COVID-19 coronavirus captive coders create copious code, claims GitHub: Open-source projects mushroom amid pandemic

Microsoft's cloud repo rental biz finds a silver lining in 2020

It was the best of times for software developers, it was the worst of times for everyone else.

GitHub, in its annual data dump known as the State of the Octoverse, revealed on Wednesday that COVID-19 has been good for quarantine-oriented activities like writing code. Software developers, the biz found, have created 35 per cent more code repositories over the past year, compared to the previous one. They've also created 40 per cent more open-source projects, and increased their contributions to open-source projects by 25 per cent.

Also, pull request merge times – the interval between a submitted code improvement and its incorporation into the project – decreased by 7.5 hours.

GitHub suggests this is consistent with prior research that indicates employees with workplace flexibility – variable schedules and the ability to work from home – work longer hours, sometimes as much as one or two days per week.

Productivity gains of that magnitude, in conjunction with potential real estate cost reductions, help explain why companies like HPE have been rethinking office-bound work policies.

"We see increased development work – both time spent and amount of work – across all time zones we investigated," the GitHub report stated. "Developers may be taking advantage of flexible schedules to manage their time and energy, which contributes to this sustained productivity."

The report, however, warns that if work takes the place of personal time and rest breaks, the pace may not be sustainable. GitHub says that it has over 56m developers building projects, and expects to have 100m by 2025.

JavaScript remains the most popular programming language among GitHub repos, followed by Python, Java, TypeScript, C#, PHP, C++, C, Shell, Ruby, and Objective-C.

TypeScript, a superset of JavaScript that adds support for static typing, made the most significant gains over the past year, rising from rank seven to four. A research paper published in 2017, "To Type or Not to Type: Quantifying Detectable Bugs in JavaScript," found that static typing can reduce the number of bugs in a project by 15 per cent.

Looking at 521 security advisories across six different programming and packaging ecosystems – PHP, Java, JavaScript, Python, .NET, and Ruby – GitHub found that 83 per cent followed from programming mistakes, and noted 17 per cent followed from malicious behavior, such as efforts to insert backdoors in code.

"Of those 17 per cent, the vast majority come from the npm ecosystem," the report stated. GitHub, as it happens, now runs npm, having acquired the company that runs the registry back in March.

The report goes on to note that software vulnerabilities typically go undetected for more than four years, which is consistent with a 2017 RAND report [PDF] that found zero-day flaws have a median survival time of five years before public disclosure.

Once word gets out about a security hole, GitHub's data indicates that it takes about 4.4 weeks before a fix appears. The code storage biz reckons this represents an opportunity to improve vulnerability detection and response. ®
