56492726 Not Participating
72 npm is-arrayish 0.2.1 1.56484823 Not Participating
73 npm statuses 1.5.0 1.54777617 Not Participating
74 npm set-blocking 2.0.0 1.53305886 Not Participating
75 npm is-fullwidth-code-point 1.0.0 1.52885025 Not Participating
76 npm extend 3.0.2 1.51295328 Not Participating
77 npm sax 1.2.4 1.48837157 Not Participating
78 npm unpipe 1.0.0 1.45360166 Not Participating
79 npm esprima 4.0.1 1.44948343 Not Participating
80 npm on-finished 2.3.0 1.44273702 Not Participating
81 npm arr-diff 2.0.0 1.4409786 Not Participating
82 npm urix 0.1.0 1.4385254 Not Participating
83 npm lodash 4.17.21 1.43157873 Not Participating
84 npm resolve-url 0.2.1 1.41795295 Not Participating
85 npm supports-color 5.5.0 1.40829857 Not Participating
86 npm escape-html 1.0.3 1.40071604 Not Participating
87 npm is-data-descriptor 0.1.4 1.39520516 Not Participating
88 npm safe-buffer 5.1.1 1.38757009 Not Participating
89 npm json-schema 0.2.3 1.38062508 Not Participating
90 npm is-plain-object 2.0.4 1.37565895 Not Participating
91 npm is-accessor-descriptor 0.1.6 1.34713434 Not Participating
92 npm verror 1.10.0 1.33387157 Not Participating
93 npm isstream 0.1.2 1.33183377 Not Participating
94 npm punycode 2.1.1 1.31398901 Not Participating
95 npm qs 6.5.2 1.30611207 Not Participating
96 npm object-copy 0.1.0 1.30269087 Not Participating
97 npm pascalcase 0.1.1 1.30120194 Not Participating
98 npm brace-expansion 1.1.11 1.29557909 Not Participating
99 npm copy-descriptor 0.1.0 1.29220515 Not Participating
100 npm toidentifier 1.0.0 1.2875023 Not Participating
101 npm json-schema-traverse 0.4.1 1.28186734 Not Participating
102 npm ms 2.1.1 1.27890503 Not Participating
103 npm performance-now 2.1.0 1.26943702 Not Participating
104 npm inherits 2.0.1 1.26386475 Not Participating
105 npm semver 5.7.1 1.26135131 Not Participating
106 npm setprototypeof 1.1.1 1.25764102 Not Participating
107 npm map-cache 0.2.2 1.25285312 Not Participating
108 npm destroy 1.0.4 1.24734471 Not Participating
109 npm source-map 0.6.1 1.24146299 Not Participating
110 npm minimist 0.0.8 1.22592366 Not Participating
111 npm js-tokens 4.0.0 1.22513923 Not Participating
112 npm safe-regex 1.1.0 1.21813807 Not Participating
113 npm json-stringify-safe 5.0.1 1.21025018 Not Participating
114 npm os-tmpdir 1.0.2 1.20949935 Not Participating
115 npm media-typer 0.3.0 1.20442744 Not Participating
116 npm chalk 2.4.2 1.19566569 Not Participating
117 npm is-extendable 1.0.1 1.18708501 Not Participating
118 npm encodeurl 1.0.2 1.1797443 Not Participating
119 npm jsbn 0.1.1 1.17476258 Not Participating
120 npm color-convert 1.9.3 1.16623204 Not Participating
121 npm readable-stream 2.3.3 1.16454458 Not Participating
122 npm is-extendable 0.1.1 1.16261415 Not Participating
123 npm path-exists 3.0.0 1.13656852 Not Participating
124 npm tunnel-agent 0.6.0 1.13343221 Not Participating
125 npm sprintf-js 1.0.3 1.13167458 Not Participating
126 npm fresh 0.5.2 1.12526591 Not Participating
127 npm code-point-at 1.1.0 1.11950786 Not Participating
128 npm punycode 1.4.1 1.11499426 Not Participating
129 npm source-map-url 0.4.0 1.10553667 Not Participating
130 npm fast-deep-equal 3.1.3 1.09778505 Not Participating
131 npm commander 2.8.1 1.0958188 Not Participating
132 npm is-arguments 1.0.4 1.09477271 Not Participating
133 npm etag 1.8.1 1.0891214 Not Participating
134 npm arr-union 3.1.0 1.084907 Not Participating
135 npm forever-agent 0.6.1 1.08212549 Not Participating
136 npm semver 5.5.0 1.08138726 Not Participating
137 npm process-nextick-args 2.0.1 1.07049789 Not Participating
138 npm decamelize 1.2.0 1.06819124 Not Participating
139 npm repeat-string 1.6.1 1.06803381 Not Participating
140 npm xtend 4.0.1 1.06409113 Not Participating
141 npm shebang-regex 1.0.0 1.06276954 Not Participating
142 npm safe-buffer 5.2.1 1.06108154 Not Participating
143 npm extsprintf 1.3.0 1.05227598 Not Participating
144 npm tslib 1.10.0 1.05146823 Not Participating
145 npm co 4.6.0 1.02994758 Not Participating
146 npm ms 2.1.2 1.02769719 Not Participating
147 npm arr-diff 1.1.0 1.02709757 Not Participating
148 npm array-unique 0.3.2 1.02420502 Not Participating
149 npm caseless 0.12.0 1.01475792 Not Participating
150 npm vary 1.1.2 1.0108859 Not Participating
151 npm uuid 3.4.0 1.00502305 Not Participating
152 npm string-width 1.0.2 0.99859107 Not Participating
153 npm methods 1.1.2 0.99790446 Not Participating
154 npm ansi-regex 3.0.0 0.9961967 Not Participating
155 npm jsprim 1.4.1 0.99568256 Not Participating
156 npm content-type 1.0.4 0.99290352 Not Participating
157 npm mkdirp 0.5.1 0.98148918 Not Participating
158 npm dashdash 1.14.1 0.98017521 Not Participating
159 npm har-schema 2.0.0 0.97665172 Not Participating
160 npm safe-buffer 5.2.0 0.96875089 Not Participating
161 npm getpass 0.1.7 0.96582565 Not Participating
162 npm pump 3.0.0 0.96532214 Not Participating
163 npm semver 6.3.0 0.95938427 Not Participating
164 npm strip-ansi 4.0.0 0.93990886 Not Participating
165 npm has 1.0.3 0.93916748 Not Participating
166 npm punycode 1.3.2 0.93267879 Not Participating
167 npm mime 1.6.0 0.9033328 Not Participating
168 npm fragment-cache 0.2.1 0.90176792 Not Participating
169 npm is-extglob 2.1.1 0.89455498 Not Participating
170 npm shebang-command 1.2.0 0.89127798 Not Participating
171 npm static-extend 0.1.1 0.88503571 Not Participating
172 npm glob 7.1.2 0.8784218 Not Participating
173 npm is-windows 1.0.2 0.87356273 Not Participating
174 npm define-property 0.2.5 0.86239319 Not Participating
175 npm fast-json-stable-stringify 2.1.0 0.85978864 Not Participating
176 npm cookie 0.4.0 0.85379821 Not Participating
177 npm imurmurhash 0.1.4 0.85181084 Not Participating
178 npm parseurl 1.3.3 0.84995279 Not Participating
179 npm uri-js 4.2.2 0.84893261 Not Participating
180 npm utils-merge 1.0.1 0.82781221 Not Participating
181 npm bytes 3.1.0 0.81948528 Not Participating
182 npm debug 2.6.8 0.81581182 Not Participating
183 npm argparse 1.0.10 0.81158971 Not Participating
184 npm aws-sign2 0.7.0 0.80976481 Not Participating
185 npm has-ansi 2.0.0 0.80669745 Not Participating
186 npm concat-map 0.0.0 0.805056 Not Participating
187 npm signal-exit 3.0.2 0.80362706 Not Participating
188 npm cookie-signature 1.0.6 0.80049207 Not Participating
189 npm color-name 1.1.4 0.79851837 Not Participating
190 npm object.pick 1.3.0 0.7971705 Not Participating
191 npm ansi-regex 2.0.0 0.79438272 Not Participating
192 npm source-map 0.5.6 0.79431615 Not Participating
193 npm safe-buffer 5.1.0 0.78958542 Not Participating
194 npm arr-flatten 1.1.0 0.78550263 Not Participating
195 npm color-convert 2.0.1 0.7834295 Not Participating
196 npm range-parser 1.2.1 0.77145972 Not Participating
197 npm path-to-regexp 0.1.7 0.77079096 Not Participating
198 npm setimmediate 1.0.5 0.76374273 Not Participating
199 npm is-extendable 0.1.0 0.7636679 Not Participating
200 npm negotiator 0.6.2 0.76167739 Not Participating
201 npm merge-descriptors 1.0.1 0.76080224 Not Participating
202 npm is-regex 1.0.4 0.75892207 Not Participating
203 npm typedarray 0.0.6 0.75437452 Not Participating
