Methodology
The scoring model is fully declarative: weights, thresholds, and exclusion rules live in pipeline/config/scoring.yml and every change bumps methodology_version. The pipeline regenerates the public-data/ bundle consumed by this site on every run.
Two pillars
Importance (0-100)
Ecosystem-relative log percentile of three signals.
- Dependency reach (0.60 weight) — downstream dependents via deps.dev
- Download volume (0.25 weight) — registry 90-day downloads
- Security exposure (0.15 weight) — OSV + transitive vuln counts
Fragility (0-100)
Seven signals blended by weight; each 0-100.
- Release recency (0.25) — 90-540 day ramp, paired-signal only
- Commit recency (0.20) — 30-365 day ramp
- Release cadence decay (0.15)
- Issue responsiveness (0.15) — median first response
- All-time contributor concentration (0.08) — top-1 share 0.30-0.90 ramp
- Recent contributor concentration (0.07) — top-1 share 0.30-0.90 ramp
- OpenSSF Scorecard aggregate (0.10)
Severity tiers
Tier ladder: Critical → High → Elevated → Watch → Stable → Unrated. Unrated is confidence-driven: any confidence = low row is forced to Unrated regardless of score.
- Stable: risk 0-14 when confidence is medium/high
- Watch: risk 15-24 when confidence is medium/high
- Elevated: risk 25-29 when confidence is medium/high
- High: risk 30-49 when confidence is medium/high
- Critical: risk 50-100 when confidence is medium/high
- Unrated: confidence is low (insufficient evidence quality)
Flagged definition
- Risk score ≥ 30 (risk = importance × fragility ÷ 100)
- Severity tier in (High, Critical)
- Confidence in (medium, high)
- At least 2 independent fragility signals ≥ 40, at least one not release_recency
- Top 25% importance within the ecosystem
If any condition is false, the package is ranked but not flagged. The pipeline enforces these rules via custom SQL checks on every run, not just in the UI.
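The tiering and flagged rules above, applied to constructed rows as an added example (this is not the pipeline's own code). Weights and thresholds are copied from this page; the assumptions are that risk is rounded to an integer before tiering (the tier bands are integer ranges) and that the ecosystem's top-25% importance cut-off is computed elsewhere and passed in.

```python
# Added example, not the pipeline's code. Weights/thresholds follow the page;
# rounding of risk and the importance_cutoff parameter are assumptions.
FRAGILITY_WEIGHTS = {            # seven fragility signals, each 0-100
    "release_recency": 0.25, "commit_recency": 0.20,
    "release_cadence_decay": 0.15, "issue_responsiveness": 0.15,
    "alltime_contributor_concentration": 0.08,
    "recent_contributor_concentration": 0.07, "scorecard": 0.10,
}
assert abs(sum(FRAGILITY_WEIGHTS.values()) - 1.0) < 1e-9
# Lower bound of each tier for medium/high confidence; low confidence is always Unrated.
TIER_FLOORS = [(50, "Critical"), (30, "High"), (25, "Elevated"), (15, "Watch"), (0, "Stable")]


def fragility(signals: dict[str, float]) -> float:
    """Weighted blend of the seven 0-100 signals."""
    return sum(w * signals[name] for name, w in FRAGILITY_WEIGHTS.items())


def risk(importance: float, frag: float) -> int:
    """risk = importance x fragility / 100, rounded to an integer (assumption)."""
    return round(importance * frag / 100)


def tier(risk_score: int, confidence: str) -> str:
    if confidence == "low":              # forced to Unrated regardless of score
        return "Unrated"
    return next(name for floor, name in TIER_FLOORS if risk_score >= floor)


def is_flagged(importance, signals, confidence, importance_cutoff) -> bool:
    """All five flagged conditions must hold. importance_cutoff is the ecosystem's
    top-25% importance boundary, assumed to be computed by the caller."""
    r = risk(importance, fragility(signals))
    strong = [name for name, v in signals.items() if v >= 40]
    independent = len(strong) >= 2 and any(n != "release_recency" for n in strong)
    return (r >= 30 and tier(r, confidence) in ("High", "Critical")
            and confidence in ("medium", "high")
            and independent and importance >= importance_cutoff)


# Constructed sample rows (not real packages).
STALE_AND_QUIET = {**dict.fromkeys(FRAGILITY_WEIGHTS, 20),
                   "release_recency": 70, "commit_recency": 60}   # fragility 40.5
STALE_ONLY = {**dict.fromkeys(FRAGILITY_WEIGHTS, 30), "release_recency": 90}  # 45.0

if __name__ == "__main__":
    for label, sig in (("stale+quiet", STALE_AND_QUIET), ("stale only", STALE_ONLY)):
        r = risk(80, fragility(sig))
        print(label, r, tier(r, "high"), is_flagged(80, sig, "high", 60))
```

The second row scores High on risk alone but is ranked, not flagged, because its only signal at or above 40 is release_recency.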
Exclusions
- stub_types — @types/*, *-stubs, types-*
- too_new — first release less than 12 months ago
- archived_deprecated — registry or GitHub archival flag
- unmappable — repository mapping confidence below medium bucket
Coverage this snapshot
| Ecosystem | Tracked | Eligible | Flagged | Unmappable | Archived | Too new | Stub types |
|---|---|---|---|---|---|---|---|
| npm | 100 | 95 | 3 | 0 | 4 | 0 | 1 |
| pypi | 100 | 94 | 3 | 4 | 2 | 0 | 0 |
Ingestion telemetry
This table shows whether each ingestion asset completed cleanly for the current snapshot. It is pipeline-run telemetry, not a verdict on every downstream package score. A partial or missing row means the asset had coverage gaps, failed, or emitted no usable telemetry for this run.
| Asset | Run status | Last full success | Freshness | Notes |
|---|---|---|---|---|
| deps_dev | complete | 2026-04-25T03:43:56Z | fresh | |
| github_commits | complete | 2026-04-25T03:44:22Z | fresh | |
| github_contributors | partial | — | needs review | github_contributors contributor pages truncated for 11/152 repos |
| github_issues | complete | 2026-04-25T03:46:19Z | fresh | |
| github_releases | complete | 2026-04-25T03:46:36Z | fresh | |
| github_repos | complete | 2026-04-25T03:44:00Z | fresh | |
| npm_registry | complete | 2026-04-25T03:43:15Z | fresh | |
| openssf_scorecard | complete | 2026-04-25T03:46:41Z | fresh | |
| osv | complete | 2026-04-25T03:44:07Z | fresh | |
| pypi_registry | complete | 2026-04-25T03:43:53Z | fresh | |