Scoring Methodology

How DepHealth calculates health scores and predicts abandonment risk

Component Weights

The health score (0-100) is a weighted combination of five components:

User-Centric (30%)

Adoption metrics - most predictive of package health

  • Weekly downloads
  • Dependent packages
  • GitHub stars

Maintainer Health (25%)

Active maintenance and sustainability

  • Days since last commit
  • True bus factor (contribution distribution)
  • PR merge velocity

Evolution (20%)

Development momentum with maturity adjustment

  • Release recency
  • Commit activity
  • Maturity factor for stable packages

Security (15%)

Security posture and vulnerability status

  • OpenSSF Scorecard
  • Known vulnerabilities
  • Security policy presence

Community (10%)

Contributor diversity and engagement

  • Total contributors
  • Issue response time

How We Score

Recency Signals

We use exponential decay functions so scores decrease smoothly over time, not in sudden steps.

  • Commit recency: 90-day half-life (50% score after 90 days inactive)
  • Release recency: 180-day half-life (more lenient for stable releases)

True Bus Factor

We analyze commit distribution to find the minimum contributors needed for 50% of commits. A project with 10 contributors where 1 person does 95% of work has a bus factor of 1, not 10.

Interpretation:
  • Bus factor 1: High risk - single point of failure
  • Bus factor 2-3: Moderate risk - small team
  • Bus factor 4+: Lower risk - distributed contributions

Maturity Factor

High-adoption packages with low activity aren't penalized - they're likely stable, not abandoned. Packages like lodash benefit from this.

Criteria: 1M+ weekly downloads OR 5K+ dependents with <10 commits/90d
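As an added example (not DepHealth's own code), the following Python sketches the recency decay, true bus factor and maturity gate described above and combines hypothetical component scores using the page's weights and risk bands. The "at least 50% of commits" cutoff and the 0.0-1.0 scale of each component score are assumptions; all other thresholds are the ones stated on this page.

```python
# Constructed illustration (not DepHealth's code) of three signals described on this
# page plus the weighted combination into a 0-100 score; thresholds come from the page.

WEIGHTS = {"user_centric": 0.30, "maintainer": 0.25, "evolution": 0.20,
           "security": 0.15, "community": 0.10}
COMMIT_HALF_LIFE_DAYS = 90     # commit recency half-life stated on the page
RELEASE_HALF_LIFE_DAYS = 180   # release recency half-life stated on the page

def recency_score(days_since: float, half_life_days: float) -> float:
    """Exponential decay: 1.0 when fresh, 0.5 after one half-life, no sudden steps."""
    return 0.5 ** (days_since / half_life_days)

def true_bus_factor(commits_by_author: dict) -> int:
    """Smallest number of contributors whose commits cover at least 50% of all commits."""
    total = sum(commits_by_author.values())
    if total == 0:
        return 0
    covered = 0
    for n, count in enumerate(sorted(commits_by_author.values(), reverse=True), 1):
        covered += count
        if 2 * covered >= total:          # integer compare, no covered/total float
            return n
    return len(commits_by_author)

def maturity_factor_applies(weekly_downloads: int, dependents: int, commits_90d: int) -> bool:
    """Page criteria: (1M+ weekly downloads OR 5K+ dependents) with <10 commits in 90 days."""
    high_adoption = weekly_downloads >= 1_000_000 or dependents >= 5_000
    return high_adoption and commits_90d < 10

def health_score(components: dict) -> float:
    """Weighted sum of the five component scores (assumed 0.0-1.0 each), scaled to 0-100."""
    return round(100 * sum(WEIGHTS[k] * components[k] for k in WEIGHTS), 1)

def risk_level(score: float) -> str:
    """Risk bands from the page: LOW 80-100, MEDIUM 60-79, HIGH 40-59, CRITICAL 0-39."""
    if score >= 80:
        return "LOW"
    if score >= 60:
        return "MEDIUM"
    if score >= 40:
        return "HIGH"
    return "CRITICAL"

if __name__ == "__main__":
    # Constructed sample: ten contributors, one author does ~95% of the work -> bus factor 1.
    commits = {"alice": 95, **{f"dev{i}": 1 for i in range(9)}}
    print(true_bus_factor(commits), recency_score(90, COMMIT_HALF_LIFE_DAYS))
```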

Security Assessment

We integrate OpenSSF Scorecard data and track known vulnerabilities by severity.

OpenSSF Scorecard (50%): Automated security practices assessment

Vulnerabilities (30%): CRITICAL=3x, HIGH=2x, MEDIUM=1x weight

Security Policy (20%): Has SECURITY.md with disclosure process

PR Merge Velocity

Measures maintainer responsiveness by tracking the ratio of merged to opened pull requests over the last 90 days.

Interpretation:
  • >80% merge rate: High maintainer responsiveness
  • ~50% merge rate: Moderate maintainer engagement
  • <30% merge rate: Potential maintainer overload or abandonment
  • No PRs: Neutral score (could indicate stable package)

Issue Response Time

Fast issue response time is a strong indicator of maintainer engagement and project health.

Scoring:
  • <24 hours: Perfect score (1.0)
  • 24-72 hours: High score (0.7-1.0)
  • >72 hours: Exponential decay
  • No data: Neutral score (0.5)

Bot Commit Filtering

We filter out commits from known bot accounts (Dependabot, Renovate, etc.) to get accurate human activity metrics.

Why it matters: Bot commits can artificially inflate activity metrics. We analyze real human contributions for more accurate health assessment.

Risk Levels

  • LOW (80-100): Healthy, well-maintained
  • MEDIUM (60-79): Monitor for changes
  • HIGH (40-59): Significant concerns
  • CRITICAL (0-39): Serious issues

Data Sources

deps.dev

Primary source for dependencies, dependents, advisories, OpenSSF scores

npm Registry

Downloads, maintainers, deprecation status, release dates

GitHub API

Commits, contributors, stars, issue response times, PR merge velocity, archived status

Confidence Levels & Intervals

Every score includes a confidence level and interval indicating data reliability:

  • HIGH: Complete data, package >1 year old, recently updated (±5 point interval)
  • MEDIUM: Some data missing or package 6-12 months old (±10 point interval)
  • LOW: Significant data gaps or stale information (±15 point interval)
  • INSUFFICIENT_DATA: Package <90 days old - scores unreliable

Confidence intervals: Wider intervals for lower data quality reflect increased uncertainty. A score of 75 with HIGH confidence has an interval of [70, 80], while LOW confidence might be [60, 90].

Limitations

DepHealth does NOT measure:

  • Code quality or test coverage
  • API stability or breaking changes
  • Actual usage patterns in your codebase
  • Zero-day vulnerabilities not in public databases
  • Commercial support availability

Scores are advisory - always review packages manually before making critical decisions.

Changelog

v3.0 - January 2026 (current)
  • Added issue response time signal to Community Health
  • Added PR merge velocity signal to Maintainer Health
  • Improved abandonment risk with Weibull survival analysis
  • Added confidence intervals based on data quality
  • Bot commit filtering for accurate activity metrics
v2.0 - January 2026
  • Added Security as 5th component (15% weight)
  • True bus factor from contribution distribution
  • Maturity factor for stable packages
  • Individual OpenSSF checks exposed in API
  • Rebalanced weights (Maintainer 25%, Evolution 20%, Community 10%)
v1.0 - December 2025
  • Initial release with 4-component scoring