204 npm through 2.3.8 0.74991385 Not Participating
205 npm forwarded 0.1.2 0.74945488 Not Participating
206 npm copy-descriptor 0.1.1 0.74027639 Not Participating
207 npm chalk 2.4.1 0.73828632 Not Participating
208 npm for-in 1.0.2 0.73379198 Not Participating
209 npm lodash 4.17.11 0.73318248 Not Participating
210 npm is-my-ip-valid 1.0.0 0.72899138 Not Participating
211 npm glob 7.1.6 0.72653732 Not Participating
212 npm is-data-descriptor 1.0.0 0.72316356 Not Participating
213 npm array-flatten 1.1.1 0.72143705 Not Participating
214 npm strip-json-comments 2.0.1 0.71884664 Not Participating
215 npm expand-brackets 2.1.4 0.71400525 Not Participating
216 npm buffer-from 1.1.1 0.71152567 Not Participating
217 npm loose-envify 1.4.0 0.703497 Not Participating
218 npm extend-shallow 3.0.2 0.70312161 Not Participating
219 npm is-date-object 1.0.1 0.69491948 Not Participating
220 npm is-accessor-descriptor 1.0.0 0.69255306 Not Participating
221 npm snapdragon-capture 0.2.0 0.69207767 Not Participating
222 npm http-errors 1.7.2 0.68743695 Not Participating
223 npm xtend 4.0.2 0.68510782 Not Participating
224 npm is-buffer 1.1.5 0.68477836 Not Participating
225 npm inflight 1.0.4 0.6797731 Not Participating
226 npm inflight 1.0.5 0.6797731 Not Participating
227 npm rimraf 2.6.2 0.67778826 Not Participating
228 npm http-signature 1.2.0 0.67190141 Not Participating
229 npm has-values 0.1.4 0.67116942 Not Participating
230 npm which-module 2.0.0 0.67027054 Not Participating
231 npm static-extend 0.1.2 0.66974395 Not Participating
232 npm rimraf 2.7.1 0.66108289 Not Participating
233 npm require-directory 2.1.1 0.65750059 Not Participating
234 npm ansi-styles 2.2.1 0.65296779 Not Participating
235 npm string_decoder 0.10.31 0.65246584 Not Participating
236 npm accepts 1.3.7 0.6505428 Not Participating
237 npm debug 3.1.0 0.64610225 Not Participating
238 npm debuglog 0.0.2 0.64285938 Not Participating
239 npm define-properties 1.1.2 0.64089385 Not Participating
240 npm p-finally 1.0.0 0.64064063 Not Participating
241 npm camelcase 5.3.1 0.62532259 Not Participating
242 npm define-property 1.0.0 0.6240384 Not Participating
243 npm commander 2.20.3 0.61997279 Not Participating
244 npm readable-stream 2.3.7 0.61413973 Not Participating
245 npm psl 1.8.0 0.61082918 Not Participating
246 npm string-width 2.1.1 0.60594091 Not Participating
247 npm extend-shallow 2.0.1 0.5993192 Not Participating
248 npm path-key 2.0.1 0.59534047 Not Participating
249 npm unset-value 1.0.0 0.59014373 Not Participating
250 npm delegates 1.0.0 0.58611849 Not Participating
251 npm type-is 1.6.18 0.58157861 Not Participating
252 npm define-properties 1.1.3 0.58120595 Not Participating
253 npm map-visit 1.0.0 0.57686748 Not Participating
254 npm base 0.11.2 0.57247555 Not Participating
255 npm pseudomap 1.0.2 0.57025588 Not Participating
256 npm process-nextick-args 1.0.7 0.56165678 Not Participating
257 npm os-homedir 1.0.2 0.56103427 Not Participating
258 npm split-string 3.1.0 0.55994726 Not Participating
259 npm supports-color 2.0.0 0.55919063 Not Participating
260 npm async-limiter 1.0.0 0.55767213 Not Participating
261 npm ajv 6.12.6 0.55609867 99
262 npm request 2.88.2 0.55575184 Not Participating
263 npm has-value 0.3.1 0.54915297 Not Participating
264 npm combined-stream 1.0.8 0.54166484 Not Participating
265 npm has-values 1.0.0 0.54002321 Not Participating
266 npm lru-cache 5.1.1 0.53722048 Not Participating
267 npm jsonify 0.0.0 0.52920393 Not Participating
268 npm npmlog 4.1.2 0.52259703 Not Participating
269 npm minimist 1.2.0 0.52222451 Not Participating
270 npm to-fast-properties 2.0.0 0.52006073 Not Participating
271 npm to-regex 3.0.2 0.5167619 Not Participating
272 npm once 1.3.1 0.51606371 Not Participating
273 npm once 1.3.3 0.51606371 Not Participating
274 npm once 1.3.0 0.51606371 Not Participating
275 npm once 1.3.2 0.51606371 Not Participating
276 npm strip-ansi 3.0.0 0.51049203 Not Participating
277 npm arr-union 3.0.0 0.50639051 Not Participating
278 npm to-object-path 0.2.0 0.50639051 Not Participating
279 npm mkdirp 0.5.5 0.50636433 Not Participating
280 npm cache-base 1.0.1 0.50155338 Not Participating
281 npm strip-eof 1.0.0 0.49497077 Not Participating
282 npm collection-visit 1.0.0 0.49304178 Not Participating
283 npm prelude-ls 1.1.2 0.48934698 Not Participating
284 npm isobject 2.1.0 0.48420692 Not Participating
285 npm send 0.17.1 0.48138603 Not Participating
286 npm chalk 1.1.3 0.4796968 Not Participating
287 npm define-property 2.0.2 0.47930486 Not Participating
288 npm p-locate 3.0.0 0.47272274 Not Participating
289 npm graceful-readlink 1.0.1 0.47009637 Not Participating
290 npm readable-stream 3.6.0 0.46965984 Not Participating
291 npm raw-body 2.4.0 0.46904228 Not Participating
292 npm uuid 3.3.2 0.46779559 Not Participating
293 npm is-descriptor 1.0.2 0.46242879 Not Participating
294 npm get-value 2.0.6 0.45776629 Not Participating
295 npm has-value 1.0.0 0.45605587 Not Participating
296 npm posix-character-classes 0.1.1 0.44928231 Not Participating
297 npm p-limit 2.3.0 0.43651008 Not Participating
298 npm ansi-regex 5.0.0 0.43608259 Not Participating
299 npm regex-not 1.0.2 0.43560744 Not Participating
300 npm deep-is 0.1.3 0.43420658 Not Participating
301 npm has-flag 4.0.0 0.42854851 Not Participating
302 npm snapdragon 0.8.2 0.42778677 Not Participating
303 npm content-disposition 0.5.3 0.42551099 Not Participating
304 npm is-callable 1.1.3 0.42484041 Not Participating
305 npm type-check 0.3.2 0.41938868 Not Participating
306 npm querystring 0.2.0 0.41843031 Not Participating
307 npm extglob 2.0.4 0.41742643 Not Participating
308 npm form-data 2.3.3 0.41469713 Not Participating
309 npm invariant 2.2.4 0.41096306 Not Participating
310 npm console-control-strings 1.1.0 0.41091699 Not Participating
311 npm babel-runtime 6.26.0 0.40831466 27
312 npm base64-js 1.5.1 0.40633547 Not Participating
313 npm esutils 2.0.2 0.40296852 Not Participating
314 npm tslib 1.9.3 0.40270913 Not Participating
315 npm ini 1.3.5 0.40079495 Not Participating
316 npm isobject 3.0.0 0.39478588 Not Participating
317 npm qs 6.7.0 0.39032794 Not Participating
318 npm split-string 3.0.1 0.39005638 Not Participating
319 npm split-string 3.0.2 0.39005638 Not Participating
320 npm string_decoder 1.0.3 0.38945801 Not Participating
321 npm nanomatch 1.2.9 0.38708963 Not Participating
322 npm through2 2.0.3 0.38612166 Not Participating
323 npm which 1.3.1 0.38377461 Not Participating
324 npm p-try 2.2.0 0.38144164 Not Participating
325 npm oauth-sign 0.9.0 0.38124522 Not Participating
326 npm parse-json 2.2.0 0.36914667 Not Participating
327 npm bcrypt-pbkdf 1.0.2 0.36792105 Not Participating
328 npm debug 4.1.1 0.36735369 Not Participating
329 npm object-keys 1.0.11 0.36716422 Not Participating
330 npm locate-path 3.0.0 0.35875091 Not Participating
331 npm pinkie-promise 2.0.1 0.35857383 Not Participating
332 npm rc 1.2.8 0.35790359 Not Participating
333 npm mime-db 1.40.0 0.34945185 Not Participating
334 npm safe-buffer 5.0.1 0.34922994 Not Participating
335 npm error-ex 1.3.2 0.34378517 Not Participating
