[whatisthiseven]

I don't think I have ever used stars in making a decision to use a library and I don't understand why anyone would.

Here are the things I look at in order:

* last commit date. Newer is better

* age. old is best if still updating. New is not great but tolerable if commits aren't rapid

* issues. Not the count, mind you, just looking at them. How are they handled, what kind of issues are lingering open.

* some of the code. No one is evaluating all of the code of libraries they use. You can certainly check some!

What does stars tell me? They are an indirect variable caused by the above things (driving real engagement and third interest) or otherwise fraud. Only way to tell is to look at the things I listed anyway.

I always treated stars like a bookmark "I'll come back to this project" and never thought of it as a quality metric. Years ago when this problem first surfaced I was surprised (but should not have been in retrospect) they had become a substitute for quality.

I hope the FTC comes down hard on this.

Edit:

* commit history: just browse the history to see what's there. What kind of changes are made and at what cadence.

[bsuvc]

> I don't think I have ever used stars in making a decision to use a library and I don't understand why anyone would

I do it all the time, whenever there are competing libraries to choose among.

It's a heuristic that saves me time.

If one library has 1,000 stars and the other has 15, I'm going to default to the 1,000 stars.

I also look at download count and release frequency. Basically I don't want to use some obscure dependency for something critical.

[swiftcoder]

> If one library has 1,000 stars and the other has 15, I'm going to default to the 1,000 stars.

There are clearly inflection points where stars become useful, with "nobody has ever used this package" and "Meta/Alphabet pays to develop/maintain this package" on the two extremes.

I'm less sure what the signal says in-between those extremes. We have 2 packages, one has 5,000 stars, the other has 10,000 stars - what does this actually tell me, apart from how many times each has gone viral on HN?

[bigiain]

At the 10,000 star level, my worry is going to be how tempting a target it is for a supply chain attack. (Most likely via one of it's dependencies.)

[bonesss]

If the goals relate to maintenance and viability, we’re looking for a minimum threshold of implementation. Amazon and Microsoft have a lot of stars, both have ‘more than enough’ to care.

If the goals are marketing or targeting or mass-market appeal or hiring pools then those stars say something else.

[nradov]

And that's fine if you're just writing a toy program for personal use. But it's deeply problematic if you have to rely on that library for anything important. This type of lazy approach to the software bill-of-materials has gotten a lot of organizations into trouble with exploitable security flaws.

[godelski]

  > It's a heuristic that saves me time.

Sounds like it is wasting your time.

Just because you make a decision quicker doesn't mean you saved any time. It is good to save time, but not at the sake of quality. You spend more buying cheap boots, and they don't even keep your feet dry.

[matt_kantor]

> If one library has 1,000 stars and the other has 15, I'm going to default to the 1,000 stars.

Will you continue to do this after reading TFA?

[hnben]

<10 Stars is a strong signal, that a repo is not relevant to anyone except maybe the maintainer. This fact does not change even if other repos have bough 10.000 stars.

[matt_kantor]

I don't know how often this happens, but what about repositories that would "naturally" have <10 stars if not for buying them? Is the signal you're referring to still useful if it can be artificially silenced by spending some money?

[hartbook]

why would it be a strong signal? have you ever starred a project? I don't

[system2]

More stars = More followers = More people interested and contribute. Even with fake, there will be more people joining the project because they are duped. Still though it is going to get more attention.

[abustamam]

I will. I have other heuristics too, like there are plenty of starred libraries that are just hard to use or don't actually fit my use case. But if I choose the 1000 star one and it works easily, then cool. If it doesn't, I'll try the 15 star one. If it works, cool. If not, then I'll probably end up vibe coding my own thing.

[manquer]

Why not? Buying stars is also a positive signal on commitment.

i.e. if the maintainer is serious enough to buy stars, is not in theory likely to spend time /money in maintaining /improving the project also ?.

Presumably he wouldn't just want fake users but also real users, which is a signal than a just purely hobby project, that is vibe-coded on a whim over a weekend and abandoned?

[kylecazar]

It's a positive signal for fraud and willingness to deceive.

[justcool393]

> i.e. if the maintainer is serious enough to buy stars, is not in theory likely to spend time /money in maintaining /improving the project also ?.

i mean if maintainers clearly spend much more time and effort on fraud than actually improving the project, why should I at all believe they would, let alone trust their judgement with regards to other things such as technical choices for example

[LtWorf]

The problem is that you will mis-evaluate unknown projects that aim to be (or already are) VC funded.

[whatisthiseven]

> It's a heuristic that saves me time.

A bad one.

I listed many other useful heuristics. Do you not find value in them? Do you find stars more valuable than them?

