Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries

May 6, 2026

The September 2025 Working Together Towards Sustainable Open Source open letter raised the alarm about the economic sustainability of open source package registries, highlighting how rising adoption and the pace of innovation are placing new and growing pressures on open source package registries. Those pressures have only accelerated in the time since the letter, amplified by the adoption of AI coding agents and tools.

But what are the real economics of an open source package registry? Beyond obvious infrastructure costs, there’s significant, often invisible work required to keep registries running, maintained by a small number of staff and volunteers. It’s more than just uploads and downloads. It’s strengthening security as threats evolve, continuously improving the developer experience, and more.

To ensure long-term sustainability, the registries have formed a Sustaining Package Registries Working Group hosted by the Linux Foundation to collaborate on and share community-aligned strategies and offerings. The right set of strategies will vary by registry and evolve over time, and some registries have already rolled out new approaches.

Inspiration, questions, and concerns can be brought to the WG at <operations@sustainableregistries.org>.

Behind the Scenes of a Package Registry

Registries today run primarily on two things: (1) infrastructure donations and credits; and (2) heroic efforts from small paid teams (themselves funded by donations and grants) and unpaid volunteers that operate and maintain registry services. The bulk of donations and grants comes graciously from a small set of donors who care about the value of package ecosystems, but even these donations don’t scale with demands on the registries.

The core job of a registry is to accept packages from open source publishers and make them available for consumers to download: simple in concept, demanding in practice. We expand on the behind-the-scenes jobs below.

Scale Drivers for Registries

For a sense of scale, the registries – npm, Maven Central, PyPI, Crates.io, RubyGems, Open VSX, Packagist, Hex, CPAN and more than a dozen others – will serve over 10 trillion open source package downloads in 2026 as the headwaters of the world’s software supply chains. 

That’s more than one billion downloads per hour or just under double the predicted number of Google searches that will be run in 2026. 

That 10 trillion number is incomprehensibly large but believable. Modern applications contain not just some open source but hundreds of dependencies often spanning language ecosystems, e.g., your Python package manager may be written in Rust, or the continuous integration system for your Java application may be written in Ruby.

The consumption side of the registry ecosystem – those 10 trillion downloads – is part of the pressure on sustainability, and it’s tempting to look at a “click charge” as part of the solution.  

Nonetheless, the scale of adoption and commercial use places a significant infrastructure and human load on the registries to the tune of millions of dollars per year of CDN, infrastructure, and labor.

The AI Boom Presents Big Challenges

Beyond adoption driving downloads, AI is another scale driver, amplifying both legitimate and malicious activity. AI is accelerating the rate of consumption and production of open source, pushing registry management beyond the scale of human action or oversight. (The difference between Python’s 2025 report and 2026 trajectory is striking: PyPI added 130,000 new packages in 2025, nearly matching its total of 140,000 in 2018, and the registry is adding nearly 900 packages per day in 2026.)

Registries also play a front-line role in supply chain security, keeping malware and vulnerabilities from entering the open source ecosystem, and the “good guys” aren’t the only ones using AI.

Attackers are using AI to create and ship more novel, more difficult-to-detect attacks more quickly. The community is still in the thick of Shai-Hulud and other recent supply chain attacks like the ones on Trivy and LiteLLM, and even more recently, the Axios compromise, which demonstrated how AI and social engineering are converging. But going back to 2021, where we can get a full picture of the end-to-end cost of a significant vulnerability, remediating the Log4Shell (CVE-2021-44228) vulnerability consumed around 10% of a year’s enterprise security effort across the industry.

Complexity Drivers for Registries

With some background on scale and AI drivers, let’s dive into the high-level jobs to be done by a registry, and it’s a long list. No registry does all of these jobs in depth today. Depending on scale, some jobs require fractional or sporadic attention while others, like site reliability engineering, might require a team.

  • Identity and Access Management: Managing publisher identities, credentials, permissions, and audit logs is essential to secure package publication and support incident response.
  • Namespace and Ownership Management: Protecting namespaces and defining publisher, maintainer, and owner roles helps prevent abuse such as brandjacking and typosquatting.
  • Package Ingestion and Validation: Registries must store packages, index metadata, and validate elements like structure, licensing, and signatures to ensure quality and trust.
  • Supply Chain Security and Risk Management: Registries help secure the supply chain by blocking, flagging, quarantining, or removing vulnerable or malicious packages and surfacing risk in package metadata.
  • Registry Security: Registries require continuous hardening, review, and monitoring because a compromise could put the entire ecosystem at risk.
  • Registry Availability: Maintaining reliable publication, discovery, and consumption services requires strong monitoring, alerting, and operational support to minimize downtime.
  • Package Discovery, Search, and Evaluation: Consumers need robust search, filtering, and quality signals to find relevant packages and assess their health and ecosystem importance.
  • Consumption, Distribution, and Mirroring: Registries must deliver packages efficiently through scalable infrastructure while keeping caches and clients aware of upstream changes such as vulnerabilities and new versions.
  • Governance, Policy, and Community Support: Operating a registry requires clear policies, transparent enforcement, and ongoing legal and community support as global regulations evolve.
  • Observability, Analytics, and Ecosystem Insights: Registries provide unique visibility into publishing and consumption patterns, enabling insights that publishers and consumers often cannot gather on their own.
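One concrete slice of the "Namespace and Ownership Management" job above is checking a requested package name against protected names at publish time. The example below is added here to illustrate that check; it is not code from any of the registries named on this page. It assumes PyPI-style name normalization (PEP 503) and a constructed list of protected names.

```python
import re
from typing import Iterable

# Constructed sample of protected names; a real registry would use its
# most-downloaded packages and reserved namespaces here.
PROTECTED = ["requests", "numpy", "python-dateutil"]


def normalize(name: str) -> str:
    """Canonicalize a name the way PyPI does (PEP 503): case-insensitive,
    runs of '-', '_' and '.' collapse to a single '-'. This alone catches
    separator and case variants such as 'Python_DateUtil'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent
    transposition (optimal string alignment), so 'reqeusts' is 1 from
    'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(new_name: str, protected: Iterable[str],
                         max_distance: int = 1) -> list[tuple[str, str]]:
    """Return (protected_name, reason) for every protected name the requested
    name collides with after normalization or sits within max_distance
    edits of. An empty list means the name is clear to proceed."""
    candidate = normalize(new_name)
    hits: list[tuple[str, str]] = []
    for name in protected:
        canon = normalize(name)
        if candidate == canon:
            hits.append((name, "identical after normalization"))
        elif damerau_levenshtein(candidate, canon) <= max_distance:
            hits.append((name, f"within {max_distance} edit(s)"))
    return hits


if __name__ == "__main__":
    for requested in ["reqeusts", "Python.DateUtil", "flask"]:
        print(requested, "->", typosquat_candidates(requested, PROTECTED))
```

A registry would typically hold such hits for human review rather than reject outright, since legitimate names can also land within one edit of a popular package.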

Sustainability Call to Action

With massive traffic, a mountain of hard work to do, supply chain attackers at the gates, and a mission to keep access for individuals open and free, the registries need funding and paid services or models that scale with the demands. The way to get there is to bring commercial users and ecosystem stakeholders to the table as paying customers.

The Sustaining Package Registries Working Group is bringing registry leaders together to define what sustainable operation looks like across funding, operations, and transparency.

Now the ecosystem needs to meet that moment. The companies that depend on these systems must help sustain them so the next generation of software can be built on infrastructure that is not just open, but resilient.

Alpha-Omega 

Continuous Delivery Foundation (CDF)

Eclipse Foundation (OpenVSX)

OpenJS Foundation

Open Source Security Foundation (OpenSSF)

Linux Foundation

Packagist (Composer)

Perl and Raku Foundation

Python Software Foundation (PyPI)

Ruby Central (RubyGems)

Rust Foundation (crates.io)

Sonatype (Maven Central)