by woodruffw 363 days ago
This should come with a heavy caveat: it’s based on heuristics, and heuristics can be wrong (at best) or maliciously gamed (at worst).

I wish companies would take a simpler approach: stop intermediating your open source interactions through middlemen, and work directly with your upstreams. You might discover that you have too many to work with, in which case you’ve laid the problem bare rather than obscuring it with metrics and policies.

2 comments

Thanks for the feedback, shouldiuse.dev gave us a lot of information at first glance.
Can you explain/expand?
If you have a dependency that is simple and stable, it could appear unmaintained since it doesn't have a lot of recent commits, bug reports, comment history, etc.

If a library author wants to make their package "look" maintained for some reason, they could generate superfluous commits and open and close fake bug reports. This could be a "good" signal to the heuristic, but has no real-world benefit, or in the worst case could be used to lend credibility to a package with known vulnerabilities.

We actually check how many different organizations the last committers belong to and analyze whether the most recent commits have been done by bots (like renovate or dependabot).
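To make the two checks mentioned above concrete, here is an added example (not shouldiuse.dev's code) that separates bot commits from human ones and counts distinct committer organizations over a constructed sample of recent commits; the commit data, author names and domains are all made up for illustration.

```python
import re

# Constructed sample: (author name, author email, commit subject) for the
# most recent commits of a hypothetical package, newest first.
SAMPLE_COMMITS = [
    ("renovate[bot]", "29139614+renovate[bot]@users.noreply.github.com",
     "chore(deps): update lodash to v4.17.21"),
    ("dependabot[bot]", "49699333+dependabot[bot]@users.noreply.github.com",
     "build(deps): bump minimist"),
    ("Alice Example", "alice@example-corp.com", "fix: handle empty input in parser"),
    ("Bob Example", "bob@example-corp.com", "docs: clarify README"),
    ("renovate[bot]", "29139614+renovate[bot]@users.noreply.github.com",
     "chore(deps): update actions/checkout"),
]

# Matches GitHub-style "[bot]" author names and the common dependency bots
# by name, whether they appear in the author field or the e-mail local part.
BOT_PATTERN = re.compile(r"\[bot\]$|(^|\W)(renovate|dependabot)(\W|$)", re.IGNORECASE)


def is_bot(name, email):
    """True if either the author name or e-mail looks like a dependency bot."""
    return bool(BOT_PATTERN.search(name) or BOT_PATTERN.search(email))


def org_of(email):
    """Approximate the committer's organization by e-mail domain.

    Forge no-reply addresses reveal nothing about an employer, so they are
    treated as unknown (None) rather than counted as a distinct organization.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    if domain.endswith("noreply.github.com"):
        return None
    return domain


def summarize(commits):
    """Count bot vs. human commits and distinct organizations among humans."""
    human = [(name, email) for name, email, _ in commits if not is_bot(name, email)]
    orgs = {org_of(email) for _, email in human} - {None}
    return {
        "total": len(commits),
        "bot_commits": len(commits) - len(human),
        "human_commits": len(human),
        "distinct_orgs": len(orgs),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_COMMITS))
```

A high bot share with few distinct organizations is exactly the kind of signal the thread warns about: it can reflect a small, stable project just as easily as a package being dressed up to look maintained, so the numbers prompt a closer look rather than a verdict.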