336 npm asn1 0.2.4 0.34211077 Not Participating
337 npm esutils 2.0.3 0.33945336 Not Participating
338 npm object.assign 4.1.0 0.33316865 Not Participating
339 npm finalhandler 1.1.2 0.33202972 Not Participating
340 npm kind-of 5.1.0 0.33176662 Not Participating
341 npm ansi-regex 4.1.0 0.33096828 Not Participating
342 npm serve-static 1.14.1 0.31646524 Not Participating
343 npm has-unicode 2.0.1 0.31635107 Not Participating
344 npm to-regex 3.0.1 0.31511036 Not Participating
345 npm levn 0.3.0 0.31493906 Not Participating
346 npm p-try 1.0.0 0.31459134 Not Participating
347 npm oauth-sign 0.8.2 0.31409598 Not Participating
348 npm asap 2.0.6 0.3136922 Not Participating
349 npm sshpk 1.16.1 0.31302397 Not Participating
350 npm prop-types 15.7.2 0.31056611 81
351 npm nopt 4.0.1 0.30908014 Not Participating
352 npm object-visit 1.0.1 0.30241441 Not Participating
353 npm arr-diff 4.0.0 0.30167457 Not Participating
354 npm minimalistic-assert 1.0.1 0.30148808 Not Participating
355 npm mime-types 2.1.24 0.29882496 Not Participating
356 npm get-stdin 4.0.1 0.29714405 Not Participating
357 npm string_decoder 1.3.0 0.29174827 Not Participating
358 npm object-assign 4.1.0 0.28821741 Not Participating
359 npm glob 5.0.15 0.2853334 Not Participating
360 npm pify 2.3.0 0.2824221 Not Participating
361 npm has-color 0.1.7 0.28155244 Not Participating
362 npm lodash._baseslice 4.0.0 0.28155244 Not Participating
363 npm has 1.0.1 0.28027952 Not Participating
364 npm pify 3.0.0 0.2798559 Not Participating
365 npm has-symbols 1.0.0 0.2773597 Not Participating
366 npm bluebird 3.7.2 0.27724361 Not Participating
367 npm lru-cache 4.1.5 0.27093122 Not Participating
368 npm es-to-primitive 1.1.1 0.2700974 Not Participating
369 npm find-up 3.0.0 0.26921059 Not Participating
370 npm fill-range 4.0.0 0.26873334 Not Participating
371 npm set-value 2.0.1 0.26656798 Not Participating
372 npm file-uri-to-path 1.0.0 0.26497237 Not Participating
373 npm is-buffer 1.1.1 0.25843052 Not Participating
374 npm is-buffer 1.0.2 0.25843052 Not Participating
375 npm is-buffer 1.1.2 0.25843052 Not Participating
376 npm is-buffer 1.1.0 0.25843052 Not Participating
377 npm is-buffer 1.1.4 0.25843052 Not Participating
378 npm is-buffer 1.1.3 0.25843052 Not Participating
379 npm atob 2.1.2 0.25582556 Not Participating
380 npm micromatch 3.1.10 0.25553887 Not Participating
381 npm har-validator 5.1.5 0.25338138 Not Participating
382 npm encoding 0.1.12 0.25166199 Not Participating
383 npm union-value 1.0.1 0.25021311 Not Participating
384 npm kind-of 6.0.2 0.24692412 Not Participating
385 npm object-keys 1.1.1 0.24470594 Not Participating
386 npm estraverse 4.3.0 0.24457178 Not Participating
387 npm component-emitter 1.2.1 0.23826708 Not Participating
388 npm normalize-path 2.1.1 0.23678094 Not Participating
389 npm tough-cookie 2.5.0 0.23565826 Not Participating
390 npm graceful-fs 4.2.6 0.22993536 Not Participating
391 npm to-regex-range 2.1.1 0.2271962 Not Participating
392 npm lodash.identity 2.4.1 0.22338538 Not Participating
393 npm lodash._objecttypes 2.4.1 0.22338538 Not Participating
394 npm lodash.isobject 2.4.1 0.22338538 Not Participating
395 npm lodash.isplainobject 2.4.1 0.22338538 Not Participating
396 npm lodash.merge 2.4.1 0.22338538 Not Participating
397 npm lodash._isnative 2.4.1 0.22338538 Not Participating
398 npm lodash.noop 2.4.1 0.22338538 Not Participating
399 npm lodash._getarray 2.4.1 0.22338538 Not Participating
400 npm lodash._basebind 2.4.1 0.22338538 Not Participating
401 npm lodash._slice 2.4.1 0.22338538 Not Participating
402 npm lodash.bind 2.4.1 0.22338538 Not Participating
403 npm lodash._createwrapper 2.4.1 0.22338538 Not Participating
404 npm lodash._shimisplainobject 2.4.1 0.22338538 Not Participating
405 npm lodash._shimkeys 2.4.1 0.22338538 Not Participating
406 npm lodash.forin 2.4.1 0.22338538 Not Participating
407 npm lodash.forown 2.4.1 0.22338538 Not Participating
408 npm lodash._setbinddata 2.4.1 0.22338538 Not Participating
409 npm lodash._basecreatewrapper 2.4.1 0.22338538 Not Participating
410 npm sprintf 0.1.1 0.22338538 Not Participating
411 npm lodash._basemerge 2.4.1 0.22338538 Not Participating
412 npm lodash._releasearray 2.4.1 0.22338538 Not Participating
413 npm lodash._arraypool 2.4.1 0.22338538 Not Participating
414 npm lodash._basecreatecallback 2.4.1 0.22338538 Not Participating
415 npm lodash.foreach 2.4.1 0.22338538 Not Participating
416 npm lodash._maxpoolsize 2.4.1 0.22338538 Not Participating
417 npm remove-trailing-separator 1.1.0 0.22061376 Not Participating
418 npm supports-color 7.2.0 0.21869791 Not Participating
419 npm aproba 1.2.0 0.21759084 Not Participating
420 npm npm-run-path 2.0.2 0.21733509 Not Participating
421 npm base 0.11.1 0.2159235 Not Participating
422 npm falafel 1.0.1 0.2138773 Not Participating
423 npm falafel 1.2.0 0.2138773 Not Participating
424 npm private 0.1.6 0.2138773 Not Participating
425 npm private 0.1.5 0.2138773 Not Participating
426 npm private 0.1.7 0.2138773 Not Participating
427 npm falafel 1.1.0 0.2138773 Not Participating
428 npm falafel 1.1.1 0.2138773 Not Participating
429 npm strip-ansi 6.0.0 0.2137864 Not Participating
430 npm ecc-jsbn 0.1.2 0.2130166 Not Participating
431 npm ansi-styles 4.3.0 0.21044325 Not Participating
432 npm component-emitter 1.3.0 0.20758763 Not Participating
433 npm http-errors 1.7.3 0.20586503 Not Participating
434 npm debug 3.2.6 0.20569677 Not Participating
435 npm tslib 1.14.1 0.20350656 Not Participating
436 npm signal-exit 3.0.3 0.20196032 Not Participating
437 npm is-descriptor 0.1.6 0.20190978 Not Participating
438 npm fast-json-stable-stringify 2.0.0 0.20098155 Not Participating
439 npm iconv-lite 0.4.19 0.20071163 Not Participating
440 npm code-point-at 1.0.0 0.1991491 Not Participating
441 npm code-point-at 1.0.1 0.1991491 Not Participating
442 npm arr-flatten 1.0.2 0.19542044 Not Participating
443 npm arr-flatten 1.0.1 0.19542044 Not Participating
444 npm arr-flatten 1.0.3 0.19542044 Not Participating
445 npm readable-stream 2.3.6 0.19016993 Not Participating
446 npm yallist 2.1.2 0.18735784 Not Participating
447 npm parse-passwd 1.0.0 0.18535307 Not Participating
448 npm lru-cache 6.0.0 0.18255774 Not Participating
449 npm universalify 0.1.2 0.17962976 Not Participating
450 npm balanced-match 1.0.2 0.17541295 Not Participating
451 npm call-bind 1.0.2 0.17360941 Not Participating
452 npm estraverse 4.2.0 0.17176057 Not Participating
453 npm fast-levenshtein 2.0.6 0.16833933 Not Participating
454 npm pinkie 2.0.4 0.16443198 Not Participating
455 npm buffer 4.9.2 0.15938919 Not Participating
456 npm snapdragon-util 3.0.1 0.15658322 Not Participating
457 npm kind-of 4.0.0 0.15490081 Not Participating
458 npm json-parse-better-errors 1.0.2 0.15355548 Not Participating
459 npm y18n 4.0.0 0.15282261 Not Participating
460 npm glob 7.1.4 0.15234882 Not Participating
461 npm gauge 2.7.4 0.14542586 Not Participating
462 npm url 0.11.0 0.14234759 Not Participating
463 npm is-plain-object 2.0.3 0.14200742 Not Participating
464 npm json-stable-stringify 1.0.1 0.13990403 Not Participating