Take a moment to consider stars as a useful metric may only be useful for packages created prior to ~2015 when they weren't such a strong vanity metric, and are already very well established. This is preconditioning you to think "stars can still sometimes be useful, because I took a look at Facebook's React GH and it has a quarter million stars".

Sure, it's useful for that. But you aren't going to evaluate if the "React" package is safe. You already trivially know it is.

You'll be evaluating packages like "left-pad". Or any number of packages involved in the latest round of supply chain attacks.

For that matter, VCs are the ones stars are being targeted at, and potential employers (something this article doesn't cover, but some potential hires do hope to leverage on their resume).

If you are a VC, or an employer, it is a negative metric. If you are a dev evaluating packages, it is a vacuous metric that either tells you what you already know, or would be better answered looking at literally anything else within that repo.

The article also called out how download count can be faked trivially. I admit I have relied upon this in the past by mistake. Release frequency I do use as one metric.

When I care about making decisions for a system that will ingest 50k-250k TPS or need to respond in sub-second timings (systems I have worked on multiple times), you can bet "looking at stars" is a useless metric.

For personal projects, it is equally useless.

I care about how many tutorials are online. And today, I care more about if there was enough textual artifacts for the LLMs to usefully build it into their memory and to search on. I care if their docs are good so I spend less tokens burning through their codebase for APIs. I care if they resolve issues in a timely manner. I care if they have meaningful releases and not just garbage nothings every week.

I didn't mean for this to sound like a rant. But seriously, I just can't imagine in any scenario where "I look at stars" as a useful metric. You want to add it to the list? Sure. That is fine. But it should not be a deciding factor. I have chosen libraries with less stars because it had better metrics on things I cared about, and it was the correct choice (I ended up needing to evaluate them both anyhow. But I had my preference from the start).

Choosing the wrong package will waste you so much more time. Spend the 5 minutes evaluating for stuff that is important to your project.

[strbean]

Having stars isn't a positive metric, it's more that not having stars is a disqualifier unless I want to use someones brand new toy.

My first scan of a GitHub repository is typically: check age of latest commit, check star count, check age of project. All of these things can be gamed, but this weeds out the majority of the noise when looking for a package to serve my needs. If the use case is serious, proper due diligence follows.

[oreally]

This behavior is similar from the time I played a very popular mmorpg - when people selected others for their groups, their criteria deferred to the candidate's analyzed gameplay records (their 'logs') on a website which boiled down to a number showing their damage dealt and the color of it's text.

There was nothing about going into the logs to see if they could do the game's mechanical challenges, minimizing their damage taken. It made for a worse environment yet the players couldn't stop themselves from using such criteria.

In short, humans are lazy and default to numbers and colors when given the chance. When others question them on it, they can have a default easy answer of being part of the herd of zebras to get out of trouble.

[doctorpangloss]

you're arguing with people who are fundamentally unempathetic. it's a lot of words spent on vamping about stars instead of contributing to stuff everyone actually uses, which hardly anyone does, which should tell you everything you need to know about the value of having open source users: most of them only care that something is free as in beer.

[bsuvc]

Are you suggesting that because I consider stars, I must be a freeloader?

[creesch]

> * last commit date. Newer is better

To be honest, these days I have more faith in an application or library with a moderate development pace where maybe the last commit wasn't 2 seconds ago co-authored by claude (in the most blatant examples).

The same is true for amount of commits, the type of commits, release cadence and the amount of fixes and hotfixes in releases. I don't feel like being a glorified alpha tester so I look for maturity in a project.

Which more often than not means that, yes there needs be activity. But, it is also fine if it was two days ago and there is a clear sign of the same pattern over a longer period. Combined with a stable release cycle, sane versioning and clear changelogs that aren't just a list of the last 10 commit messages.

On your point of stars, I think they used to be a valid metric in a similar category. Namely, community behind the software. But it has been a while since that has been true. It certainly hasn't been for a while, ever since I saw these star tracking graphs pop up on repos I knew that there was no sense in paying attention to them anymore.

[baranul]

There is truth in that. A lot of claude co-authored repos look frantic and unstable. It will still depend on the contributors managing things properly to maintain stability and not succumb to AI addiction and insanity.

> community behind the software

Right. You can't just look at stars. You have to look to see that there is an actual community, along with other contributors.

[lukasgelbmann]

I use stars to try and protect myself from dependency confusion attacks.

For example, let’s say I want to run some piece of software that I’ve heard about, and let’s say I trust that the software isn’t malware because of its reputation.

Most of the time, I’d be installing the software from somewhere that’s not GitHub. A lot of package managers will let anyone upload malware with a name that’s very similar to the software I’m looking for, designed to fool people like me. I need to defend against that. If I can find a GitHub repo that has a ton of stars, I can generally assume that it’s the software I’m looking for, and not a fake imitator, and I can therefore trust the installation instructions in its readme.

