Image: GitHub

Like many other teams, developers from around the world came together this year to innovate, collaborate, and solve problems. As the global workplace shifted to a remote model, there was “an increase in developer connection and camaraderie through open source,” according to GitHub’s 2020 State of the Octoverse report.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

The report is divided into three separate reports.

Finding balance between work and play

The shift to remote work and the blurring of the lines between personal and professional lives affected many things—and the delivery of software and open source projects was no exception.

There were four key findings in this report. The first is that small pull requests drive innovation and productivity. “Teams that focus on small pull requests and closer collaboration have better reviews and faster feedback,” the report said.

SEE: Developer training sees spike in demand as more people learn to code (TechRepublic)

Other findings are that automation drives productivity gains and improves developer experience, open source is a great escape when people are stuck at home, and developer activity highlights the importance of flexible and personal solutions.

In the latter instance, “Developers may be taking advantage of flexible schedules to manage their time and energy, which contributes to this sustained productivity,” the report said.

Another interesting finding was that enterprise developer activity drops on weekends and holidays, but open source activity jumps during those same times. This is “evidence that as people are ‘signing off’ of work they are ‘signing on’ to open source,” the report said. Open source project creation is also up 25% since April year over year.

Overall, there has been increased activity through the pandemic, with consistent or increased activity for pull requests, pushes, reviewed pull requests, and commented issues per person, compared to last year, according to the report.

Empowering healthy communities

GitHub’s developer community of 56 million saw 1.9 billion contributions added in the past year, the report said. Among the other key findings in this report were that GitHub is for more than just software developers.

While the number of people in the community continues to grow, the proportion of those who identify as developers has decreased, “signaling an expanding diversity of those joining the open source community,” the report said.

Another significant finding is that open source project creation jumped by up to 40% year over year as people are turning to open source as a way to create, learn, and connect with the community, according to the report. People are also merging pull requests faster than last year, which indicates increased collaboration, the report said.

GitHub supports distance learning, and more than 900,000 students used the community to learn industry-standard software and build their portfolios, the report said. Over 50,000 teachers automated their course workflows with automated assignments and auto-grading, the report noted.

Securing the world’s software

Most projects on GitHub rely on open source software, and active repositories with a support package ecosystem have a 59% chance of getting a security alert in the next 12 months, according to this third report.

The repositories most like to receive an alert in the past year were Ruby (81%) and JavaScript (73%).

One disturbing finding from the report was that security vulnerabilities often go undetected for more than four years before being disclosed, according to the report.

“Once they are identified, the package maintainer and security community typically create and release a fix in just over four weeks. This highlights the opportunities to improve vulnerability detection in the security community,” the report said.

Other findings were that most software vulnerabilities are mistakes and not malicious attacks, and automation accelerates open source supply chain security.

Suggested actions here are that developers:

  • Check dependencies for vulnerabilities regularly

  • Participate in the community if their organization has a security team

  • Use automation to remediate vulnerabilities and stay secure

  • Remediate vulnerabilities quickly and keep code base current.

While developers worry about introducing security flaws, that is a risk anytime they write code or add a new dependency, the report noted.

“The opposite is also a risk: Stale code and outdated dependencies mean attackers have time to methodically attack a system by leveraging every known vulnerability,” the report said. “Malicious attacks exploit flaws in code, and as a result, developers are embracing proactive detection and automation to prevent or limit the impact a bug can have in production.”

To be successful, the report said, developers must consider all vulnerabilities in their code—both the code they write, and the open source software they depend on.