465 npm abbrev 1.1.1 0.13399556 Not Participating
466 npm balanced-match 0.4.1 0.12979606 Not Participating
467 npm emoji-regex 8.0.0 0.1264649 Not Participating
468 npm is-fullwidth-code-point 3.0.0 0.12521629 Not Participating
469 npm supports-color 7.1.0 0.1209862 Not Participating
470 npm posix-character-classes 0.1.0 0.11935582 Not Participating
471 npm lodash 4.17.15 0.10110239 Not Participating
472 npm node-fetch 2.6.1 0.09876249 Not Participating
473 npm body-parser 1.19.0 0.0974884 Not Participating
474 npm jsesc 2.5.2 0.09326119 Not Participating
475 npm source-map-support 0.5.19 0.09161769 Not Participating
476 npm get-intrinsic 1.1.1 0.08884302 Not Participating
477 npm express 4.17.1 0.08455628 15
478 npm mime-db 1.47.0 0.08169822 Not Participating
479 npm is-glob 3.1.0 0.07977194 Not Participating
480 npm next-tick 1.0.0 0.07621652 Not Participating
481 npm extend-shallow 3.0.1 0.07573052 Not Participating
482 npm extend-shallow 3.0.0 0.07573052 Not Participating
483 npm resumer 0.0.0 0.07237473 Not Participating
484 npm defined 1.0.0 0.07237473 Not Participating
485 npm dotignore 0.1.2 0.07237473 Not Participating
486 npm inherits 2.0.0 0.07189533 Not Participating
487 npm lodash.isplainobject 4.0.6 0.07129318 Not Participating
488 npm strip-bom 3.0.0 0.07087095 Not Participating
489 npm deep-extend 0.6.0 0.0688996 Not Participating
490 npm is-promise 2.1.0 0.06563599 Not Participating
491 npm mime-types 2.1.30 0.05728106 Not Participating
492 npm @babel/code-frame 7.0.0 0.05670427 27
493 npm braces 3.0.2 0.05503009 Not Participating
494 npm end-of-stream 1.4.4 0.05378408 Not Participating
495 npm is-absolute 0.1.7 0.04944349 Not Participating
496 npm normalize-path 3.0.0 0.04938947 Not Participating
497 npm convert-source-map 1.7.0 0.04288881 Not Participating
498 npm mime-db 1.30.0 0.04244873 Not Participating
499 npm lodash 4.17.10 0.04174476 Not Participating
500 npm process-nextick-args 2.0.0 0.03738922 Not Participating
Appendix H: Top 500 Non-npm, Indirect & Direct, Versioned Packages
Our dependency analysis identified the following 500 packages as the most used FOSS packages among those reported in the private
usage data contributed by SCA partners hosted on package managers other than npm. These packages were identified as either direct
or indirect dependencies called by observed packages in use and account for the package version. For further information on how this
list was compiled, refer to the Methods section.
1 maven logkit:logkit 1.0.1 14.3478344 Not Participating
2 bower punycode 2.1.1 12.305542 Not Participating
3 maven javax.mail:mail 1.4.3 9.57506183 Not Participating
4 bower resolve-url 0.2.1 7.1695871 Not Participating
5 maven log4j:log4j 1.2.17 5.73455934 Not Participating
6 maven com.google.guava:listenablefuture 9999.0-empty-to-avoid-conflict-with-guava 5.69115772 Not Participating
7 maven avalon-framework:avalon-framework 4.1.3 5.6359788 Not Participating
8 go golang.org/x/arch v0.0.0-20170210192150-f108ada9a904 5.60522863 Not Participating
9 go golang.org/x/net v0.0.0-20180420070421-5f9ae10d9af5 5.57138668 Not Participating
10 go golang.org/x/text v0.0.0-20180222125823-b7ef84aaf62a 5.56766994 Not Participating
11 go golang.org/x/crypto v0.0.0-20180411154250-d6449816ce06 5.56160578 Not Participating
12 go golang.org/x/tools v0.0.0-20171007194205-9bd2f442688b 5.53558856 Not Participating
13 go golang.org/x/sys v0.0.0-20180416210726-ecfd8b563e13 5.53030687 Not Participating
14 maven commons-logging:commons-logging 1.2 5.39301853 Not Participating
15 go golang.org/x/net v0.0.0-20180218171552-cbe0f9307d01 5.27639449 Not Participating
16 go golang.org/x/text v0.0.0-20180204030725-4e4a3210bb54 5.23257602 Not Participating
17 go golang.org/x/crypto v0.0.0-20180228151834-91a49db82a88 5.23061984 Not Participating
18 maven com.google.guava:failureaccess 1.0.1 5.10460688 Not Participating
PLATFORM NAME VERSION Z-SCORE COMBINED OPENSSF BADGE TIERED PERCENTAGE
19 maven org.apache.geronimo.specs:geronimo-jms_1.1_spec 1.0.1 5.0496039 Not Participating
20 maven org.apache.geronimo.specs:geronimo-jms_1.1_spec 1 5.0496039 Not Participating
21 go golang.org/x/sys v0.0.0-20180202133531-37707fdb30a5 4.94325675 Not Participating
22 go golang.org/x/tools v0.0.0-20170914201924-e531a2a1c15f 4.84564329 Not Participating
23 go golang.org/x/crypto v0.0.0-20170915013737-b0c9c05bfe14 4.61677004 Not Participating
24 go golang.org/x/text v0.0.0-20170706134635-b19bf474d317 4.61559633 Not Participating
25 maven commons-collections:commons-collections 3.2.2 4.5355392 Not Participating
26 go golang.org/x/net v0.0.0-20171003050924-a04bdaca5b32 4.5097669 Not Participating
27 go golang.org/x/sys v0.0.0-20170905232440-9aade4d3a3b7 4.4495165 Not Participating
28 maven jakarta.annotation:jakarta.annotation-api 1.3.5 4.34618801 Not Participating
29 maven org.hamcrest:hamcrest-core 1.3 4.18600226 Not Participating
30 maven com.google.code.findbugs:jsr305 3.0.2 4.0861512 Not Participating
31 maven ch.qos.logback:logback-classic 1.2.3 4.0698854 Not Participating
32 maven junit:junit 4.12 4.02703534 Not Participating
33 maven log4j:log4j 1.2.12 3.91275462 Not Participating
34 maven javax.validation:validation-api 2.0.1.Final 3.78864124 Not Participating
35 maven ch.qos.logback:logback-core 1.2.3 3.76139072 Not Participating
36 maven org.slf4j:jul-to-slf4j 1.7.30 3.68664177 Not Participating
37 maven org.latencyutils:LatencyUtils 2.0.3 3.63413253 Not Participating
38 maven commons-lang:commons-lang 2.6 3.60950634 Not Participating
39 maven aopalliance:aopalliance 1 3.38321887 Not Participating
40 maven javax.inject:javax.inject 1 3.314809 Not Participating
41 maven javax.xml:jsr173 1 3.17081088 Not Participating
42 maven avalon-framework:avalon-framework 4.1.5.src 3.17081088 Not Participating
43 maven avalon-framework:avalon-framework 4.1.5 3.17081088 Not Participating
44 maven log4j:log4j 1.2.6 3.02720887 Not Participating
45 maven antlr:antlr 2.7.7 3.02250783 Not Participating
46 go github.com/Sirupsen/logrus 0208149b40d8 3.01856962 Not Participating
47 maven org.jboss.logging:jboss-logging 3.4.1.Final 2.96682313 Not Participating
48 maven jakarta.validation:jakarta.validation-api 2.0.2 2.8951216 Not Participating
49 maven org.slf4j:slf4j-api 1.7.30 2.77498951 Not Participating
50 maven javax.activation:javax.activation-api 1.2.0 2.74061289 Not Participating
51 maven org.reactivestreams:reactive-streams 1.0.3 2.70794287 Not Participating
52 maven net.minidev:accessors-smart 1.2 2.64745482 Not Participating
53 maven net.minidev:json-smart 2.3 2.64734699 Not Participating
54 maven com.fasterxml:classmate 1.5.1 2.60497301 Not Participating
55 maven activation:activation 1.0.2 2.52460181 Not Participating
56 maven com.google.j2objc:j2objc-annotations 1.3 2.35976758 Not Participating
57 maven commons-codec:commons-codec 1.1 2.35706613 Not Participating
58 maven javax.xml.bind:jaxb-api 2.3.1 2.31266798 Not Participating
59 maven commons-logging:commons-logging 1.1.1 2.3125918 Not Participating
60 maven org.apache.httpcomponents:httpclient 4.5.13 2.31180541 Not Participating
61 nuget modernizr 2.6.2 2.28526512 24
