The professional open source survey results we published last year highlighted the impressive reach of open source usage among professional developers. We discovered several interesting data points, including that over 90% of professional developers use open source in building their applications. We also discovered that open source maintainers, when paid, will work on the very same things professional developers want more of—including predictable new features and releases, responsive security fixes, and more.
In our latest survey, which we ran in November and December of last year, we set out to answer some of the follow-up questions that arose after we analyzed the earlier results. Nearly 300 developers responded to our survey, which dives deeper into how professional developers use open source today.
Part 1 shared findings on the top 3 reasons why professional developers use open source. Here in part 2 we reveal some of the things about open source that concern professional developers most.
These three areas of concern stood out from the others among developers we surveyed:
Avoiding security vulnerabilities
Making safe bets on packages being maintained into the future
Staying current on packages they’re using
As with the reasons why developers use open source we covered in part 1, we examined concerns by respondent geography, development team size, and role/title. The results are mostly consistent across these parameters, with a few interesting exceptions.
Software architects, engineering managers, and product managers tend to be more worried about making safe bets on packages being maintained in the future than are respondents with software developer titles.
Similarly, software architects worry more about avoiding license compliance problems than do others we surveyed.
Development team size only impacted one concern—keeping track of the open source code in use. Respondents in organizations with development teams of 1,000 or more people are significantly more concerned with this than are respondents from smaller dev shops.
We’ll take a closer look at the top three open source concerns below.
As the figure below shows, three quarters of professional developers rate avoiding security vulnerabilities a “7” or higher on a scale of 0-10, and 35% rated their degree of concern at a “10.” It’s no wonder, considering the series of newsmaking supply-chain incidents like event-stream, left-pad, and floatdrop in JavaScript and colourama in Python.
This concern is consistent across geography, title, and company size.
Survey respondent: “It's sometimes hard to understand if a package is being maintained or not. Lots of issues and no updates for two years = not maintained, but it's not always that clear cut.”
Over two-thirds of professional developers rate their level of concern with making safe bets on packages being maintained in the future a “7” or greater. This is no surprise, as we hear this topic come up time and again when speaking with professional development teams.
Survey respondents with the titles software architect, engineering manager, and product manager worry more about this area than respondents with software developer titles. This may reflect more senior developers having experienced more of the pain of replacing a deprecated package. It may also reflect these respondents’ broader perspective on the architecture of a codebase and the long view that comes with it.
Nearly 60% of respondents rate staying current on the packages they use a “7” or higher. Uncoordinated, and in many cases unplanned, release schedules make staying current harder for professional developers.
Survey respondent: “We use React Native and there's a lot of effort to update to a new version after a long time without [an] update.”
Only one of the options we provided scored less than “5”—showing the security or legal team that developers are addressing concerns.
And while responses were largely consistent, development team size did impact responses to ‘keeping track of which open source code we are using.’ Respondents in organizations with development teams of 1,000 or more people are significantly more concerned with this than are respondents from smaller dev shops.
Survey respondent: "There are times where an open source platform or dependency's developers no longer have the time to contribute to the projects and the teams can dwindle down until there's no longer support from the leaders in that community."
Respondents also express concern over the future maintenance of open source. In the words of one developer, “most useful open source libraries and tools are dramatically under-funded. Only a small minority of these projects have enough active maintenance for it to be worthwhile for me to depend on them.”
In the next blog post in this series, we will look into how much time developers spend on code maintenance, and how open source contributes to this. If you’re interested in reading more of our findings over the coming months, be sure to subscribe to updates from the Tidelift team and follow us on Twitter.