The world of open source metadata (Interview)

What It Covers

Andrew Nesbitt discusses Ecosystems, tracking 12 million packages across 35 ecosystems and 287 million repositories. The platform provides open source metadata for SBOM enrichment, security analysis, and research, processing 50 million daily API requests while maintaining sustainability through grants and licensing.

Key Questions Answered

• •Critical Package Concentration: Only 0.01% of packages constitute 80% of all open source usage across ecosystems, translating to roughly 15,000 packages maintained by approximately one person each. This extreme asymmetry reveals how few individuals actually maintain the infrastructure powering modern software development globally.
• •Dependency Data Value: The 24.5 billion dependency relationships provide stronger usage signals than download counts or GitHub stars. When developers remove dependencies, it indicates real problems, unlike stars which persist indefinitely. This data enables tracking actual adoption patterns and identifying breaking changes affecting downstream users.
• •Package Manager Quirks: R package manager removes packages that fail to proactively fix compatibility issues with updated dependencies, creating reproducibility problems for scientific research. NPM contains roughly 1,000 case-sensitive package names despite being case-insensitive, and Maven's nested POM XML structures create parsing complexity across different historical formats.
• •Funding Gap Reality: Between 25-50% of critical packages have automated funding mechanisms like GitHub Sponsors or Open Collective, but individual sponsorships outnumber corporate contributions 10-to-1. Many GitHub Sponsors top earners sell digital goods rather than maintaining open source projects, distorting the sustainability model.
• •SBOM Enrichment Market: Organizations use Ecosystems to enrich software bills of materials with license information, security advisories, and maintainer data across multiple package managers. GitHub Actions drive weekday traffic spikes as CI pipelines automatically validate dependencies, demonstrating the shift toward automated supply chain security practices.