62 maven org.slf4j:slf4j-api 1.7.25 2.24438955 Not Participating
63 maven org.glassfish:jakarta.el 3.0.3 2.17616552 Not Participating
64 maven org.ccil.cowan.tagsoup:tagsoup 0.9.7 2.16559678 Not Participating
65 maven msv:relaxngdatatype 20030807 2.16559678 Not Participating
66 maven com.ibm.icu:icu4j 2.6.1 2.16559678 88
67 maven msv:xsdlib 20030807 2.16559678 Not Participating
68 maven xom:xom 1.0b3 2.16559678 Not Participating
69 maven xpp3:xpp3 1.1.3.3 2.16559678 Not Participating
70 maven jaxen:jaxen 1.1-beta-6 2.11772944 Not Participating
71 maven jdom:jdom 1 2.11772944 Not Participating
72 maven javax.activation:activation 1.1 2.10077394 Not Participating
73 maven org.jetbrains:annotations 13 2.06424645 Not Participating
74 maven javax.annotation:javax.annotation-api 1.3.2 2.03902925 Not Participating
75 maven org.opentest4j:opentest4j 1.2.0 2.03675188 Not Participating
76 maven org.objenesis:objenesis 2.6 2.03556584 Not Participating
77 nuget modernizr 2.8.3 2.02199476 24
78 maven com.google.errorprone:error_prone_annotations 2.3.4 1.95383688 Not Participating
79 maven org.apiguardian:apiguardian-api 1.1.0 1.95071004 Not Participating
80 maven javax.servlet:javax.servlet-api 3.1.0 1.94614459 Not Participating
81 go github.com/ianlancetaylor/demangle 4883227f6637 1.83762275 Not Participating
82 pypi docutils 0.14 1.83136297 Not Participating
83 maven com.google.code.gson:gson 2.8.6 1.8281166 Not Participating
84 maven commons-io:commons-io 2.4 1.81419814 Not Participating
85 pypi MarkupSafe 1 1.81395296 Not Participating
86 maven commons-io:commons-io 2.6 1.81360683 Not Participating
87 pypi Jinja2 2.1 1.80710632 Not Participating
88 pypi nose 1.3.7 1.79458676 Not Participating
89 pypi Pygments 2.2.0 1.79282619 Not Participating
90 pypi requests 2.15.1 1.79263058 Not Participating
91 pypi PySocks 1.5.6 1.79106563 Not Participating
92 nuget System.IO 4.3.0 1.78768341 Not Participating
93 pypi pkginfo 1.4.2 1.7853927 Not Participating
94 pypi tornado 4.2.1 1.78402338 Not Participating
95 pypi twine 1.5.0 1.78402338 Not Participating
96 pypi tox 2.1.1 1.78402338 Not Participating
97 maven commons-codec:commons-codec 1.2 1.78265807 Not Participating
98 maven dom4j:dom4j 1.6.1 1.77965236 Not Participating
99 pypi click 6.7 1.77932854 Not Participating
100 pypi pytest-cov 2.5.1 1.77580741 Not Participating
101 pypi snowballstemmer 1.2.1 1.76954763 Not Participating
102 pypi Jinja2 2.9.6 1.76759145 Not Participating
103 pypi pytest 3.1.0 1.76641774 Not Participating
104 pypi gcp-devrel-py-tools 0.0.7 1.76641774 Not Participating
105 pypi Sphinx 1.6.3 1.76289662 Not Participating
106 pypi mock 1.3.0 1.76152729 Not Participating
107 pypi pluggy 0.3.1 1.75585436 Not Participating
108 pypi six 1.10.0 1.75334278 Not Participating
109 pypi setuptools 36.0.1 1.75213762 Not Participating
110 pypi py 1.4.34 1.7497902 12
111 pypi coverage 4.4.1 1.7433348 Not Participating
112 pypi virtualenv 15.1.0 1.74196547 Not Participating
113 pypi requests 2.18.4 1.74059614 Not Participating
114 pypi incremental 17.5.0 1.73296704 Not Participating
115 maven xml-apis:xml-apis 2.0.2 1.7228239 Not Participating
116 go github.com/armon/go-metrics f036747b9d0e 1.71868691 Not Participating
117 pypi retrying 1.3.3 1.71281837 Not Participating
118 pypi nose-exclude 0.4.1 1.71164466 Not Participating
119 pypi colorama 0.3.9 1.71086218 Not Participating
120 pypi alabaster 0.7.10 1.69912509 Not Participating
121 pypi sphinxcontrib-websupport 1.0.1 1.69736453 Not Participating
122 nuget System.Reflection 4.3.0 1.69463316 Not Participating
123 nuget System.Reflection.Primitives 4.3.0 1.68967335 Not Participating
124 maven commons-collections:commons-collections 3.2.1 1.68824554 Not Participating
125 pypi towncrier 17.8.0 1.68777924 Not Participating
126 pypi enum34 1.1.6 1.68269317 3
127 pypi imagesize 1.0.0 1.67819395 Not Participating
128 maven com.google.j2objc:j2objc-annotations 1.1 1.67732975 Not Participating
129 pypi Babel 2.5.3 1.6754553 Not Participating
130 nuget System.Text.Encoding 4.3.0 1.67274532 Not Participating
131 maven org.ow2.asm:asm 5.0.4 1.66390393 Not Participating
132 nuget System.Resources.ResourceManager 4.3.0 1.66142403 Not Participating
133 pypi imagesize 0.7.1 1.65687157 Not Participating
134 pypi Babel 2.4.0 1.65648033 Not Participating
135 pypi docutils 0.14rc1 1.65452415 Not Participating
136 pypi requests 2.18.1 1.65061179 Not Participating
137 nuget System.Runtime.InteropServices 4.3.0 1.63673283 Not Participating
138 pypi pytz 2018.4 1.6324193 Not Participating
139 pypi psutil 4.3.1 1.62928941 Not Participating
140 pypi toml 0.9.2 1.62772446 Not Participating
141 nuget System.Globalization 4.3.0 1.62454896 Not Participating
142 nuget System.Threading 4.3.0 1.6153841 Not Participating
143 maven commons-codec:commons-codec 1.11 1.61193023 Not Participating
144 pypi typing 3.6.1 1.61168377 Not Participating
145 pypi certifi 2018.4.16 1.61070568 Not Participating
146 nuget System.Diagnostics.Debug 4.3.0 1.60966954 Not Participating
147 nuget System.Security.Cryptography.Primitives 4.3.0 1.60427845 Not Participating
148 nuget System.Collections 4.3.0 1.59619181 Not Participating
149 pypi typing 3.6.4 1.58899207 Not Participating
150 pypi Sphinx 1.7.4 1.58116734 Not Participating
151 pypi coverage 3.7.1 1.57569003 Not Participating
152 pypi wheel 0.24.0 1.57373385 Not Participating
153 maven jakarta.activation:jakarta.activation-api 1.2.1 1.57290229 Not Participating
154 nuget System.Runtime.Handles 4.3.0 1.56492348 Not Participating
155 nuget System.Security.Cryptography.Encoding 4.3.0 1.55640555 Not Participating
156 nuget System.IO.FileSystem.Primitives 4.3.0 1.53171435 Not Participating
157 go github.com/google/pprof dec22b42d9ee 1.52893729 Not Participating
158 pypi flake8 3.5.0 1.52189504 Not Participating
159 nuget System.Linq 4.3.0 1.51478632 Not Participating
160 nuget System.IO.FileSystem 4.3.0 1.51155166 Not Participating
161 maven com.jayway.jsonpath:json-path 2.4.0 1.50540582 Not Participating
162 maven javax.validation:validation-api 1.1.0.Final 1.50076948 Not Participating
163 pypi ndg-httpsclient 0.5.0 1.48335826 Not Participating
164 maven javax.validation:validation-api 1.1.0.final 1.47152037 Not Participating
165 maven org.aspectj:aspectjweaver 1.9.6 1.4633553 Not Participating
166 maven org.springframework:spring-beans 5.3.7 1.46163015 Not Participating
167 nuget System.Text.Encoding.Extensions 4.3.0 1.45623906 Not Participating
168 maven software.amazon.ion:ion-java 1.0.2 1.45414826 Not Participating
169 nuget System.Xml.ReaderWriter 4.3.0 1.44448647 Not Participating
170 nuget System.Security.Cryptography.X509Certificates 4.3.0 1.43877192 Not Participating
171 nuget System.Security.Cryptography.Algorithms 4.3.0 1.42928359 Not Participating
172 nuget System.Diagnostics.Tracing 4.3.0 1.41569804 Not Participating
173 maven jakarta.xml.bind:jakarta.xml.bind-api 2.3.2 1.40588625 Not Participating
174 nuget System.Collections.Concurrent 4.3.0 1.40491586 Not Participating
175 nuget System.Runtime.InteropServices.RuntimeInformation 4.3.0 1.39262417 Not Participating
