Reviewing open source trends in 2025
It’s the end of the year, which I suppose means it’s time for the now-traditional look at my predictions.
Software supply chain
I was right that this would continue to be an area of interest in the open source world, just as it was in 2024 (and — spoiler alert! — it will be in 2026). I wrote “In 2025, I expect to see a marked split between ‘hobbyist’ and ‘professional’ open source projects.” That’s probably not as true as my ego would like, but I do think we’re trending that direction, in part due to the inequality I address in the next section.
It’s true that supply chain issues have not stopped in 2025. The Shai-Hulud worm spread through the NPM ecosystem in September (with a similar attack in November). Debian images on Docker Hub contained the XZ backdoor more than a year after it was discovered. Phishing attacks spoofing PyPI in July resulted in the compromise of four accounts, allowing the attackers to upload malicious packages.
But the news wasn’t all bad. GitHub rolled out an immutable releases feature that protects against attackers re-tagging previously-good releases with malicious code. crates.io (Rust), npm (Node.js), and NuGet (.NET) added support for trusted publishing. New tools and frameworks came out to help maintainers better understand and address risks, including the OSPS Baseline and Kusari Inspector (disclosure: I am a Kusari employee).
Inequity
This section had two parts. First, I wrote:
I think we’ll see a growing separation between the haves and have-nots. The projects that enterprises see as critical will get funding and effort. The other projects, whether or not they’re actually important to enterprises, will be left to the increasingly scarce efforts of volunteers.
This held true. Two big examples are the temporary pause of the Kubernetes External Secrets Operator project and Nick Wellnhofer resigning as the sole maintainer of libxml2. Both of these were due to a maintenance burden that exceeded the capacity of the maintainers. Josh Bressers found that almost half of npm packages with a million-plus monthly downloads have a single maintainer. This is likely generalizable across all ecosystems, so it’s no surprise that we’d see this. Some in the FFmpeg community took public issue with Google, suggesting the giant should provide more support or stop sending bugs.
The other part of this prediction concerned events:
Events where companies can make sales will do well. Community events will suffer from a lack of sponsorship and attendance due to lack of travel funding. I think we’ll start to see a shift from global events toward regional events in the community space.
I was wrong here, as far as I can tell. US-based events struggled somewhat, in part due to geopolitics, but European events seem to be doing well. Larger community events, from what I gathered, have done well, although the finances are not what they used to be. Smaller events, though, are struggling. DevOpsDays Detroit, as one example, didn’t accept my talk proposal because the conference was shuttered instead. Many of the local and regional events rely on a small number of committed people to keep going. Just like in software projects, these people are getting burnt out.
The general idea of the prediction seems to be holding up well enough. I’ve heard the phrase “K-shaped economy” approximately a million times in financial news this year. The open source world has seen it, too.
Artificial intelligence
I’ll admit to being wrong on this one, too:
If the bubble doesn’t burst this year, the hype at least slows way down…it will lead to a leveling off in AI-generated code and bug report “contributions” as vendors start charging more money for services.
I maintain that my wrongness is more a matter of timing than anything. Generative AI continues to lose money, but the price increases are not here. While some have expressed concerns about the circular dealing in the sector, it seems like the fallout has mostly been contained to Oracle (whose share price is down over 40% since an early-September high) for the time being. The hype may be slowing, but it’s a little hard to say that with certainty just yet. There’s definitely no indication of a slowdown in AI-generated bug reports in curl’s data.
Vibe check
I called my 2025 predictions “a little bleak,” and I think the vibe was spot on. One thing that didn’t fit well into any of the prediction categories was the attempt by Synadia to un-contribute NATS to the CNCF. Thankfully, that went nowhere. Unfortunately, so did the careers of many in the industry as job cuts continued at companies large and small.
If 2025 was bleak for you, rest assured that it is almost over. I truly appreciate everyone who has read these posts, bought a copy of Program Management for Open Source Projects, subscribed to the DAA newsletter, or in any other way made my year a little less bleak with your presence. Here’s hoping for an improved 2026!
This post’s featured photo by Agence Olloweb on Unsplash.