In 2025, open-source software is in trouble because most maintainers feel burned out, underpaid, and are getting older, with many planning to quit. The people who keep these projects running spend lots of time for little or no money, and not enough young people are joining in. This puts big companies at risk, as their apps depend on this unpaid work – bugs and security holes can go unfixed if a maintainer leaves. Some projects survive by getting steady funding from companies, subscriptions, and grants instead of just relying on volunteers. The days of running open-source on goodwill alone are ending, and real support is needed to keep things safe and working.
What is the main challenge facing open-source software maintenance in 2025?
Open-source software in 2025 faces a critical sustainability crisis as 60% of maintainers are quitting or planning to quit, citing burnout, lack of funding, and aging contributor demographics. Successful projects now rely on structured support, including corporate sponsorship, subscriptions, and foundation grants.
The unpaid backbone of enterprise software is cracking
Every time a Fortune 500 app launches, it quietly leans on code written in spare bedrooms by volunteers who never expected to become critical infrastructure. In 2025, that delicate arrangement is showing serious strain.
60 % of maintainers have quit (or want to)
Surveys by SonarSource show that almost six in ten open-source maintainers have either already walked away or are actively planning to. Top reasons cited: life priorities (74 %), burnout (68 %), and simple lack of money (66 %).
The numbers are even starker when you look at time spent: maintainers report that triaging issues alone can eat 10-15 hours a week, unpaid. For many, that invisible labor now outweighs the joy of coding.
Graying community, shrinking pipeline
- The share of maintainers aged 46-65 has doubled since 2021.
- Contributors under 26 have fallen from 25 % to just 10 % of the total pool (GitHub Blog).
Without a new generation stepping up, the next decade risks a leadership vacuum at the precise moment when open-source software underpins cloud, AI and financial systems.
Security fallout is real
When a single maintainer disappears, known vulnerabilities can linger unfixed. Recent incident reviews found:
- At least three major npm packages were hijacked in 2024 via phishing aimed at aging maintainers.
- One-person libraries now make up an estimated 15 % of the transitive dependencies in average enterprise projects (Socket.dev analysis).
What actually works in 2025
Projects that survive the squeeze have shifted from goodwill to structured support. The most common successful mix:
| Funding lane | 2024-2025 median annual income | Stability indicator |
|---|---|---|
| Corporate sponsorship | $25 k – $80 k | Long-term contracts |
| LTS subscriptions | $50 k – $120 k | SLA-backed support |
| Foundation grants | $10 k – $40 k | Multi-year pledges |
| Micro-donations | $2 k – $8 k | Monthly recurring |
Case study: Composer/Packagist (the PHP package manager) now covers 60 % of maintainer salaries through Private Packagist commercial services, reducing burnout while keeping the core open source (Packagist Blog).
Emerging lifelines
- HeroDevs offers “never-ending support” for abandoned libraries, giving enterprises a paid path to keep legacy code secure (HeroDevs report).
- OpenJS Foundation and Python Software Foundation run sustainability programs that pair maintainers with paid contractor help.
The message from veteran maintainers is simple: the era of pure volunteer heroics is ending. Projects that professionalize support and build transparent funding pipelines are the ones still shipping patches in 2026.
What is driving the burnout among open-source maintainers in 2025?
Nearly 60 % of maintainers have quit or are close to quitting, according to the SonarSource 2025 report. The top stressors are:
- Unpaid administrative work – triaging issues, documentation and user support now occupy more time than actual coding
- Enterprise pressure – single-person projects are expected to deliver the stability of commercial software
- Life priorities – after 2024, more maintainers cite family and health concerns than technical challenges
The average age of maintainers has also shifted: the group aged 46-65 has doubled since 2021, while contributors under 26 dropped from 25 % to just 10 % (Tidelift 2024 survey). This aging pipeline threatens long-term project continuity.
Why is the “hobbyist” label so controversial?
The term started as shorthand for unpaid maintainers, but many feel it erases the professional responsibility they carry. One maintainer noted: “We run the libraries that banks and hospitals depend on – calling that a hobby is insulting.”
The Open Source Security podcast episode “Hobbyist Maintainers” explores how this framing can:
- Reduce funding urgency (“it’s just a hobby”)
- Downplay security obligations
- Discourage new contributors who see unpaid work as unsustainable
Industry panels now recommend “critical infrastructure steward” as a more accurate title.
How severe are the security risks from under-funded projects?
Security gaps are growing faster than patches can be released:
- Over 1,200 widely-used npm packages are maintained by just one or two individuals (Socket.dev 2025)
- Recent phishing attacks compromised popular libraries like faker.js and colors – both maintained solo
- Only 38 % of maintainers have any formal security training
The 2025 Linux Foundation report warns that sustainability gaps directly translate to exploitable vulnerabilities, particularly in supply-chain dependencies.
What funding models are actually working in 2025?
Diversified approaches show the best results:
✅ Multi-stream funding – projects combining grants, GitHub Sponsors and corporate contracts last 2.3x longer
✅ LTS partnerships – companies like HeroDevs provide “Never-Ending Support” for abandoned frameworks, ensuring enterprise SLA coverage
✅ Foundation backing – Python Software Foundation’s sustainability program distributes $2.4M annually to 200+ maintainers
Case study success: Composer/Packagist funds core development through Private Packagist subscriptions while keeping the main project open-source – balancing revenue without gatekeeping.
What practical steps can organizations take today?
Immediate actions:
- Run an SBOM audit within 30 days to identify single-maintainer dependencies
- Allocate 2-5 % of engineering budget to direct maintainer sponsorship (GitHub Sponsors averages $340/month per maintainer)
- Join sector foundations – FINOS members report 40 % faster vulnerability resolution through shared resources
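One way to carry out the SBOM audit in the first action above, as an added example rather than code from the page or from any of the cited reports: this Python script parses a CycloneDX-style SBOM fragment (constructed inline, with invented package names), joins each component against a maintainer-count table (also constructed; a real audit would build it from registry metadata such as the `maintainers` array in an npm package document), flags dependencies with a single maintainer, and surfaces components whose maintainer metadata is missing so they get a manual check instead of a silent pass.

```python
import json


# Constructed CycloneDX-style SBOM fragment (invented package names, not a
# real project's bill of materials).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "left-pad-example", "version": "1.3.0",
     "purl": "pkg:npm/left-pad-example@1.3.0"},
    {"type": "library", "name": "scoped-example", "version": "2.0.1",
     "purl": "pkg:npm/%40acme/scoped-example@2.0.1"},
    {"type": "library", "name": "express-example", "version": "4.19.2",
     "purl": "pkg:npm/express-example@4.19.2"},
    {"type": "library", "name": "requests-example", "version": "2.32.0",
     "purl": "pkg:pypi/requests-example@2.32.0"},
    {"type": "library", "name": "tiny-util-example", "version": "0.0.3",
     "purl": "pkg:npm/tiny-util-example@0.0.3"}
  ]
}'''

# Constructed maintainer counts keyed by version-less purl. In a real audit
# this table comes from registry metadata (for npm, the `maintainers` array
# of the package document); it is hard-coded here so the example runs offline.
MAINTAINER_COUNTS = {
    "pkg:npm/left-pad-example": 1,
    "pkg:npm/%40acme/scoped-example": 1,
    "pkg:npm/express-example": 6,
    "pkg:pypi/requests-example": 3,
    # "pkg:npm/tiny-util-example" is deliberately absent: unknown metadata
}


def strip_version(purl):
    """Return the purl without its version, qualifiers or subpath.

    purl percent-encodes an npm scope as %40scope, so the last '@' in the
    string is always the version separator.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, _version = base.rpartition("@")
    return name if sep else base


def audit_sbom(sbom_json, maintainer_counts, threshold=1):
    """Flag components with at most `threshold` maintainers.

    Returns the flagged components, the components with no maintainer
    metadata (they need follow-up rather than being treated as safe), and
    the share of all components that are single-maintainer.
    """
    components = json.loads(sbom_json).get("components", [])
    flagged, unknown = [], []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            unknown.append(comp.get("name", "<unnamed>"))
            continue
        key = strip_version(purl)
        count = maintainer_counts.get(key)
        if count is None:
            unknown.append(key)
        elif count <= threshold:
            flagged.append((key, count))
    total = len(components)
    return {
        "total": total,
        "single_maintainer": flagged,
        "unknown": unknown,
        "single_maintainer_share": round(len(flagged) / total, 2) if total else 0.0,
    }


def format_report(result):
    """Render the audit result as plain text for a ticket or review note."""
    lines = [f"Components scanned: {result['total']}",
             f"Single-maintainer share: {result['single_maintainer_share']:.0%}"]
    for key, count in result["single_maintainer"]:
        lines.append(f"  FLAG  {key} (maintainers: {count})")
    for key in result["unknown"]:
        lines.append(f"  CHECK {key} (no maintainer metadata)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_sbom(SBOM_JSON, MAINTAINER_COUNTS)))
```

The script keys on the version-less purl so that every version of a package maps to the same maintainer record, and it reports missing metadata as its own category: an unknown maintainer count is exactly the case an audit should not let through as a default pass.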
Cultural shifts:
- Include maintainer support in security reviews, not just code audits
- Replace “hobbyist” language with “infrastructure steward” in internal documentation
- Offer contractor positions to critical maintainers rather than expecting free support
The window for action is narrowing: with burnout accelerating and the contributor pipeline shrinking, 2025 may be the last year to stabilize critical infrastructure before cascading failures begin.