176 nuget System.Runtime.Numerics 4.3.0 1.38680179 Not Participating
177 nuget System.Linq.Expressions 4.3.0 1.30313203 Not Participating
178 nuget System.Diagnostics.Tools 4.3.0 1.29288896 Not Participating
179 pypi wheel 0.30.0 1.28852256 Not Participating
180 nuget System.Reflection.Extensions 4.3.0 1.27272627 Not Participating
181 pypi tox 2.9.1 1.26974322 Not Participating
182 nuget Microsoft.Win32.Primitives 4.3.0 1.26021894 Not Participating
183 pypi certifi 2017.7.27.1 1.25996231 Not Participating
184 nuget System.Xml.XDocument 4.3.0 1.25978765 Not Participating
185 pypi pluggy 0.6.0 1.25820175 Not Participating
186 pypi pyOpenSSL 17.5.0 1.2501814 Not Participating
187 nuget System.Globalization.Calendars 4.3.0 1.24728032 Not Participating
188 maven jakarta.xml.bind:jakarta.xml.bind-api 2.3.3 1.24285962 Not Participating
189 pypi smmap2 2.0.3 1.24235668 Not Participating
190 pypi pyasn1 0.4.2 1.24216106 Not Participating
191 maven org.springframework:spring-context 5.3.7 1.23358694 Not Participating
192 pypi gitdb 0.6.4 1.23140206 Not Participating
193 pypi six 1.16.0 1.22884278 Not Participating
194 go google.golang.org/protobuf v1.25.0 1.22884278 Not Participating
195 pypi pytest 3.1.2 1.22788093 Not Participating
196 maven commons-codec:commons-codec 1.9 1.22343839 Not Participating
197 pypi six 1.11.0 1.21163252 Not Participating
198 pypi chardet 3.0.4 1.20863752 Not Participating
199 maven org.springframework:spring-expression 5.3.7 1.20835663 Not Participating
200 nuget System.IO.Compression 4.3.0 1.2077097 Not Participating
201 pypi pkginfo 1.4.1 1.19971192 Not Participating
202 pypi setuptools 39.0.1 1.18690276 Not Participating
203 pypi appdirs 1.4.3 1.18431635 Not Participating
204 maven org.yaml:snakeyaml 1.27 1.18291067 3
205 maven commons-logging:commons-logging 1.1.3 1.1801646 Not Participating
206 maven com.google.code.findbugs:jsr305 1.3.9 1.17949542 Not Participating
207 pypi Pympler 0.5 1.17330346 Not Participating
208 pypi setuptools 36.5.0 1.16567436 Not Participating
209 pypi invoke 0.21.0 1.15628468 Not Participating
210 maven org.codehaus.jackson:jackson-mapper-asl 1.9.13 1.14776075 Not Participating
211 pypi pluggy 0.5.2 1.14728625 Not Participating
212 pypi GitPython 2.1.5 1.14493883 Not Participating
213 pypi unittest2 1.1.0 1.14317827 Not Participating
214 nuget System.Reflection.Emit.Lightweight 4.3.0 1.14226184 Not Participating
215 pypi tox 2.9.0rc1 1.14024399 Not Participating
216 nuget System.Reflection.Emit 4.3.0 1.13794896 Not Participating
217 maven org.bouncycastle:bcprov-jdk15on 1.64 1.11735499 Not Participating
218 maven commons-logging:commons-logging 1.0.3 1.11730207 Not Participating
219 pypi webencodings 0.5.1 1.08858167 Not Participating
220 maven org.hdrhistogram:HdrHistogram 2.1.12 1.08500844 Not Participating
221 maven org.bouncycastle:bcpkix-jdk15on 1.64 1.08263636 Not Participating
222 maven org.apache.logging.log4j:log4j-api 2.12.1 1.07756873 Not Participating
223 nuget System.ObjectModel 4.3.0 1.07746091 Not Participating
224 maven com.fasterxml.jackson.core:jackson-annotations 2.12.3 1.06549268 Not Participating
225 maven org.springframework:spring-aop 5.3.7 1.06527704 Not Participating
226 maven com.fasterxml.jackson.core:jackson-core 2.12.3 1.06031724 Not Participating
227 maven com.vaadin.external.google:android-json 0.0.20131108.vaadin1 1.04619257 Not Participating
228 maven commons-httpclient:commons-httpclient 3.1 1.04619179 Not Participating
229 pypi Babel 2.6.0 1.03245838 Not Participating
230 pypi certifi 2017.4.17 1.0305022 Not Participating
231 pypi gitdb2 2.0.2 1.02424242 Not Participating
232 maven org.apache.httpcomponents:httpcore 4.4.13 1.0220553 Not Participating
233 maven org.apache.commons:commons-lang3 3.9 1.01890066 Not Participating
234 maven org.jboss.logging:jboss-logging 3.3.2.Final 1.01589463 Not Participating
235 pypi setuptools 39.2.0 1.00957106 Not Participating
236 maven com.fasterxml.jackson.core:jackson-databind 2.12.3 1.00877839 Not Participating
237 maven org.apache.logging.log4j:log4j-api 2.13.3 1.00770017 Not Participating
238 nuget System.Net.Sockets 4.3.0 1.0068376 Not Participating
239 maven org.codehaus.jackson:jackson-core-asl 1.9.13 1.00263255 Not Participating
240 pypi alabaster 0.7.12 0.99685588 Not Participating
241 pypi attrs 17.4.0 0.99587779 Not Participating
242 maven jakarta.activation:jakarta.activation-api 1.2.2 0.99422244 Not Participating
243 nuget System.Console 4.3.0 0.99195818 Not Participating
244 maven org.hdrhistogram:HdrHistogram 2.1.11 0.98624363 Not Participating
245 nuget System.Threading.Timer 4.3.0 0.97912739 Not Participating
246 maven xml-apis:xml-apis 1.4.01 0.96003518 Not Participating
247 nuget System.AppContext 4.3.0 0.95626915 Not Participating
248 pypi certifi 2020.12.5 0.95616133 Not Participating
249 maven org.springframework.security:spring-security-rsa 1.0.9.RELEASE 0.95098588 Not Participating
250 maven javax.validation:validation-api 2.0.1.final 0.94497965 Not Participating
251 maven org.yaml:snakeyaml 1.26 0.94397746 3
252 pypi requests 2.19.1 0.94208279 Not Participating
253 maven org.apache.commons:commons-lang3 3.4 0.93717973 Not Participating
254 pypi singledispatch 3.4.0.3 0.93621425 Not Participating
255 pypi backports_abc 0.5 0.93112817 Not Participating
256 maven org.apache.logging.log4j:log4j-to-slf4j 2.12.1 0.92413824 Not Participating
257 maven org.skyscreamer:jsonassert 1.5.0 0.91637507 Not Participating
258 pypi setuptools 40.4.3 0.91254445 Not Participating
259 pypi pluggy 0.8.0 0.90804523 Not Participating
260 pypi Sphinx 1.7.5 0.90158983 Not Participating
261 pypi setuptools 40.2.0 0.89982927 Not Participating
262 pypi futures 3.2.0 0.89533005 Not Participating
263 nuget NETStandard.Library 1.6.1 0.89200733 Not Participating
264 pypi python-dateutil 2.8.1 0.88963525 Not Participating
265 pypi idna 2.6 0.88808688 Not Participating
266 pypi attrs 18.2.0 0.88378858 Not Participating
267 nuget System.IO.Compression.ZipFile 4.3.0 0.88176426 Not Participating
268 maven commons-cli:commons-cli 1.2 0.88039345 Not Participating
269 maven org.springframework.plugin:spring-plugin-core 1.2.0.RELEASE 0.87993129 Not Participating
270 pypi toml 0.9.4 0.87772442 Not Participating
271 pypi attrs 18.1.0 0.87694194 Not Participating
272 maven commons-codec:commons-codec 1.1 0.87432455 Not Participating
273 pypi gcp-devrel-py-tools 0.0.15 0.87029093 Not Participating
274 pypi towncrier 18.6.0 0.86696542 Not Participating
275 pypi more-itertools 4.3.0 0.86540047 Not Participating
276 pypi GitPython 2.1.11 0.86422676 Not Participating
277 maven stax:stax-api 1 0.86121181 Not Participating
278 maven xerces:xmlparserapis 2.6.2 0.86121181 Not Participating
279 maven xerces:xmlparserapis 2.6.1 0.86121181 Not Participating
280 maven jaxme:jaxme-api 0.3.1 0.86121181 Not Participating
281 maven pull-parser:pull-parser 2.1.10 0.86121181 Not Participating
282 maven jaxme:jaxme-api 0.3 0.86121181 Not Participating
283 maven pull-parser:pull-parser 2 0.86121181 Not Participating
284 pypi fixtures 3.0.0 0.85659765 Not Participating
285 pypi testscenarios 0.5.0 0.85503271 Not Participating
