Thought Leadership
Oct 8, 2025

The Danger of Legacy Containers in Open Source

When Bitnami’s container catalog went dark, thousands of open-source deployments were left running unpatched software. Here’s what that means—and how to stay secure.


History of Bitnami

Bitnami is a well-regarded provider of prepackaged application stacks that makes it simple to deploy open source software on-premises and across clouds. Bitnami bundles applications with all required dependencies into ready-to-run Docker containers and Helm charts, streamlining installs for tools like WordPress, Drupal, and many enterprise applications.

In 2019 VMware acquired Bitnami, and Bitnami’s extensive open source container library, to accelerate application delivery, expand VMware’s Kubernetes capabilities, and position Bitnami’s packaging expertise as a complement to VMware’s existing developer and infrastructure tooling.

When Broadcom completed its acquisition of VMware in late 2023, the purchase brought Bitnami under Broadcom’s control, triggering a strategic shift for Bitnami from the more open, community-focused distribution model toward a tighter, commercially driven approach. 

What Has Changed

In July 2025, Broadcom announced the phase-out of Bitnami’s longstanding open source community container catalog. Broadcom detailed a plan to move most of the containers from the Bitnami Docker registry into an archived Bitnami Legacy Docker repository, where they would receive no further updates, effectively rendering them end-of-life, or EOL.

This move has unfortunately left many upstream open source developers scrambling, including many Apache projects, such as Superset and Airflow.

To the dismay of open source security experts, many teams are opting to keep pulling Bitnami containers from the EOL Bitnami Legacy registry because it avoids the immediate work of migration. Currently, there are over 4,500 files on GitHub that reference the EOL Bitnami Legacy registry in Dockerfiles, Helm charts, CI/CD workflows, and more.

Many official Helm charts published by vendors such as Atlassian and Mesosphere continue to rely on containers from the EOL Bitnami Legacy registry. Teams deploying these official vendor charts are unknowingly running abandoned open source software in their environments.

These containers in the EOL Bitnami Legacy registry will no longer receive security patches or maintenance, leaving these deployments exposed to unpatched CVEs and newly discovered vulnerabilities. Running version‑pinned containers from an archived, stagnant registry creates a false sense of stability while dramatically increasing security risk. 
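As an added example (not code from the article, Bitnami, or HeroDevs), the following Python scan walks Dockerfile, Helm values, and CI workflow text and flags every image reference that resolves to the archived repository, reporting whether the reference is version-pinned, since a pinned tag pulled from a frozen repository looks stable but will never be patched. It assumes the archived images live under the docker.io/bitnamilegacy namespace, which the article does not name, and the sample files are constructed for the example.

```python
import re
from typing import NamedTuple, Optional
# Assumption (the article does not name the repository): archived images live under docker.io/bitnamilegacy.
LEGACY_NAMESPACES = {"docker.io/bitnamilegacy"}
HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}
# Dockerfile FROM lines plus YAML `image:`/`repository:` values; Bitnami-style charts split
# registry/repository/tag into separate keys, so a repository line may carry no tag.
REF_LINE = re.compile(
    r"^[ \t]*(?:FROM[ \t]+(?:--platform=\S+[ \t]+)?|-?[ \t]*(?:image|repository):[ \t]*)"
    r"[\"']?(?P<ref>[A-Za-z0-9][\w./:@-]*)", re.MULTILINE | re.IGNORECASE)

class Finding(NamedTuple):
    source: str
    line: int
    ref: str
    pinned: bool  # fixed tag or digest: looks stable, but will never be patched again

def tag_of(ref: str) -> Optional[str]:
    """Tag or digest of a reference, or None; a tag can only follow the final path component."""
    base, _, digest = ref.partition("@")
    last = base.rpartition("/")[2]
    return digest or (last.split(":", 1)[1] if ":" in last else None)

def namespace_of(ref: str) -> str:
    """Normalize to 'registry/namespace' so Hub aliases and implicit docker.io compare equal."""
    name, _, last = ref.partition("@")[0].rpartition("/")
    parts = (name.split("/") if name else []) + [last.split(":", 1)[0]]
    first = parts[0]
    explicit = len(parts) > 1 and ("." in first or ":" in first or first == "localhost")
    registry, parts = (first, parts[1:]) if explicit else ("docker.io", parts)
    registry = "docker.io" if registry in HUB_ALIASES else registry
    return f"{registry}/{parts[0] if len(parts) > 1 else 'library'}"

def scan(source: str, text: str) -> list[Finding]:
    """Report every reference in one file that resolves to an archived Bitnami Legacy namespace."""
    findings = []
    for m in REF_LINE.finditer(text):
        ref = m.group("ref")
        if namespace_of(ref) in LEGACY_NAMESPACES:
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(source, line, ref, tag_of(ref) not in (None, "latest")))
    return findings

def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for name, text in files.items() for f in scan(name, text)]

SAMPLES = {  # constructed inputs for this example, not real project files
    "Dockerfile": "FROM docker.io/bitnamilegacy/postgresql:16.3.0\nRUN echo ok\n",
    "values.yaml": "image:\n  registry: docker.io\n  repository: bitnamilegacy/redis\n  tag: 7.2.5\n",
    "ci.yml": "jobs:\n  test:\n    container:\n      image: ghcr.io/apache/superset:4.1.1\n",
}
```

Running `scan_all(SAMPLES)` flags the Dockerfile and the Helm values file but not the workflow; in a real repository, feed it the contents of every Dockerfile, `values.yaml`, and workflow file under version control.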

In addition to leaving infrastructure vulnerable, relying on the EOL Bitnami Legacy registry is only a temporary solution. Broadcom has signaled that they do not plan to maintain the EOL Bitnami Legacy registry indefinitely.

Teams that still rely on Bitnami containers, especially those pulled from the Bitnami Legacy registry, should migrate to upstream, actively maintained community containers, or engage open source security specialists like HeroDevs for ongoing support and secure backporting of EOL open source software, rather than continuing to run unsupported legacy containers.

Author
Hayden Barnes
Senior Open Source Partner Manager