Except this is also not 100% safe, because as mentioned in TFA, stars can be bought.

[whatisthiseven]

Sure, I suppose that is one solution, but given that buying stars has been around for at least 5 years, and I have been aware of people faking stars for longer than that, I am not sure why you would rely on stars as a primary metric.

There are many other far more useful metrics to look at first, and to focus on first, and to think about. Every time you think about stars, you'll forget the other stuff, or discount it in favor of stars.

Forget stars. They now no longer mean anything. Even if they did before, they don't anymore.

[ziml77]

Interesting that 5 years ago is exactly when this page showed up according to the Wayback Machine: https://docs.github.com/en/get-started/exploring-projects-on...

In it they explicitly call it out as a ranking metric

> Many of GitHub's repository rankings depend on the number of stars a repository has. In addition, Explore GitHub shows popular repositories based on the number of stars they have.

Yet another case of metric -> target -> useless metric

[MrSandingMan]

What does "TFA" mean here please?

[alternatetwo]

I think it's "The fucking article".

[inanutshellus]

Yes and to be clear, one uses "TFA" to imply annoyance that TFA hasn't been read.

e.g. "TFA covers this already."

[lukasgelbmann]

That’s not something I wanted to imply. It can also stand for "the fine article". Is there a better shorthand for "the article linked at top of the page" / "the original article"?

[inanutshellus]

And for clarity to @lukasgelbmann - I answered the questioner that clearly didn't know the term. I wasn't referring to your usage of it.

Context and tone tell the reader whether it's used "normally", tongue-in-cheek, or neutrally. ~\_O_/~

To ESL folk out there - the "F" definitely never means "fine". It's a cute and crass ... just like America. ;^)

[ssl-3]

TFA works fine either way. It's OK that it is subject to interpretation.

[inanutshellus]

Nope, one simply says "the article".

[tom_]

The article. Pick whatever adjective you like beginning with F!

[AgentMatt]

The featured article.

[bsuvc]

The fucking article.

[psychoslave]

You call these baubles, well, it is with baubles that men are led... Do you think that you would be able to make men fight by reasoning? Never. That is only good for the scholar in his study. The soldier needs glory, distinctions, and rewards.

https://en.wikiquote.org/wiki/Napoleon

[p2detar]

Totally agree with you. I think Github "stars" are a relic of the past. They should be renamed to "Bookmarks" and exist as a tool for users to just mark interesting repositories. By no means should a repository keep a count of how many people bookmarked it. It makes no practical sense. Active maintainers and commit dates are much better metric.

[dredds]

> Active maintainers and commit dates are much better metric.

But in an age of bots/agents, that's just kicking the can down the road by making it easier to fudge regular activity of practically zero importance. Even worse for the ecosystem than paid like counts.

[onlyrealcuzzo]

As someone else pointed out... When commits are this cheap, if that's the metric to be gamed, it will be gamed.

You just create 5 GitHub accounts, and spread your Claude Code commits to 5 separate accounts to make it look like there's 5 active contributors.

If anything, we're better off with a fake star economy that is the main thing most people are trying to game, so the signal to noise can still be that it (at least so far) seems pretty easy to tell how many REAL active contributors there are.

Though, I should note, 2 heads are not always better than 1.

I'm more interested in a repository that has commits only from two geniuses than a repository that has 100s of morons contributing to it.

[grayhatter]

> some of the code. No one is evaluating all of the code of libraries they use. You can certainly check some!

I do.

I don't review the whole repo, but every single time I update dep versions, I always look at the full diff between the two. It doesn't take that long

[nozzlegear]

> I always treated stars like a bookmark "I'll come back to this project" and never thought of it as a quality metric. Years ago when this problem first surfaced I was surprised (but should not have been in retrospect) they had become a substitute for quality.

Same here. I've starred over 1500 projects on Github over the years, and only because I wanted to save them for later use or as a reference for something I was working on. These days I'll occasionally use the star metric as a signal to avoid certain projects as overhyped (especially if the project has a stars-per-day meter).

[netdevphoenix]

> I don't think I have ever used stars in making a decision to use a library and I don't understand why anyone would.

You might not have but the makers of dependencies that you use might so still problematic.

[whatisthiseven]

True, but that is beyond my control. I am not evaluating every package within a dependency tree unless something happens, out of practicality.

I have limited time on this Earth and at my employer. My job is not critical to life. I am comfortable with this level of pragmatism.

[netdevphoenix]

The same response applies to the dependencies that you choose.

[toss1]

>>The FTC's 2024 rule banning fake social influence metrics carries penalties of $53,088 per violation - and the SEC has already charged startup founders for inflating traction metrics during fundraising

Six million fake stars is just what this small crew found, likely in a matter of hours.

