Chainguard Reaches 94% Coverage Across Python, Java, and JavaScript

Chainguard announced expanded coverage of Chainguard Libraries across Python, Java, and JavaScript, with customers achieving 94% coverage of the Python dependencies used in their environments. Because these libraries are rebuilt from publicly verifiable source code in the SLSA L2-compliant Chainguard Factory, the expanded coverage marks a significant advancement in blocking malware within the open source components that power 70–90% of modern software. As a result, engineering teams can sustain development speed without sacrificing security.

The expanding risk of open source dependencies

Engineering teams are increasingly relying on AI coding tools to build software, with 4% of all GitHub commits now being authored by Claude Code. These tools are trained on open source ecosystems such as Python, Java, and JavaScript. When an organization’s developer velocity accelerates, its open source consumption increases and its attack surface expands with it. With software supply chain attacks on the rise, such as Shai-Hulud, dYdX, spellcheckerpy, and SANDWORM_MODE, teams face an impossible tradeoff between slowing down to stay secure and moving fast while accepting growing supply chain risk. In the last year alone, researchers discovered more than 450,000 malicious packages, roughly one every minute.

“As untrusted code proliferates in this new world of AI coding, secure-by-default is the only effective security posture. Relying on unverified binaries and after-the-fact scanning simply doesn’t work,” said Patrick Donahue, SVP of Product, Chainguard. “Rebuilding open source dependencies from source is an incredibly complex problem that the industry hasn’t solved until now. Chainguard Libraries delivers open source libraries as trusted infrastructure so organizations can stay secure while moving at the speed modern software demands.”

Coverage that reflects real impact across open source ecosystems

Across Chainguard Libraries for Python, Java, and JavaScript, customers have access to the coverage they need to reduce their reliance on the malware-flooded registries that can disrupt their businesses. For every version built across each of the ecosystems, every underlying transitive dependency has been rebuilt too:

  • Python: Now generally available, Chainguard Libraries for Python customers see 94% coverage across the dependencies they use in their environments. Chainguard has built more than half a million unique versions, including notoriously hard-to-rebuild AI libraries such as PyTorch, torchvision, and torchaudio.
  • Java: Chainguard has rebuilt nearly one million unique versions of Java dependencies, including enterprise essentials such as Spring Boot, Jackson, Apache Commons, and Log4j.
  • JavaScript: Just five months after launch, Chainguard already covers 88% of npm’s top 500 highest-impact JavaScript libraries, and tens of thousands more in the long tail. A library earns “high-impact” status by crossing both of the following thresholds: more than one million downloads in the past week, or being depended upon by at least 500 other projects.

Over the past 12 months, enterprises from highly regulated industries to high-growth AI startups, such as Abridge AI, Alara, Canva, Cast AI, and Rocket Lab, have switched from downloading dependencies from public registries to using Chainguard Libraries. Now, they have verifiable proof through signed provenance and SBOMs that their open source artifacts match the source code bit-for-bit.

“Knowing what’s in our dependencies before anything gets deployed is huge,” said Jeremy Knickerbocker, Principal Application Engineer, Alara. “And with Chainguard Libraries, this way we know we’re safe whenever the next ecosystem-wide malware attack strikes.”

Purpose-built for security, speed, and scale

Chainguard’s ability to deliver broad, environment-based library coverage at scale is powered by the Chainguard Factory, a SLSA L2-compliant environment that builds libraries from verified source code. The Chainguard Factory allows Chainguard to quickly build new artifacts, apply consistent security best practices, and backport fixes for dozens of critical and high-severity CVEs in the Python ecosystem at scale. The company recently supercharged its software factory with the addition of DriftlessAF, a resilient, self-correcting agentic framework that uses AI reconciler bots to tackle complex tasks, such as adapting to new package releases and addressing security issues.

Learn more about how Chainguard Libraries secures Python, Java, and JavaScript dependencies without sacrificing speed or security on the Chainguard website.

About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.