Open Source Updates Have 75% Chance of Breaking Apps

submitted by
Style Pass
2024-09-24 06:00:01

Nearly all (95%) version upgrades of open source software contain at least one breaking change that causes other components to fail, with patches having a 75% chance of causing a break, according to Endor Labs.

The security vendor revealed the findings in its third annual Dependency Management Report, which is based on Endor Labs vulnerability and customer data, information in the Open Source Vulnerabilities (OSV) database and Java ARchives (JARs) related to the top 15 open source dependencies.

The challenge of breaking changes is compounded by the fact that a quarter (24%) of vulnerable components require a major version update, according to the findings.

“Whole program call graphs and the analysis of type hierarchies can clarify whether breaking changes of library updates actually matter in a specific application context,” the report noted.
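The idea in that quote, reduced to code as an added example (not from Endor Labs or its report): a whole-program call graph is walked from the application's entry points, and only the library's breaking changes that are reachable from them are reported. The call graph, the API diff between library versions and the version strings are all constructed sample data.

```python
from collections import deque

# Constructed call graph: caller -> callees, app code and library code together.
CALL_GRAPH = {
    "app.main": {"app.handle_request", "app.report"},
    "app.handle_request": {"lib.parse", "lib.validate"},
    "app.report": {"lib.format_legacy"},  # reached only through app.main
    "lib.parse": {"lib.tokenize"},
    "lib.validate": set(),
    "lib.format_legacy": {"lib.tokenize"},
    "lib.tokenize": set(),
}

# Constructed API diff between lib 1.4.0 and 2.0.0: symbol -> kind of break.
BREAKING_CHANGES = {
    "lib.format_legacy": "removed",
    "lib.validate": "signature changed",
    "lib.internal_cache": "removed",  # the app never calls this
}


def reachable(graph, entry_points):
    """Return every node reachable from the entry points (breadth-first walk)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def breaks_that_matter(graph, entry_points, changes):
    """Keep only the breaking changes the application can actually hit."""
    used = reachable(graph, entry_points)
    return {sym: kind for sym, kind in changes.items() if sym in used}


def is_major_bump(old, new):
    """True when the upgrade crosses a major version under semver, e.g. 1.4.0 -> 2.0.0."""
    return int(old.split(".")[0]) != int(new.split(".")[0])


if __name__ == "__main__":
    print(breaks_that_matter(CALL_GRAPH, ["app.main"], BREAKING_CHANGES))
    print(breaks_that_matter(CALL_GRAPH, ["app.handle_request"], BREAKING_CHANGES))
    print(is_major_bump("1.4.0", "2.0.0"))
```

With `app.main` as the entry point the removed `lib.format_legacy` and the changed `lib.validate` both matter, while `lib.internal_cache` is filtered out; with only `app.handle_request` as entry point the removal no longer affects the application.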

Endor Labs also identified another major challenge for end-users of buggy open source software – delays in the publication of vital information on vulnerabilities.