A fine of $53,088 times six million is 318.528 billion.

Just going hard after a small portion of that should both put an end to it and a slight dent in the deficit.

This kind of fraud is rampant because everyone concludes the way to win is not to make a real advance, but to simply game the system. Seems they are not wrong because the lack of enforcement makes the rules meaningless.

[kevinsync]

I usually use stars as bookmarks to maybe come back to some repo I thought looked interesting a year later. Terrible metric to invest based on!

[q3k]

I also never in my career have consciously looked at the GH star counter on a repo, let alone used it to make decisions.

Instead I look at (in addition to the above):

1. Who is the author? Is it just some person chasing Internet clout by making tons of 'cool' libraries across different domains? Or are they someone senior working in an industry sector from which project might actually benefit in expertise?

2. Is the author working alone? Are there regular contributors? Is there an established governance structure? Is the project going to survive one person getting bored / burning out / signing an NDA / dying?

3. Is the project style over substance? Did it introduce logos, discord channels, mascots too early? Is it trying too hard to become The New Hot Thing?

4. What are the project's dependencies? Is its dependency set conservative or is it going to cause supply chain problems down the line?

5. What's the project's development cadence? Is it shipping features and breaking APIs too fast? Has it ever done a patch release or backported fixes, or does it always live at the bleeding edge?

6. NEW ARRIVAL 2026! Is the project actually carefully crafted and well designed, or is it just LLM slop? Am I about to discover that even though it's a bunch of code it doesn't actually work?

7. If the project is security critical (handles auth, public facing protocol parsing, etc.): do a deeper dive into the code.

[rpdillon]

Agree! My longstanding metric uses just two values:

* Most recent commit

* Total number of commits

This might have to die in the era of AI, but it's served me well for a long time. Rather than how many people are paying attention, it tries to measure the effort put in.

[creesch]

> This might have to die in the era of AI,

Sadly that is probably true.

At the very least I'd add release cadence to it and the quality of releases. Mature, good software will have hotfixes and patch releases every now and then. But not in every release and certainly not 50% of the changes. In the same sense I will often look at the effort put in changelogs. If they took the effort of putting things in category, writing about possible breaking changes, etc it is a possible indicator of some level of quality. At the very least I will have a lot more faith in software with good changelogs compared to something that is just a list of the last N commit messages.

[notamario]

With this approach, which I wholly agree with, many stars means approximately nothing, but few stars signals risk.

It’s a bloom filter of sorts for finding the right library.

[Brian_K_White]

But to someone else, it is a meaningful metric that you bookmarked something. It doesn't matter that the star isn't you saying you liked something. It's already telling enough merely that you wanted to bookmark it.

It's only not meaningful because of how other people can game it and fabricate it, but everything you just said, if it was only people like you, that would be a very meaningful number.

It doesn't even matter why you bookmarked it, and it doesn't matter that whatever the reason was, it doesn't prove the project as a whole is overall good or useful. Maybe you bookmarked it because you hate it and you want to keep track of it for reference in your ted talk about examples of all the worst stuff you hate, but really by the numbers adding up everyone's bookmarks, the more likely is that you found something interesting. It doesn't even matter what was interesting or why. The entire project could be worthless and the thing you're bookmarking was nothing more than some markdown trick in the readme. That's fine. That counts. Or it's all terrible, not a single thing of value, and the only reason to bookmark it is because it's the only thing that turned up in a search. Even that counts, because that still shows they tried to work on something no one else even tried to work on.

It's like, it doesn't matter how little a given star means, it still does mean something, and the aggregation does actually mean something, except for the fact of fakes.

[whatisthiseven]

> it still does mean something

Yes...which is why I said it is an indirect variable, as caused by the other things I pointed out above. Age, quality, code, utility, whether issues are addressed, interest, etc. Or fraud. Pretty cut and dry.

FWIW, I almost never star repos. Even ones I use or like. I don't see the utility for myself.

Aim for a more concise post and don't couch your statements in doubt next time if you want a productive conversation, because I don't know what you are trying to say.

[eek2121]

Honestly, anyone using Github as a basis for hiring to begin with is approaching hiring with flawed thinking. Github isn't the only source for git, and git isn't the only standard for version control. Further, Github has been pushing companies AWAY from the platform thanks to high costs and other nonsense. I've seen more than one company either run a local git server or something like a local git lab instance. Using github as a metric just ensures that you eliminate anyone not using github. That includes many amazing open source devs, for example.

[account42]

Except companies aren't looking for the smartest programmer, they looking for a cog to fit into a spot in the machine. In that sense, evaluation someone on how well they do on the de-facto standard platform makes sense, unfortunately.

[gauravsc]

They're doing it for VCs because VCs consider it proof of traction. They're not doing it to impress you and they don't care whether you check stars or not.