惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 聂微东
IT之家
IT之家
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Y
Y Combinator Blog
博客园 - 【当耐特】
The Cloudflare Blog
宝玉的分享
宝玉的分享
罗磊的独立博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Visual Studio Blog
小众软件
小众软件
博客园_首页
Last Week in AI
Last Week in AI
J
Java Code Geeks
V
V2EX
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
阮一峰的网络日志
阮一峰的网络日志
腾讯CDC
博客园 - 司徒正美
Engineering at Meta
Engineering at Meta
The GitHub Blog
The GitHub Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
DataBreaches.Net
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
云风的 BLOG
云风的 BLOG
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
T
The Blog of Author Tim Ferriss
N
Netflix TechBlog - Medium
F
Full Disclosure
B
Blog
H
Help Net Security
C
Check Point Blog
WordPress大学
WordPress大学
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
L
LangChain Blog
P
Proofpoint News Feed
D
Docker
Microsoft Security Blog
Microsoft Security Blog

2024 Sonatype Blog

Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Open Publishing, Commercial Scale
Brian Fox · 2026-06-16 · via 2024 Sonatype Blog

This is not just a Maven Central story.

Across open source, public package registries are confronting the same uncomfortable reality: Infrastructure built for community-scale software sharing is now production infrastructure for commercial platforms, automated systems, CI/CD pipelines, scanners, AI-era developer tools, and machine-to-machine workflows operating at global scale.

For years, I have written about this shift through the lens of Maven Central. We first saw it most clearly on the consumption side: enormous volumes of repeated downloads, CI systems pulling the same artifacts again and again, scanners rehydrating dependency trees at industrial scale, and platforms treating Maven Central as if it were an unlimited backend service.

But those investigations were never just internal Maven Central exercises. They became part of a broader conversation among package registry operators and open source infrastructure stewards about what it actually costs to run public infrastructure at modern scale. The OpenSSF joint letters grew out of that shared recognition: across ecosystems, the same patterns were emerging. The old assumption that public registries could absorb unlimited commercial-scale demand without corresponding responsibility was no longer credible.

This is already turning into actions. The Eclipse Foundation recently launched Open VSX Managed Registry, a paid managed service for commercial adopters that need production-grade reliability, defined service levels, and predictable scaling, while preserving free access for individual developers and open source projects.

Maven Central is part of that same industry-wide shift.

For most of its history, Maven Central has run on a simple premise: make Java components broadly available, keep publishing open, and let developers build. That model helped make Maven Central one of the most important pieces of public software infrastructure in the world. It supports millions of developers, millions of components, and the quiet, constant machinery behind modern software delivery.

But open does not mean infinite. And free does not mean costless.

On the consumption side, that reality led us to introduce controls and rate limits, not as punishment, but as a signal that the ecosystem needs to change. When the same artifacts are downloaded millions of times by automation that could have cached them, the problem is not open infrastructure. The problem is a design pattern that treats open infrastructure as someone else's backend.

Publishing Has Its Own Version of the Same Problem

The consumption side of Maven Central made one thing impossible to ignore: scale changes the nature of use. Publishing has the same distinction.

A maintainer publishing normal releases for an open source project is one thing. A large commercial entity using Maven Central as the last-mile distribution channel for SDKs, agents, generated clients, integrations, or other commercial software components is another.

There is nothing inherently wrong with that. Maven Central is valuable precisely because it gives the Java ecosystem a trusted, familiar, broadly adopted distribution path. Commercial organizations publishing useful libraries, SDKs, integrations, and developer tools can create real value for the ecosystem.

But when commercial delivery pipelines use that shared path at very high scale, the cost shifts. Storage, validation, indexing, metadata processing, replication, abuse management, and long-term stewardship all become part of the cost of delivering those commercial offerings.

Historically, that cost has been absorbed by the same commons that supports ordinary open source publishing. That is the imbalance publishing limits are meant to address.

