In studying software engineering practices from 100,000 production applications and 4 million open source component migrations, Sonatype uncovered some eye-opening behaviors in modern software development. One surprising trend: Nearly 70% of dependency management decisions are suboptimal.
Understanding these migration paths helps make sense of the panic that ensued when a zero-day vulnerability was disclosed in the world’s most widely adopted logging framework, Log4j, in late 2021. If you weren't automating software supply chain management and paying attention to your dependencies, you were left vulnerable. As the stewards of Maven Central, in addition to studying production applications, Sonatype teams monitored download data, ensuring the world has access to reliable, up-to-date information on the latest Log4Shell trends.