Public package registries are handling roughly 10 trillion downloads a year, driven by machine-scale traffic from CI

News
Thalia Mercer

5/7/2026, 12:06:27 PM

Public package registries are handling roughly 10 trillion downloads a year, driven by machine-scale traffic from CI, build pipelines, and AI systems.

Public package registries are under unprecedented strain, handling roughly 10 trillion open-source file downloads each year, and maintainers are urging an organized industry response. The Linux Foundation has convened a Sustaining Package Registries Working Group charged with identifying practical ways to fund and govern registries so they can remain reliable as demand grows.

That 10 trillion figure comes from Sonatype, whose telemetry shows both the scale of the load and how concentrated it is. Brian Fox, Sonatype's CTO, who oversees the Maven Central Java registry, warned that Maven Central risks being overwhelmed by constant downloads. Sonatype found that 82% of download traffic originates from just 1% of client IP addresses, and in some cases a single company requests the same package hundreds of thousands of times in a single day, typically because its build agents have no shared cache in front of the public registry.
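The two numbers above (share of downloads from the top 1% of IPs, and the heaviest single-client repeat of one artifact in a day) are the metrics an operator of a registry or of a corporate mirror would want to compute from their own access logs. The script below is an added example, not Sonatype's tooling or code from the article; the log-line format, the `198.51.100.0/24` and `203.0.113.0/24` client addresses and the artifact paths are constructed for illustration.

```python
"""Measure how concentrated registry download traffic is by client IP.

Added example. The access-log format, the IP addresses and the artifact
paths are constructed; they are not Sonatype's data or log format.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from datetime import date

# Hypothetical access-log line: "<iso-timestamp> <client-ip> GET <path> <status>".
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<ip>\S+)\s+GET\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

ARTIFACT = "/maven2/org/example/lib/1.2.3/lib-1.2.3.jar"  # constructed path


def parse_line(line: str) -> tuple[date, str, str, int] | None:
    """Return (day, ip, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (date.fromisoformat(m["day"]), m["ip"], m["path"], int(m["status"]))


def parse_downloads(lines) -> list[tuple[date, str, str, int]]:
    """Keep only successful (2xx) artifact fetches; drop errors and garbage."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and 200 <= rec[3] < 300:
            records.append(rec)
    return records


def traffic_share_of_top_ips(records, top_fraction: float = 0.01) -> float:
    """Fraction of all downloads served to the busiest `top_fraction` of client IPs."""
    per_ip = Counter(ip for _, ip, _, _ in records)
    if not per_ip:
        return 0.0
    top_n = max(1, math.ceil(len(per_ip) * top_fraction))
    ranked = sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))  # busiest first
    top_total = sum(count for _, count in ranked[:top_n])
    return top_total / sum(per_ip.values())


def hottest_repeat(records) -> tuple[str, str, str, int]:
    """Busiest (day, ip, path) triple: one client re-fetching one artifact."""
    per_key = Counter((d.isoformat(), ip, path) for d, ip, path, _ in records)
    (day, ip, path), count = max(per_key.items(), key=lambda kv: (kv[1], kv[0]))
    return day, ip, path, count


def build_sample_log() -> list[str]:
    """Constructed sample: 200 light clients plus one uncached CI farm."""
    lines = []
    # 200 distinct clients, one download each of a different dependency.
    for i in range(200):
        dep = f"/maven2/org/example/dep{i}/1.0/dep{i}-1.0.jar"
        lines.append(f"2026-05-06T08:{i % 60:02d}:00Z 198.51.100.{i + 1} GET {dep} 200")
    # One CI farm with no shared cache fetching the same jar 800 times in a day.
    for i in range(800):
        lines.append(f"2026-05-06T09:{i % 60:02d}:{i % 60:02d}Z 203.0.113.10 GET {ARTIFACT} 200")
    # Noise the parser must ignore: a 404 and a malformed line.
    lines.append("2026-05-06T10:00:00Z 203.0.113.11 GET /maven2/missing.jar 404")
    lines.append("garbage line left by log rotation")
    return lines


if __name__ == "__main__":
    downloads = parse_downloads(build_sample_log())
    print(f"{len(downloads)} successful downloads")
    print(f"top 1% of IPs account for {traffic_share_of_top_ips(downloads):.1%} of traffic")
    day, ip, path, count = hottest_repeat(downloads)
    print(f"hottest repeat: {ip} fetched {path} {count} times on {day}")
```

On the constructed sample the top 1% of clients (3 of 201 IPs) account for 80.2% of downloads, and the hottest repeat is the single CI address fetching one jar 800 times. Run against a real mirror's logs, the same two functions identify which internal build agents to put behind a caching repository manager.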

Consumption and publishing across public registries have surged in recent years because automated build pipelines, continuous integration, and AI systems access registries at machine speed rather than human speed. This traffic profile has brought sharp increases in bot activity and automated publishing, a flood of security reports, and widespread abuse that registry operators say creates a "sustainability gap" well beyond raw hosting costs.

Stakeholders now frame the problem as a software supply-chain resilience risk. Registries are not passive mirrors but operational and security-critical infrastructure sitting in the path of nearly every modern software build. If core registries falter because of cost, overload, or attack, the blast radius could reach banks, hospitals, major cloud providers, and government systems whose software is built from packages those registries serve. The working group will focus on concrete funding models, governance frameworks, and security practices to keep code flowing reliably. Maintainers and organizations participating in the effort say registries have long been run on a shoestring and argue that sustainability should be treated as a shared industry responsibility rather than a charitable afterthought.

Christopher Robinson of the Open Source Security Foundation (OpenSSF) emphasized that package registries sit on the front lines of software supply-chain security and resilience. The working group aims to translate that urgency into practical, global-scale funding and governance recommendations so registries can be managed as the critical systems they have become.

Sources

  1. ZDNET AI · 5/6/2026