News
TypeScript Surges in GitHub Octoverse 2020 Report
TypeScript popularity surged in GitHub's annual Octoverse report, one of the most comprehensive developer-oriented studies in the industry, focusing on the open source dev space.
The huge 2020 State of the Octoverse report was just published by the Microsoft-owned open source code repository and development platform, finding that Microsoft's programming language rose three steps on the ranking.
That appears to be the largest upward movement recorded in GitHub's yearly rankings, which go back to 2014. The new study showing an increase in TypeScript popularity echoes other programming language rankings that Visual Studio Magazine has reported in the past year or so, including:
Regarding that last article, from May 2019, RedMonk analyst James Governor, said, "So what is driving TypeScript growth? One high level answer is that more strongly typed languages -- in which you need to define the type of information in a variable up front -- are having a renaissance."
Here's this year's Octoverse ranking:
[Click on image for larger view.] Top Programming Languages Over Time (source: GitHub).
Here's RedMonk's graphic from earlier this year:
[Click on image for larger view.] RedMonk Q120 Programming Language Rankings (source: RedMonk).
Here's a graphic from a February report by Hired:
[Click on image for larger view.]Most Commonly Used Programming Languages by Software Engineers (source: Hired).
Another view on the language's popularity climb was expressed by Stack Overflow in it's May 2020 report: "TypeScript's surge in popularity highlights Microsoft's change of direction and embrace of the open source movement. As front end web and Node.JS codebases grow in size and complexity, adopting TypeScript's static typing gives developers increased confidence in their code's correctness.
"TypeScript's ability to be adopted incrementally means developers can dip their toes in, gaining immediate benefits, without having to undertake a risky porting project. As a final sweetener, TypeScript polyfills many ECMAScript changes (like arrow functions, async, and classes) before they're widely available in browsers. We've been persuaded ourselves, as more and more of Stack Overflow's JavaScript is actually transpiled TypeScript."
However, while much has been made of that relatively recent "embrace" of open source by Microsoft, the company (which acquired GitHub itself a couple years ago), barely appears in the 2020 Octoverse report at all. That's a change from 2018, for example, when Microsoft was said to have two of the top five open source projects on GitHub (as measured by the number of contributors): Visual Studio Code and Microsoft Azure Documentation.
This year, the report has a different format. It's divided into three sections: Finding balance, Empowering communities, and Securing software, with the COVID-19 pandemic figuring prominently.
"In 2020 we all had to rethink our working spaces and schedules, testing the boundaries between work and home -- and we saw that line can be hard to draw," GitHub said in the report overview.
The Octoverse report's three sections represent "deep dives" into data that GitHub has collected. On the security front, for example, GitHub touted the platform's automation capabilities as instrumental in providing better security. Key security-related findings listed by the company include:
- Most projects on GitHub rely on open source software. We see the most frequent use of open source dependencies in JavaScript (94 percent), Ruby (90 percent), and .NET (90 percent).
- Active repositories with a supported package ecosystem have a 59 percent chance of getting a security alert in the next 12 months. Ruby (81 percent) and JavaScript (73 percent) repositories were the most-likely to receive an alert in the last 12 months. Our analysis also breaks down advisories by severity.
- Security vulnerabilities often go undetected for more than four years before being disclosed. Once they are identified, the package maintainer and security community typically create and release a fix in just over four weeks. This highlights the opportunities to improve vulnerability detection in the security community.
- Most software vulnerabilities are mistakes, not malicious attacks. Analysis on a random sample of 521 advisories from across our six ecosystems found that 17 percent of the advisories were related to explicitly malicious behavior such as backdoor attempts. These malicious vulnerabilities were generally in seldom-used packages, but triggered just 0.2 percent of alerts. While malicious attacks are more likely to get attention in security circles, most vulnerabilities are caused by mistakes.
- Automation accelerates open source supply chain security. Repositories that automatically generate a Dependabot pull request patch their software 13 days sooner, or 1.4 times faster, than those that don’t. This is one way that teams can 'shift left,' by building security into development workflows and amplifying the impact of security findings.
Automation was also touted for improving things beyond security. "Thanks to automation and collaboration, developers have been able to communicate more effectively and increase efficiency, carving out more time to do the work that matters most," GitHub said.
About the Author
David Ramel is an editor and writer at Converge 360.