
On February 2nd, the Open Source Security Foundation (OpenSSF) convened the OpenSSF Package Manager Security Forum, a cross-ecosystem working session focused on one of the most critical and complex challenges facing open source today: package repository security.
The forum brought together participants from across a wide range of package manager ecosystems, including JavaScript and Node.js via npm, the Python ecosystem via PyPI and conda-forge, Rust via crates.io, Ruby via RubyGems, PHP via Packagist and the Composer ecosystem, Erlang via Hex, the Java ecosystem via Maven Central, Perl via CPAN, the Swift ecosystem, and the Go module ecosystem, which operates without a traditional centralized registry.
While these ecosystems differ significantly in their technical designs, governance models, and historical paths, the discussion surfaced a strong set of shared challenges that cut across language, tooling, and community boundaries.
By design, the conversation was held under the Chatham House Rule, enabling candid and experience-driven dialogue while ensuring that insights could be shared publicly without attribution.
Key outcomes from the discussion
While the details of individual contributions remain private, several cross-cutting themes emerged that resonated across ecosystems:
- Identity and account security remain foundational challenges. Ecosystems that rely on external identity providers, as well as those operating their own authentication systems, face common difficulties in ensuring strong and durable maintainer identity over time, particularly as projects grow, change hands, or scale beyond their original communities.
- Security expectations vary widely across packages and users. Participants highlighted the need for more nuanced ways to signal security posture, recognizing that package consumers range from individual developers to large enterprises and governments, and that not all projects can or should meet the same requirements at the same time.
- Governance and abuse handling are under increasing strain. As package volume, automation, and dependency reuse continue to scale, registries are being asked to make harder decisions around malware handling, namespace and ownership disputes, account recovery, and policy enforcement, often with limited resources and volunteer capacity.
- Transparency and auditability are gaining importance, but remain complex. Across ecosystems, there is growing interest in publishing security- and governance-relevant events in a structured way, alongside careful consideration of privacy, legal, and operational implications.
- Sustainability is inseparable from security. Whether ecosystems are volunteer-driven, foundation-supported, or commercially backed, participants consistently acknowledged that long-term security improvements require clearer funding models, better cost visibility, and realistic expectations around support and service levels.
Why this matters
Package managers are deeply interconnected. A security failure, policy decision, or design choice in one ecosystem can quickly ripple into many others through shared tooling, transitive dependencies, and downstream consumption. The challenges discussed at the OpenSSF Package Manager Security Forum are therefore not isolated problems, but shared ecosystem concerns.
This discussion reinforced a clear conclusion: progress depends on coordination, not duplication. While no single solution fits every ecosystem, shared frameworks, common language, and mutual learning can significantly reduce friction and improve outcomes for everyone involved.
OpenSSF’s role
OpenSSF organized and facilitated the OpenSSF Package Manager Security Forum as part of its ongoing commitment to strengthening the security and sustainability of the open source ecosystem. By providing a neutral and trusted forum, OpenSSF enables maintainers, registry operators, and security practitioners from across ecosystems to exchange insights, surface common needs, and explore collaborative paths forward without prescribing outcomes or privileging any single approach.
Looking ahead
The OpenSSF Package Manager Security Forum represents an important step in an ongoing conversation, not a one-time event. As package manager ecosystems continue to evolve in response to new security threats, regulatory pressures, and user expectations, OpenSSF intends to continue convening space for dialogue, learning, and coordination across communities. Future work will focus on identifying where shared guidance, tooling, or frameworks can reduce duplication of effort, support ecosystem autonomy, and help package managers advance security in ways that are practical, scalable, and sustainable.
We look forward to building on the momentum created through these cross-ecosystem conversations. If you would like to join the conversations and help secure these package repositories, and especially if you work on or contribute to a package repository, come join the OpenSSF Securing Software Repositories Working Group via our Slack in the #wg_securing_software_repos channel and our community meetings.