by prmoustache 765 days ago
What if the library's new features aren't useful to your project and do not correct any bug you might hit in your use case?
2 comments

If you're going to audit your dependencies sufficiently to know that then you don't need a tool like this anyway?
A tool like that won't replace auditing dependencies.

The total age of dependencies tells you nothing useful.

Nor did I claim it would. If you are auditing your dependencies like that then you don't need it, I said, as in it's not going to give you any extra information.

If you're not, and very many people are not, then total age of dependencies is a decent low-effort approximation for the probability of bug fixes affecting parts of dependencies that you're using.
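To make the metric being argued about concrete, here is an added example (not code from the thread or from any tool it mentions). It computes a libyear-style "total age of dependencies" over a constructed manifest and, next to it, the thing the proxy stands in for: the fixes that shipped after the pinned version, with the ones the upstream project tagged as security fixes singled out. The definition of "age" as the gap between the pinned release date and the latest release date is my assumption, and every name, version, date and changelog entry below is made up.

```python
"""Added example: a libyear-style "total age of dependencies" proxy beside
the missed fixes it approximates. Assumption (mine, not the thread's): the
age of a dependency is the gap between the release date of the version you
have pinned and the release date of the newest available version. All data
below is constructed by hand; nothing is fetched from a package registry.
"""
from dataclasses import dataclass
from datetime import date

DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class Fix:
    released: date
    summary: str
    security: bool = False   # whether upstream tagged this entry as a security fix


@dataclass(frozen=True)
class Dependency:
    name: str
    installed_version: str
    installed_released: date   # release date of the version you have pinned
    latest_version: str
    latest_released: date      # release date of the newest available version
    fixes: tuple = ()          # changelog entries for releases newer than the pinned one


def age_days(dep):
    """Gap in days between the pinned release and the latest release (never negative)."""
    return max(0, (dep.latest_released - dep.installed_released).days)


def total_age_years(deps):
    """The low-effort proxy: gaps summed over all dependencies, in years."""
    return sum(age_days(d) for d in deps) / DAYS_PER_YEAR


def missed_fixes(dep, security_only=False):
    """Fixes released after the pinned version: what the age proxy stands in for.

    Whether any of them touch the functions your app actually calls is the
    question the proxy cannot answer; that still needs a look at the changelog.
    """
    gap = [f for f in dep.fixes if f.released > dep.installed_released]
    return [f for f in gap if f.security] if security_only else gap


def stalest(deps, n=3):
    """Dependencies with the largest gap, which is where a manual audit would start."""
    return sorted(deps, key=age_days, reverse=True)[:n]


# Constructed sample manifest; names, versions, dates and summaries are made up.
SAMPLE_DEPS = (
    Dependency("parserlib", "1.2.0", date(2021, 1, 1), "1.8.0", date(2023, 1, 1),
               fixes=(Fix(date(2021, 9, 1), "fix crash on empty input"),
                      Fix(date(2022, 4, 1), "fix out-of-bounds read in header parser", security=True),
                      Fix(date(2022, 12, 1), "speed up tokenizer"))),
    Dependency("httpclient", "3.0.0", date(2022, 6, 1), "3.0.0", date(2022, 6, 1)),
    Dependency("fmtutil", "0.9.1", date(2020, 3, 1), "0.9.2", date(2020, 3, 31),
               fixes=(Fix(date(2020, 3, 31), "correct padding of negative numbers"),)),
)

if __name__ == "__main__":
    print(f"total age: {total_age_years(SAMPLE_DEPS):.2f} libyears")
    for d in stalest(SAMPLE_DEPS):
        sec = missed_fixes(d, security_only=True)
        print(f"{d.name}: {age_days(d)} days behind, "
              f"{len(missed_fixes(d))} fixes missed, {len(sec)} tagged security")
```

On the constructed data the total comes out to about 2.08 libyears, almost all of it from one dependency that is also the only one with a security-tagged fix in its gap; the zero-gap dependency contributes nothing to either number. That is the sense in which the sum is a proxy: it ranks where to look, not whether what you find there matters to your code.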

What if security fixes are useful to your project?
I count security fixes with "bugs that you would hit in your use case".

I don't care about CVEs that only affect functions my app does not use.