🤖 AI Summary
Recent analysis reveals that AI coding assistants risk resurrecting millions of abandoned open source packages, challenging the long-held assumption that package popularity equates to trust. Traditionally, developers have relied on widely used packages, taking high download counts and visible maintenance activity as signals of safety. Generative AI, however, is trained on vast corpora that include neglected and experimental repositories, so it can recommend obscure or outdated packages that carry unpatched vulnerabilities or have no one left to fix them.
This trend exposes a critical disconnect in the software supply chain: LLMs risk pulling what the analysis calls the "Dormant Majority", roughly 6.3 million unmaintained projects, back into active development environments. With findings from Snyk and the Linux Foundation indicating that nearly 90% of open source packages fall into this category, the implications for developers and security teams are significant. To address these risks, Snyk has introduced a suite of tools, including the Snyk Security Database and Package Health API, intended to surface package legitimacy and health. The approach encourages a shift from popularity-based selection to a more nuanced evaluation of package provenance, maintenance status and overall security posture, which is essential for maintaining robust software supply chains as AI increasingly shapes dependency choices.
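The check implied above, that a package's maintenance status should be evaluated independently of its download count, is shown here as an added example; it is not code from the article, Snyk or the Linux Foundation. It scores packages on signals that the npm registry's metadata document actually carries (last publish date, a `deprecated` marker on the latest version, the `maintainers` list) rather than on popularity. The registry documents, package names, dates and download figures are constructed for the example, the `weekly_downloads` field is a stand-in for the separate downloads API, and the two-year staleness threshold is an assumed policy, not a published one.

```python
from datetime import datetime, timezone

# Constructed registry documents in the shape of npm's package metadata
# (the real endpoint is https://registry.npmjs.org/<name>). The package
# names, dates, maintainers and download counts are made up for illustration;
# "weekly_downloads" stands in for the separate npm downloads API.
SAMPLE_REGISTRY = {
    "legacy-padder": {
        "dist-tags": {"latest": "1.0.3"},
        "time": {"modified": "2015-06-10T00:00:00.000Z",
                 "1.0.3": "2015-06-10T00:00:00.000Z"},
        "maintainers": [],
        "versions": {"1.0.3": {"deprecated": "no longer maintained"}},
        "weekly_downloads": 2_400_000,  # popular, yet abandoned
    },
    "fresh-parser": {
        "dist-tags": {"latest": "4.2.0"},
        "time": {"modified": "2024-05-01T00:00:00.000Z",
                 "4.2.0": "2024-05-01T00:00:00.000Z"},
        "maintainers": [{"name": "alice"}, {"name": "bob"}],
        "versions": {"4.2.0": {}},
        "weekly_downloads": 900,  # obscure, yet maintained
    },
    "odd-experiment": {
        "dist-tags": {"latest": "0.0.1"},
        "time": {"modified": "2019-01-15T00:00:00.000Z",
                 "0.0.1": "2019-01-15T00:00:00.000Z"},
        "maintainers": [{"name": "someone"}],
        "versions": {"0.0.1": {}},
        "weekly_downloads": 12,
    },
}

# Fixed clock so the assessment is reproducible (assumed date for the example).
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an npm registry timestamp (ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_package(name, doc, now=NOW, stale_after_days=730):
    """Return maintenance signals for one package; download count is reported
    but deliberately plays no part in the dormant/active verdict."""
    latest = doc["dist-tags"]["latest"]
    last_publish = _parse(doc["time"].get(latest) or doc["time"]["modified"])
    age_days = (now - last_publish).days
    deprecated = bool(doc["versions"].get(latest, {}).get("deprecated"))
    maintainers = len(doc.get("maintainers", []))
    reasons = []
    if deprecated:
        reasons.append("latest version is deprecated")
    if maintainers == 0:
        reasons.append("no listed maintainers")
    if age_days > stale_after_days:  # assumed two-year staleness policy
        reasons.append(f"last release {age_days} days ago")
    return {
        "name": name,
        "latest": latest,
        "days_since_release": age_days,
        "maintainers": maintainers,
        "deprecated": deprecated,
        "weekly_downloads": doc.get("weekly_downloads", 0),
        "dormant": bool(reasons),
        "reasons": reasons,
    }


def review_dependencies(names, registry=SAMPLE_REGISTRY, now=NOW):
    """Assess each package an assistant suggested and return the dormant ones."""
    reports = [assess_package(n, registry[n], now) for n in names if n in registry]
    return [r for r in reports if r["dormant"]]


if __name__ == "__main__":
    suggested = ["legacy-padder", "fresh-parser", "odd-experiment"]
    for r in review_dependencies(suggested):
        print(f"{r['name']}@{r['latest']}: {r['weekly_downloads']} weekly downloads, "
              f"but {'; '.join(r['reasons'])}")
```

Run against the constructed data, the heavily downloaded `legacy-padder` is flagged on all three signals while the little-used `fresh-parser` passes, which is the inversion of the popularity heuristic the article describes. In practice the registry document would be fetched per dependency from the lockfile, and the thresholds tuned to the team's tolerance for unmaintained code.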