
Chainguard expands coverage and impact across Python, Java, and JavaScript libraries, securing the open source dependencies engineering teams rely on
KIRKLAND, Wash., Feb. 26, 2026 /PRNewswire/ -- Chainguard, the trusted source for open source, today announced it has expanded Chainguard Libraries coverage across Python, Java, and JavaScript, with customers seeing 94% coverage across the Python dependencies they use in their environments. Given Chainguard Libraries are rebuilt from publicly verifiable source code in the SLSA L2-compliant Chainguard Factory, this widespread coverage is a major step forward in preventing malware in the open source libraries that underpin 70-90% of all software. This allows engineering teams to maintain their development velocity without compromising security.
The expanding risk of open source dependencies
Engineering teams are increasingly relying on AI coding tools to build software, with 4% of all GitHub commits now being authored by Claude Code. These tools are trained on open source ecosystems such as Python, Java, and JavaScript. When an organization's developer velocity accelerates, its open source consumption increases, and its attack surface expands exponentially. With software supply chain attacks on the rise, such as Shai-Hulud, dYdX, spellcheckerpy, and SANDWORM_MODE, teams face an impossible tradeoff between slowing down to stay secure or moving fast while accepting growing supply chain risk. In the last year alone, researchers discovered more than 450,000 malicious packages, roughly one every minute.
"As untrusted code proliferates in this new world of AI coding, secure-by-default is the only effective security posture. Relying on unverified binaries and after-the-fact scanning simply doesn't work," said Patrick Donahue, SVP of Product, Chainguard. "Rebuilding open source dependencies from source is an incredibly complex problem that the industry hasn't solved until now. Chainguard Libraries delivers open source libraries as trusted infrastructure so organizations can stay secure while moving at the speed modern software demands."
Coverage that reflects real impact across open source ecosystems
Across Chainguard Libraries for Python, Java, and JavaScript, customers have access to the coverage they need to reduce their reliance on the malware-flooded registries that can disrupt their businesses. For every version built across each of the ecosystems, every underlying transitive dependency has been rebuilt too:
- Python: Now generally available, Chainguard Libraries for Python customers see 94% coverage across the dependencies they use in their environments. Chainguard has built more than half a million unique versions, including notoriously hard-to-rebuild AI libraries such as PyTorch, torchvision, and torchaudio.
- Java: Chainguard has rebuilt nearly one million unique versions of Java dependencies, including enterprise essentials such as Spring Boot, Jackson, Apache Commons, and Log4j.
- JavaScript: Just five months after launch, Chainguard already covers 88% of npm's top 500 highest-impact JavaScript libraries, and tens of thousands more in the long tail. A library earns "high-impact" status by crossing one of the following thresholds: more than one million downloads in the past week, or being depended upon by at least 500 other projects.
Over the past 12 months, enterprises from highly regulated industries to high-growth AI startups, such as Abridge AI, Alara, Canva, Cast AI, and Rocket Lab, have switched from downloading dependencies from public registries to using Chainguard Libraries. Now, they have verifiable proof through signed provenance and SBOMs that their open source artifacts match the source code bit-for-bit.
"Knowing what's in our dependencies before anything gets deployed is huge," said Jeremy Knickerbocker, Principal Application Engineer, Alara. "And with Chainguard Libraries, we know we're safe whenever the next ecosystem-wide malware attack strikes."
Purpose-built for security, speed, and scale
Chainguard's ability to deliver broad, environment-based library coverage at scale is powered by the Chainguard Factory, a SLSA L2-compliant environment that builds libraries from verified source code. The Chainguard Factory allows Chainguard to quickly build new artifacts, apply consistent security best practices, and backport dozens of critical and high-severity CVEs in the Python ecosystem at scale. The company recently supercharged its software factory with the addition of DriftlessAF, a resilient, self-correcting agentic framework that uses AI reconciler bots to tackle complex tasks, such as adapting to new package releases and addressing security issues.
Discover how Chainguard Libraries eliminates the tradeoff between speed and security.
About Chainguard
Chainguard is the trusted source for open source. By delivering hardened, secure, and production-ready builds of all the open source software engineers rely on, Chainguard helps organizations build faster, stay compliant, and eliminate risk. Its customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/
SOURCE Chainguard