Key Numbers
- 4.6 B unique code packages uploaded to public registries in 2025 — a 25% rise over 2024 (The New Stack)
- 70% of CI/CD pipelines now integrate JFrog Artifactory as their primary artifact store (The New Stack)
- Supply‑chain incidents grew 30% year‑over‑year, with 1 in 5 breaches linked to third‑party packages (The New Stack)
Bottom Line
Developers now face a vastly expanded attack surface as the number of code packages explodes. Investors in tech startups must prioritize robust supply‑chain defenses to protect valuation and avoid costly breaches.
The 2025 JFrog report logged 4.6 B unique code packages, up 25% from 2024. This surge forces developers to adopt stricter security controls, raising operating costs and impacting startup growth.
Why This Matters to You
If you build software or own a startup, the expanding package ecosystem means more dependencies to audit. Ignoring this trend could expose you to costly supply‑chain attacks and regulatory scrutiny.
Supply‑Chain Attack Surface Expands 30% — What It Means for Security Budgets
In 2025, incidents involving third‑party packages rose 30% (The New Stack). This spike signals that attackers are increasingly targeting open‑source libraries. Companies must allocate additional funds to automated scanning and policy enforcement.
CI/CD Pipelines Shift to JFrog Artifactory — How It Alters DevOps Workflows
Seventy percent of pipelines now use JFrog Artifactory as the central artifact store (The New Stack). This consolidation simplifies dependency management but makes the artifact store a single point of failure for every build that depends on it. DevOps teams need to implement multi‑zone replication and zero‑trust access controls around it.
Developer Productivity Slips as Package Volume Increases — What It Means for Time‑to‑Market
With 4.6 B packages uploaded, build times have lengthened by an average of 12% (The New Stack). Faster caching and deduplication strategies are essential to keep release cycles on schedule. Startups that lag may lose their competitive edge.
What to Watch
- Watch JFrog’s Q2 2026 earnings call for guidance on security tooling investments (next month)
- Monitor the GitHub Advisory Database updates for new vulnerability disclosures (this week)
- Keep an eye on OWASP Dependency-Check releases for enhanced scanning capabilities (Q3 2026)
| Bull Case | Bear Case |
|---|---|
| Companies that swiftly integrate advanced supply‑chain security will attract higher valuations (Analyst view — Gartner) | Startups that delay security upgrades risk costly breaches and investor pullback (Analyst view — Forrester) |
Will the surge in code packages accelerate the shift toward zero‑trust DevOps, or will it overwhelm smaller teams?
Key Terms
- CI/CD — Continuous Integration/Continuous Delivery, the automated process of building, testing, and deploying code.
- Zero‑trust — A security model where no component is implicitly trusted, requiring verification for every access request.
- Artifact store — A repository that holds compiled code and dependencies for reuse across builds.