286 pypi testresources 2.0.1 0.85464147 Not Participating
287 pypi invoke 1.2.0 0.85327214 Not Participating
288 pypi testrepository 0.0.20 0.85092473 Not Participating
289 pypi atomicwrites 1.2.1 0.85092473 Not Participating
290 maven org.jboss.logging:jboss-logging 3.3.2.final 0.84924498 Not Participating
291 maven org.codehaus.mojo:animal-sniffer-annotations 1.17 0.84433153 Not Participating
292 maven dk.brics.automaton:automaton 1.11-8 0.84089978 Not Participating
293 maven stax:stax-api 1.0.1 0.83962668 Not Participating
294 pypi pylint 2.0.0.dev2 0.83742707 Not Participating
295 pypi coverage 4.5.1 0.82138638 Not Participating
296 maven net.jcip:jcip-annotations 1 0.82019798 Not Participating
297 go github.com/Sirupsen/logrus 4b6ea7319e21 0.81766964 Not Participating
298 maven com.github.stephenc.jcip:jcip-annotations 1.0-1 0.81728679 Not Participating
299 pypi testtools 2.3.0 0.81708278 Not Participating
300 maven com.fasterxml.jackson.core:jackson-annotations 2.9.0 0.81081252 Not Participating
301 maven commons-io:commons-io 2.5 0.80948561 Not Participating
302 pypi hacking 0.12.0 0.80886682 Not Participating
303 pypi PyYAML 3.12 0.80691064 Not Participating
304 pypi packaging 16.8 0.80232903 Not Participating
305 pypi mock 2.0.0 0.80182457 Not Participating
306 pypi selenium 3.6.0 0.80137764 Not Participating
307 pypi zope.interface 4.5.0 0.79047871 Not Participating
308 nuget System.Xml.XmlDocument 4.3.0 0.78612628 Not Participating
309 pypi pyflakes 1.6.0 0.78480579 Not Participating
310 maven org.springframework.plugin:spring-plugin-metadata 1.2.0.RELEASE 0.77254073 Not Participating
311 maven com.google.guava:guava 18 0.77054524 Not Participating
312 pypi jsonschema 2.6.0 0.75898419 Not Participating
313 maven org.slf4j:jul-to-slf4j 1.7.25 0.75690656 Not Participating
314 pypi Sphinx 2.0.1 0.75389812 Not Participating
315 maven org.apache.logging.log4j:log4j-to-slf4j 2.13.3 0.75356408 Not Participating
316 pypi extras 1.0.0 0.74900766 Not Participating
317 maven javax.annotation:javax.annotation-api 1.2 0.74580707 Not Participating
318 maven org.springframework:spring-web 5.3.7 0.74472269 Not Participating
319 pypi pycodestyle 2.3.1 0.74411721 Not Participating
320 maven org.dom4j:dom4j 2.1.3 0.74051764 Not Participating
321 maven oro:oro 2.0.8 0.73679144 Not Participating
322 pypi tornado 5.1.1 0.73551001 Not Participating
323 pypi packaging 17.1 0.72833723 Not Participating
324 pypi ddt 1.2.0 0.7278809 Not Participating
325 maven commons-beanutils:commons-beanutils 1.9.4 0.72271961 Not Participating
326 pypi pytest 3.5.1 0.7192737 Not Participating
327 pypi PySocks 1.6.8 0.71829561 Not Participating
328 pypi setuptools 39.1.0 0.70792785 Not Participating
329 pypi idna 2.5 0.70710809 Not Participating
330 maven com.google.code.findbugs:jsr305 1.3.7 0.70564296 Not Participating
331 maven org.hibernate.javax.persistence:hibernate-jpa-2.1-api 1.0.0.final 0.70564296 Not Participating
332 maven org.checkerframework:checker-qual 2.5.2 0.70475615 Not Participating
333 pypi Pallets-Sphinx-Themes 1.1.4 0.70362425 Not Participating
334 pypi pytz 2017.2 0.70166807 Not Participating
335 pypi pytest-timeout 1.3.1 0.70166807 Not Participating
336 pypi imagesize 1.1.0 0.70088559 Not Participating
337 pypi backports.ssl_match_hostname 3.5.0.1 0.68640985 3
338 maven xmlpull:xmlpull 1.1.3.1 0.68553744 Not Participating
339 maven net.minidev:json-smart 1.2 0.68170929 Not Participating
340 pypi pbr 3.1.1 0.67389029 Not Participating
341 pypi atomicwrites 1.1.5 0.67252096 Not Participating
342 maven jakarta.transaction:jakarta.transaction-api 1.3.3 0.6692474 Not Participating
343 pypi hypothesis 3.56.5 0.66841298 Not Participating
344 pypi six 1.2.0 0.66639175 Not Participating
345 pypi urllib3 1.22 0.66188834 Not Participating
346 maven org.apache.commons:commons-collections4 4.1 0.6563205 Not Participating
347 pypi python-subunit 1.2.0 0.65589342 Not Participating
348 pypi oslosphinx 4.15.1 0.65471971 Not Participating
349 pypi py 1.5.2 0.64963363 12
350 maven org.hamcrest:hamcrest 2.1 0.64908471 Not Participating
351 maven javax.mail:mail 1.4.1 0.64780326 Not Participating
352 maven org.codehaus.mojo:animal-sniffer-annotations 1.14 0.64537937 Not Participating
353 pypi invoke 0.22.0 0.64122205 Not Participating
354 maven com.fasterxml.jackson.core:jackson-core 2.6.7 0.63384196 Not Participating
355 nuget System.Collections.NonGeneric 4.3.0 0.63118629 Not Participating
356 pypi coverage 5.0a1 0.62948496 Not Participating
357 maven org.hamcrest:hamcrest-library 1.3 0.62902985 Not Participating
358 pypi Jinja2 2.10.1 0.62889811 Not Participating
359 pypi GitPython 2.1.8 0.62009529 Not Participating
360 pypi pyparsing 2.2.0 0.61967586 Not Participating
361 pypi sphinxcontrib-websupport 1.1.0 0.6169654 Not Participating
362 pypi pytz 2017.3 0.6169654 Not Participating
363 pypi setuptools 40.1.0 0.60953191 Not Participating
364 pypi idna 2.1 0.60859575 Not Participating
365 pypi pyOpenSSL 17.3.0 0.60796697 Not Participating
366 maven com.google.errorprone:error_prone_annotations 2.2.0 0.60142746 Not Participating
367 pypi urllib3 1.21.1 0.59831244 Not Participating
368 maven org.springframework:spring-tx 5.3.7 0.59366428 Not Participating
369 pypi ndg-httpsclient 0.4.3 0.59133942 Not Participating
370 maven org.checkerframework:checker-qual 3.5.0 0.58773408 Not Participating
371 maven commons-codec:commons-codec 1.3 0.58597462 Not Participating
372 pypi setuptools 36.2.0 0.58351469 Not Participating
373 nuget System.Collections.Specialized 4.3.0 0.58018655 Not Participating
374 pypi setuptools 36.6.0 0.57705929 Not Participating
375 nuget System.Net.Http 4.3.0 0.5750111 Not Participating
376 pypi pyasn1 0.3.5 0.5727557 Not Participating
377 pypi coverage 4.5.3 0.56864771 Not Participating
378 pypi Pillow 5.1.0 0.56317041 Not Participating
379 maven javax.persistence:javax.persistence-api 2.2 0.55980822 Not Participating
380 pypi execnet 1.5.0 0.55827995 Not Participating
381 nuget System.Threading.Tasks 4.3.0 0.55826425 Not Participating
382 maven javax.activation:activation 1.1.1 0.55282961 Not Participating
383 maven com.fasterxml:classmate 1.3.4 0.53694999 Not Participating
384 maven commons-codec:commons-codec 1.6 0.51523284 Not Participating
385 maven org.hibernate.javax.persistence:hibernate-jpa-2.1-api 1.0.0.Final 0.50891631 Not Participating
386 pypi cryptography 2.0.3 0.50624552 Not Participating
387 pypi sphinx_rtd_theme 0.2.5b1 0.50565866 Not Participating
388 pypi pytest 3.3.2 0.50487619 Not Participating
389 nuget System.Runtime.Extensions 4.3.0 0.50147292 Not Participating
390 maven org.apache.commons:commons-lang3 3.8.1 0.49179688 Not Participating
391 pypi urllib3 1.26.4 0.48950838 Not Participating
392 pypi coverage 4.4.2 0.48844427 Not Participating
393 pypi py 1.7.0 0.48707494 12
394 maven commons-logging:commons-logging 1.0.4 0.48121547 Not Participating
395 nuget System.Runtime 4.3.0 0.48033826 Not Participating
396 maven org.xerial.snappy:snappy-java 1.1.7.3 0.47937313 Not Participating
397 pypi openstackdocstheme 1.17.0 0.47846774 Not Participating
398 pypi flake8-pyi 17.3.0 0.47533785 Not Participating
399 pypi pytest-xdist 1.22.0 0.47533785 Not Participating
400 pypi reno 2.5.0 0.47494661 Not Participating
401 maven commons-lang:commons-lang 2.4 0.47457844 Not Participating
402 pypi flake8-bugbear 17.12.0 0.47455538 Not Participating
403 maven org.slf4j:jcl-over-slf4j 1.7.30 0.47452114 Not Participating
404 maven org.springframework:spring-jcl 5.3.7 0.47247253 Not Participating
405 maven commons-beanutils:commons-beanutils 1.9.3 0.46634675 Not Participating
406 pypi Sphinx 1.6.5 0.46418761 Not Participating
407 maven commons-codec:commons-codec 1.13 0.46330767 Not Participating
408 maven com.fasterxml.jackson.dataformat:jackson-dataformat-cbor 2.6.7 0.45967848 Not Participating
409 maven xalan:xalan 2.6.0 0.45832838 Not Participating
410 maven org.springframework:spring-core 5.3.7 0.45737747 Not Participating
411 pypi pytest 3.3.1 0.45421109 Not Participating
412 maven org.apache.httpcomponents:httpcore 4.4.4 0.45345092 Not Participating
413 pypi gitdb2 2.0.3 0.45264614 Not Participating
414 nuget System.Dynamic.Runtime 4.3.0 0.44724222 Not Participating
415 maven org.apache.commons:commons-compress 1.19 0.44228241 Not Participating
416 pypi idna 2.7 0.43524668 Not Participating
417 pypi requests 2.25.1 0.43354884 Not Participating
418 pypi cffi 1.10.0 0.43132376 Not Participating
419 nuget System.ComponentModel 4.3.0 0.42858904 Not Participating
420 pypi six 1.12.0 0.42840716 Not Participating
421 pypi ipaddress 1.0.18 0.4274114 Not Participating
422 maven xerces:xercesimpl 2.6.0 0.42641682 Not Participating
423 maven xerces:xercesimpl 2.2.1 0.42641682 Not Participating
424 maven xerces:xercesimpl 2.6.2 0.42641682 Not Participating
425 maven com.google.guava:guava 20 0.42322497 Not Participating
426 pypi functools32 3.2.3-2 0.42291218 Not Participating
427 pypi asn1crypto 0.22.0 0.42271656 Not Participating
428 nuget runtime.native.System 4.3.0 0.4191316 Not Participating
429 maven xml-apis:xml-apis 1.0.b2 0.41157395 Not Participating
430 maven xalan:xalan 2.5.d1 0.41046105 Not Participating
431 maven xalan:xalan 2.5.0 0.41046105 Not Participating
432 nuget System.Globalization.Extensions 4.3.0 0.40841334 Not Participating
433 maven com.sun.activation:jakarta.activation 1.2.2 0.40702467 Not Participating
434 pypi zope.interface 4.4.3 0.40393722 Not Participating
435 pypi py 1.6.0 0.4015898 12
436 pypi chardet 4.0.0 0.40098664 Not Participating
437 maven javax.servlet:servlet-api 2.5 0.39645813 Not Participating
438 maven org.glassfish.hk2:osgi-resource-locator 1.0.3 0.39505644 Not Participating
439 maven javax.validation:validation-api 1.0.0.ga 0.39450527 Not Participating
440 pypi packaging 19.2 0.39450527 Not Participating
441 pypi invoke 1.1.1 0.39122204 Not Participating
442 maven org.springframework:spring-webmvc 5.3.7 0.39052793 Not Participating
443 maven org.slf4j:jcl-over-slf4j 1.7.25 0.38233346 Not Participating
444 maven org.hdrhistogram:HdrHistogram 2.1.9 0.37812841 Not Participating
445 maven org.apache.httpcomponents:httpcore 4.4.14 0.37381554 Not Participating
446 nuget System.Net.Primitives 4.3.0 0.37271898 Not Participating
447 maven org.jboss.logging:jboss-logging 3.3.0.final 0.3705716 Not Participating
448 nuget System.Runtime.Serialization.Primitives 4.3.0 0.36939484 Not Participating
449 maven com.thoughtworks.paranamer:paranamer 2.8 0.36465068 Not Participating
450 pypi invoke 0.22.1 0.3552283 Not Participating
451 nuget System.ComponentModel.Primitives 4.3.0 0.35354503 Not Participating
452 maven javax.annotation:jsr250-api 1 0.35214335 Not Participating
453 maven commons-io:commons-io 1.3.2 0.34663793 Not Participating
454 pypi py 1.5.3 0.34251311 12
455 pypi more-itertools 4.1.0 0.3380139 Not Participating
456 pypi tox 3.0.0 0.33762266 Not Participating
457 pypi MarkupSafe 1.1.1 0.33530572 Not Participating
458 maven com.google.guava:guava 30.1-jre 0.33284324 Not Participating
459 maven org.jboss:jandex 2.1.3.Final 0.33198066 Not Participating
460 maven javax.xml.stream:stax-api 1.0-2 0.33097257 Not Participating
461 maven commons-beanutils:commons-beanutils 1.7.0 0.32670912 Not Participating
462 nuget System.Reflection.Emit.ILGeneration 4.3.0 0.32593589 Not Participating
463 maven joda-time:joda-time 2.8.1 0.3243012 Not Participating
464 nuget System.ComponentModel.TypeConverter 4.3.0 0.32357056 Not Participating
465 pypi six 1.14.0 0.32270426 Not Participating
466 maven xml-resolver:xml-resolver 1.2 0.3136185 Not Participating
467 nuget System.Text.RegularExpressions 4.3.0 0.31325834 Not Participating
468 pypi ddt 1.1.1 0.30925803 Not Participating
469 maven log4j:log4j 1.2.15 0.29877059 Not Participating
470 maven com.sun.jdmk:jmxtools 1.2.1 0.29877059 Not Participating
471 maven com.sun.jmx:jmxri 1.2.1 0.29877059 Not Participating
472 pypi appdirs 1.4.0 0.29877059 Not Participating
473 maven org.slf4j:slf4j-api 1.7.26 0.29675967 Not Participating
474 maven jakarta.persistence:jakarta.persistence-api 2.2.3 0.29672292 Not Participating
475 maven junit:junit 4.13.1 0.28755806 Not Participating
476 nuget System.Security.Cryptography.OpenSsl 4.3.0 0.28652074 Not Participating
477 nuget runtime.native.System.Net.Http 4.3.0 0.28535783 Not Participating
478 pypi urllib3 1.23 0.2780855 Not Participating
479 nuget runtime.native.System.Security.Cryptography.Apple 4.3.0 0.27737902 Not Participating
480 maven antlr:antlr 2.7.2 0.27483692 Not Participating
481 maven javax.servlet:javax.servlet-api 3.0.1 0.27483692 Not Participating
482 nuget System.Security.Cryptography.Csp 4.3.0 0.27419827 Not Participating
483 nuget Microsoft.NETCore.Targets 1.1.0 0.26736766 Not Participating
484 maven org.yaml:snakeyaml 1.17 0.26707191 3
485 nuget runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple 4.3.0 0.26681564 Not Participating
486 pypi six 1.15.0 0.26317039 Not Participating
487 maven joda-time:joda-time 2.9.9 0.25966618 Not Participating
488 nuget modernizr 2.5.3 0.25090325 24
489 maven commons-io:commons-io 2.1 0.25090325 Not Participating
490 maven com.squareup.retrofit2:converter-gson 2.8.0 0.25090325 Not Participating
491 pypi GitPython 2.1.9 0.24626898 Not Participating
492 maven org.apache.commons:commons-math3 3.6.1 0.2416088 Not Participating
493 go golang.org/x/crypto v0.0.0-20180321233819-88942b9c40a4 0.24137852 Not Participating
494 maven org.apache.httpcomponents:httpcore 4.4.10 0.24090657 Not Participating
495 maven io.swagger:swagger-models 1.5.20 0.24011645 Not Participating
496 pypi pytest 3.8.2 0.23863987 Not Participating
497 pypi pytest-forked 0.2 0.23609683 Not Participating
498 maven javax.servlet:javax.servlet-api 4.0.1 0.22782151 Not Participating
499 maven xpp3:xpp3_min 1.1.4c 0.22728565 Not Participating
500 maven com.google.guava:guava 14.0.1 0.22696958 Not Participating
Linux Foundation Research explores the growing scale of open source collaboration, providing insight
into emerging technology trends, best practices, and the global impact of open source projects.
Copyright © 2022 The Linux Foundation
This report is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License.