Last year Open Source Collective announced that we were building shared infrastructure for a growing community of researchers, policymakers, funders and developers seeking to identify, secure and sustain critical open source components. Today we welcome Socket as our first partner and customer.

What is

Ecosystems is a set of free and open resources about the production, distribution, and use of open source software. It comprises a structured dataset, released periodically for researchers, funders, and policymakers, and a set of tools and services for application developers. Today Ecosystems combines data on 6m+ open source components from over 30 package registries with over 100m dependent repositories on GitHub, GitLab, and BitBucket. With this data we create a map of open source interdependency from which we can infer much about the state of the open source infrastructure on which we all depend.

Our services are designed to give open source users, funders, and application developers a leg up, to help them understand where their companies, customers or even countries are on that map. Our service includes tools to:

  • resolve full, transitive dependency trees,
  • retrieve aggregated, standardised metadata about a given package or repository,
  • parse license and vulnerability data, and
  • attest to the integrity and authenticity of a given release.

Ecosystems continuously monitors changes in these environments, processing billions of individual events and parsing hundreds of millions of dependency manifests to keep the map accurate and up to date. Of course we also provide services to aggregate, standardise and redistribute this data too.

Welcome Socket!

In October last year we announced that Ecosystems was entering Beta, and that we were looking for a small number of users to ensure that our services were built with practicality in mind. Today we are very happy to welcome Socket as our first partner and customer.

Socket helps developers and security teams to ship faster and spend less time on security busywork by helping them safely find, audit, and manage Open Source Software at scale. The Socket platform enables security and developer teams to work together to securely use and maintain OSS within the organization. The company was built by prolific open source maintainers whose software is installed over 1 billion times per month, as well as a Stanford security instructor. Customers include top tech organizations and startups.

Socket CEO Feross Aboukhadijeh has been flying in parallel with the Ecosystems team for years, having experimented with tools to support the node open source ecosystem back in 2019. He has since continued to look at how to ensure the relationship between open source users and producers continues to be positive and productive. In May last year Feross announced that the Socket team secured funding to protect users from a new type of malware attack, one based on the fundamentally trustful relationship between open source users and producers. If this worries you, check them out at enables Socket to build its product on a foundation of accurate and consistent data about open source software, enabling the team to focus on what makes their service unique. Right now Socket’s Python support is powered by Ecosystems but our standardisation will enable the team to rapidly build out support for other package and framework ecosystems in the future.

Creating a sustainable future for

Socket is also our first commercial customer, supporting the continued development and maintenance of Ecosystems with the purchase of an optional license agreement. While our initial development was paid for by Open Source Collective and Plaintext Group @ Schmidt Futures, we know that it’s essential to build a sustainable business model for Our licencing model enables users to choose to support us by disclosing the source of their data, or to support the project financially. Of course, they can do both, as Socket is doing today.

Our hope is that Ecosystems can be the catalyst for companies like Socket, and we’re extremely happy for Socket to be the first partner and customer on this journey. If you’re interested in using in your research, policy decisions, funding program or application check out and contact us at [email protected].