by abharya 2023 days ago
- Other metrics such as how many contributors and organizations are involved, and how many user feature requests and bugs are getting reported, are all important measures of project importance, not just "dependency count". Some projects can be standalone, so as per your algo, those should be very low.
- Downloads data is not available for most repos; please find a reliable metric to use.
- Package repo dependencies work, but it does not work for C/C++. At some point, we will integrate GitHub's dependency count info as well.

So basically the algorithm is designed to not find projects that are critical because they are deep in the foundations, depended on by nearly everyone but only worked on by a few people? (which is what "critical" would suggest at least to me) This seems to be mostly a "github marketing index"...

I seriously hope no actual decisions about resource allocation etc. are made based on this.

We are working on this problem, it is not simple. Identifying dependency trees reliably across languages is not straightforward [only nice for package manager ones]. Follow https://github.com/ossf/criticality_score/issues/8
You didn’t identify certifi, urllib3, chardet or pytz in your top 10 critical Python dependencies. These are all highly downloaded packages, mostly maintained by one person, which are totally critical to millions of other packages and the Python ecosystem as a whole.

A few of your top-10 I can agree with, but when you’re saying a home-automation package (“core”) is more critical than something like pytz then something has gone terribly wrong.

Filed https://github.com/ossf/criticality_score/issues/20; we will fix this, and have an idea on the issue.