New Linux Foundation initiative convenes registry leaders to develop shared approaches to funding, governance, and long-term ecosystem resilience.

The OpenJS Foundation, which provides vendor-neutral support for sustained growth within the open source JavaScript community, today announced its participation as a founding member of the newly formed Sustaining Package Registries Working Group. Hosted under the Linux Foundation, the Working Group provides a forum for registry leaders to collaborate on the financial, operational, and infrastructure challenges of sustaining public package registries at global scale.
As open source consumption and publishing move from developer scale to machine scale, reaching close to 10 trillion downloads in 2025, registries are facing a sharp rise in AI-driven demand, bot traffic, automated publishing, security reporting volume, and registry abuse. Those pressures are exposing a broader sustainability gap that now poses a software supply chain security and resilience risk.
Building on the Joint Statement on Sustainable Stewardship, core objectives of the Sustaining Package Registries Working Group include:
“Open source registries are no longer passive distribution points; they are operational and security-critical systems sitting in the path of nearly every modern software build. As AI-driven demand and automated publishing surge, the strain on volunteer maintainers has reached a critical inflection point,” said OpenJS Foundation Executive Director Robin Bender Ginn. “At the OpenJS Foundation, we believe that security in the age of AI isn’t just about writing better code; it’s about shared responsibility and ensuring that the human-led ecosystems powering the global software supply chain have the sustained capacity to respond to evolving threats. Strategic investment in our shared infrastructure is the only way to turn reactive survival into proactive stewardship for the entire open web.”
To get in touch with the Sustaining Package Registries Working Group or receive more information on joining, reach out to working-group@lists.sustainregistries.org. For an update on the Working Group’s activities, read the latest Joint Statement.
“Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build. If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.” — Brian Fox, Co-founder and CTO of Sonatype
“Package registries sit at the front lines of software supply chain security and resilience. As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.” — Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation