GitHub's report on open-source security
GitHub has released its "2020 State of the Octoverse" report; one piece of that is a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."