Publishing size and frequency are strong indicators of commercial-scale or infrastructure-driven use. They are not perfect measures of intent and are not meant to punish legitimate open source activity. But they are practical signals that a publishing pattern may be serving a very different purpose than a maintainer releasing an open source library.

The largest publishers are often not hobbyists or small open source projects accidentally crossing a line. They are large organizations using Maven Central as part of their software delivery infrastructure. That can be reasonable, and in many cases it is beneficial.

But if Maven Central is part of a commercial distribution model, then the organizations depending on it at that scale need to help support the infrastructure that makes it possible.

This is less radical than it sounds. It is how most infrastructure works once it becomes important enough. The community path remains open. The commercial-scale path becomes explicit.

What Is Changing

Maven Central is adding publishing usage visibility and limits for high-volume publishing activity. This rollout begins with visibility.

Starting June 16, 2026, some publishers may see informational notifications in Maven Central if their organization is approaching or has reached monthly publishing limits. These notifications are part of a soft-limit phase. They are informational only. They will not block, throttle, or prevent publishing.

This does not start with enforcement. The first step is giving publishers a clearer view of their usage so they can understand their publishing patterns, review their workflows, and plan ahead.

Many publishers publish through build and release tooling and may not regularly sign in to the Maven Central UI. That means usage can grow without anyone having a clear operational picture. The new visibility is intended to close that gap before limits are enforced.

Hard enforcement is scheduled to begin on August 11, 2026. Starting then, organizations above the free publishing limits will have publishing activity capped until usage is reduced, an exemption has been approved, or a paid option is in place.

Most publishers will not need to make any changes.

That bears repeating, because infrastructure changes tend to create understandable anxiety: This is not a blanket fee for publishing to Maven Central.

Maven Central remains free for community open source publishing. The change is focused on organizations with unusually large artifacts, very high publishing frequency, or repeated high-volume publishing activity.

For organizations above the free limits, there are three paths.

First, reduce avoidable publishing activity. Maven Central should be used for public distribution of release-ready artifacts, not as the default destination for every intermediate output produced by a software factory. Avoid publishing every CI build. Move internal-only artifacts to private repositories. Review automation for duplicate or unnecessary publish attempts. If something is not intended for public consumption, Maven Central is probably not the right place for it.

Second, legitimate open source projects with unusual publishing patterns may request an exemption for review. Limits are useful for identifying patterns, but they are not a substitute for judgment. Some real open source projects may have unusual release models, unusually large artifacts, or other characteristics that deserve review rather than automatic classification.

Third, organizations with higher-volume, commercial-scale, or infrastructure-driven publishing needs can move to Maven Central Publisher Pro. Maven Central Publisher Pro provides a paid path for publishing at higher scale while helping support the infrastructure those publishing patterns depend on.

The Larger Point

Rather than making open source smaller, these changes ensure the underlying infrastructure is durable enough to support its continued growth and success at machine speed and scale.

For years, the software industry treated public registries as if they were naturally occurring resources. They are not. They are built, operated, defended, scaled, and maintained. Someone handles the storage growth. Someone handles the abuse. Someone pays for bandwidth. Someone keeps the metadata flowing. Someone makes sure the system is still there when the next build runs.

The commons does not fail because people use it. It fails when use and responsibility become permanently disconnected.

We saw this with consumption, we now see it on the publishing side. And it is the pattern package registries across ecosystems are beginning to address in their own ways.

Maven Central will remain open for ordinary open source publishing. That remains core to its purpose. But commercial-scale publishing through Maven Central cannot continue to be treated as indistinguishable from community-scale publishing simply because both use the same upload path.

Open infrastructure works best when it is open by design, not open by exhaustion.

For important dates, guidance on next steps, and further reading, visit the Maven Central Publishing Limits page: http://central.sonatype.org/publish/maven-central-publishing-limits/.

Publishing limits are one step toward reconnecting use with responsibility.

Further reading:

Tags

development infrastructure Central Open Source Maven central repository Modern Infrastructure Publishing to the Central Repository registry scale