Contributing to 7 open-source packages: **2M npm downloads/week** across the tracked ecosystem.

```text
$ npx oss-health-scan express lodash moment react

OSS Health Scan Results
──────────────────────────────────────────────────
Scanned: 4 packages
Average health: 72.5/100
● Critical: 0 ● Warning: 1 ● Healthy: 3

🟡 WARNING
moment   ██████████░░░░░░░░░░ 50.8/100  last push 582d ago  25.8M/wk

🟢 HEALTHY
react    ████████████████░░░░ 80.9/100  81.0M/wk
lodash   ████████████████░░░░ 79.6/100  102.7M/wk
express  ████████████████░░░░ 78.8/100  71.7M/wk
```
Zero dependencies. v1.5.0. Scans any npm package, scores 0–100, detects outdated versions (libyear), checks known CVEs via OSV.dev, auto-retries on failures, exits with code 1 on critical findings. GitHub GraphQL batching (1 API call for 50 packages). SARIF output for GitHub Code Scanning. Programmatic API for custom integrations. CI-ready.
npm audit finds CVEs. This finds abandoned packages, outdated deps, AND vulnerabilities — in one command.
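The libyear metric that `--outdated` reports is the number of years between the publish date of the version you have installed and the publish date of the latest version, summed over your dependencies. The block below is an added example (not the project's own `lib/outdated.js`) that computes it offline from registry-style data and classifies drift by semver distance; the package names, dates and the `current/patch/minor/major` drift classes are constructed for illustration.

```javascript
// Added example: libyear + drift classification over constructed registry data.
// Not the project's lib/outdated.js; the drift classes below are an assumption.

const MS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1000;

// Parse "MAJOR.MINOR.PATCH" (pre-release tags and build metadata are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// How far the installed version lags the latest: major > minor > patch > current.
function driftClass(installed, latest) {
  const a = parseSemver(installed);
  const b = parseSemver(latest);
  if (b.major > a.major) return 'major';
  if (b.major === a.major && b.minor > a.minor) return 'minor';
  if (b.major === a.major && b.minor === a.minor && b.patch > a.patch) return 'patch';
  return 'current';
}

// `registry` mimics the npm registry document shape: dist-tags.latest plus a
// `time` map of version -> ISO publish date. Unknown packages or missing dates
// are skipped rather than guessed, so the total is a lower bound.
function libyear(installed, registry) {
  const rows = [];
  let total = 0;
  for (const [name, version] of Object.entries(installed)) {
    const doc = registry[name];
    if (!doc) continue;
    const latest = doc['dist-tags'].latest;
    const from = Date.parse(doc.time[version]);
    const to = Date.parse(doc.time[latest]);
    if (Number.isNaN(from) || Number.isNaN(to)) continue;
    const years = Math.max(0, (to - from) / MS_PER_YEAR);
    total += years;
    rows.push({
      name,
      installed: version,
      latest,
      libyear: Math.round(years * 100) / 100,
      drift: driftClass(version, latest),
    });
  }
  return { rows, total: Math.round(total * 100) / 100 };
}

// Constructed sample input (hypothetical packages, not real registry data).
const INSTALLED = { 'pkg-a': '1.2.0', 'pkg-b': '2.0.0', 'pkg-c': '0.9.1' };
const REGISTRY = {
  'pkg-a': { 'dist-tags': { latest: '1.4.2' },
             time: { '1.2.0': '2022-01-01T00:00:00Z', '1.4.2': '2023-01-01T00:00:00Z' } },
  'pkg-b': { 'dist-tags': { latest: '3.1.0' },
             time: { '2.0.0': '2023-01-01T00:00:00Z', '3.1.0': '2024-01-01T00:00:00Z' } },
  'pkg-c': { 'dist-tags': { latest: '0.9.1' },
             time: { '0.9.1': '2024-05-05T00:00:00Z' } },
};

function sampleReport() {
  return libyear(INSTALLED, REGISTRY);
}

for (const row of sampleReport().rows) {
  console.log(`${row.name} ${row.installed} -> ${row.latest}: ${row.libyear} libyears (${row.drift})`);
}
```

A `major` drift with a high libyear is the combination worth triaging first: it usually means a breaking upgrade that nobody has scheduled, and the longer the gap the more likely the installed line has stopped receiving security backports.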
CLI flags
```bash
npx oss-health-scan                  # Scan ./package.json
npx oss-health-scan pkg1 pkg2        # Scan specific packages
npx oss-health-scan --dev            # Include devDependencies
npx oss-health-scan --outdated       # Show installed vs latest + libyear metric
npx oss-health-scan --vulns          # Check OSV.dev for known CVEs
npx oss-health-scan --unused         # Detect unused dependencies
npx oss-health-scan --json           # JSON output for CI
npx oss-health-scan --sarif          # SARIF 2.1.0 for GitHub Code Scanning
npx oss-health-scan --markdown       # Markdown table for PR comments
npx oss-health-scan --threshold 40   # Only unhealthy packages (score below 40)
npx oss-health-scan --sort name      # Sort by: score, name, downloads, risk
```

Programmatic API
```javascript
const { scanPackages, scanPackageJson } = require('oss-health-scan');

async function main() {
  // Scan specific packages
  const { results } = await scanPackages(['react', 'lodash', 'moment']);
  for (const r of results) {
    console.log(`${r.name}: ${r.health_score}/100 [${r.risk_level}]`);
  }

  // Scan a project's package.json, including devDependencies
  const project = await scanPackageJson('.', { dev: true });
  console.log(`${project.pkgName}: ${project.results.length} dependencies scanned`);
}

main().catch((err) => {
  console.error(err);
  process.exit(1);
});
```

Config file
Add to package.json or create .oss-health-scanrc.json:
```json
{
  "oss-health-scan": {
    "threshold": 40,
    "exclude": ["moment"],
    "dev": true
  }
}
```

GitHub Code Scanning (SARIF)
```yaml
- name: Scan dependency health
  run: npx oss-health-scan --sarif > health.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: health.sarif
```

The job that runs `upload-sarif` needs `permissions: security-events: write`. Because the scanner exits with code 1 on critical findings, add `if: always()` to the upload step if you want the SARIF uploaded even on a failing scan; otherwise the step is skipped exactly when there is something to report.

Dashboard

Dark-mode dashboard with Chart.js: health score gauges, npm download distribution, radar breakdown, action queue. Auto-updates every 6 hours with fresh data.
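For readers who want to see what the upload step above actually ingests, here is an added example (not the project's `lib/sarif.js`) that builds a minimal SARIF 2.1.0 log from results in the programmatic API's shape (`name`, `health_score`, `risk_level`). The rule ids, the mapping from `risk_level` to a SARIF `level`, the tool version string and the sample packages are this example's assumptions.

```javascript
// Added example: minimal SARIF 2.1.0 document for GitHub Code Scanning.
// Field names name/health_score/risk_level follow the programmatic API on this
// page; rule ids and the level mapping are assumptions, not the project's code.

const SARIF_SCHEMA =
  'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json';

// One rule per finding class. Code Scanning displays rule.id and the
// shortDescription in the Security tab; defaultConfiguration sets severity.
const RULES = {
  'oss-health/critical': {
    id: 'oss-health/critical',
    shortDescription: { text: 'Dependency health is critical' },
    defaultConfiguration: { level: 'error' },
  },
  'oss-health/warning': {
    id: 'oss-health/warning',
    shortDescription: { text: 'Dependency health is degraded' },
    defaultConfiguration: { level: 'warning' },
  },
};

// Healthy packages produce no result, so the Security tab only lists
// findings that need action.
function classify(riskLevel) {
  switch (String(riskLevel).toLowerCase()) {
    case 'critical': return { ruleId: 'oss-health/critical', level: 'error' };
    case 'warning':  return { ruleId: 'oss-health/warning',  level: 'warning' };
    default:         return null;
  }
}

function toSarif(results, { manifest = 'package.json', toolVersion = '1.5.0' } = {}) {
  const sarifResults = [];
  const usedRules = new Set();
  for (const r of results) {
    const c = classify(r.risk_level);
    if (!c) continue;
    usedRules.add(c.ruleId);
    sarifResults.push({
      ruleId: c.ruleId,
      level: c.level,
      message: { text: `${r.name} scored ${r.health_score}/100 (${r.risk_level})` },
      // Code Scanning requires a location; the manifest that pulls the
      // dependency in is the most useful file to point at.
      locations: [{ physicalLocation: { artifactLocation: { uri: manifest } } }],
      // A stable fingerprint keeps the alert from being re-opened as a new
      // alert on every upload.
      partialFingerprints: { packageName: r.name },
    });
  }
  return {
    $schema: SARIF_SCHEMA,
    version: '2.1.0',
    runs: [{
      tool: {
        driver: {
          name: 'oss-health-scan',
          version: toolVersion,
          rules: [...usedRules].map((id) => RULES[id]),
        },
      },
      results: sarifResults,
    }],
  };
}

// Constructed sample input: moment/react mirror the sample output at the top
// of the page; the third entry is a hypothetical package, not a real one.
const SAMPLE_RESULTS = [
  { name: 'moment', health_score: 50.8, risk_level: 'warning' },
  { name: 'react', health_score: 80.9, risk_level: 'healthy' },
  { name: 'example-abandoned-pkg', health_score: 12.0, risk_level: 'critical' },
];

function sampleSarif() {
  return toSarif(SAMPLE_RESULTS);
}

console.log(JSON.stringify(sampleSarif(), null, 2));
```

Only rules that are actually referenced go into `tool.driver.rules`; Code Scanning rejects results whose `ruleId` has no matching rule, and shipping the whole catalogue on every upload just bloats the file.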
Thousands of packages are effectively abandoned while still receiving hundreds of thousands of weekly downloads. Issue trackers fill up, security patches go unmerged, and downstream teams inherit silent risk. npm audit catches CVEs — but not abandoned packages.
This is a public evidence log for ongoing maintenance work on a curated set of abandoned-but-critical npm packages. Five of the seven tracked repositories carry active "maintainers wanted" signals from their original authors and together move close to two million weekly downloads through the ecosystem.
The work here is not dramatic. Most of it is the quiet kind: reading old code, writing the regression test nobody got around to, re-opening a five-year-old issue with a tested patch, answering the "is this still maintained?" question that sits unanswered on the issue tracker.
The evidence log exists so that the work is verifiable rather than self-reported — every claim is machine-derived from the GitHub and npm APIs, timestamped in evidence/, and regenerated on a six-hour cadence by the pipeline in scripts/. The accompanying oss-health-scan CLI ships the same detection logic as a standalone tool for anyone who wants to audit their own dependency graph.
For the full reach numbers, methodology, and per-package deep dives see docs/IMPACT.md and docs/CASE_STUDIES.md. For the underlying philosophy see docs/MAINTAINER_PLAYBOOK.md.
A config-driven PowerShell + GitHub Actions pipeline that automatically:
- Polls GitHub API — stars, forks, issues, last push date per repo
- Pulls npm downloads — weekly rolling window
- Tracks PRs — state, mergeability, diff stats for your contributions
- Monitors review SLA — flags when maintainer feedback goes stale
- Computes health scores (0–100) — weighted engine with SVG badges
- Detects trends — 180-day history, 7-day and 30-day deltas
- Fires alerts — auto-creates GitHub Issues when packages drop below critical threshold
- Generates action queue — prioritized by urgency
- Commits snapshots — machine-readable JSON + human-readable Markdown every 6 hours
- Renders interactive dark-mode dashboard on GitHub Pages
| Project | Stars | npm/week | Status | Health | My PRs |
|---|---|---|---|---|---|
| grafana/grafana | 73.4k | — | 🟢 Open | | #119212 |
| lingdojo/kana-dojo | 2.2k | — | ✅ Merged | | #6309 |
| kylefox/jquery-modal | 2.6k | 28.4k | 🟡 Maintainers Wanted | | #315, #316, #317 |
| kylefox/jquery-tablesort | 258 | 7.5k | 🟡 Maintainers Wanted | | #49 |
| extrabacon/python-shell | 2.2k | 277k | 🔴 Maintainer Gap | | #320 |
| jkbrzt/rrule | 3.7k | 1.6M | 🔴 Open Backlog | | #664 |
| Hellenic/react-hexgrid | 351 | 1.5k | 🟡 Maintainer Needed | | #123 |

Across tracked projects: 84.7k stars · 2M downloads/week · refreshed 04/25/2026
Each package gets a weighted health score (0–100):
| Dimension | Weight | Metrics |
|---|---|---|
| Maintenance | 40% | Last push recency (exponential decay), last npm publish, open issues ratio |
| Community | 25% | GitHub stars (log-scaled), forks |
| Popularity | 20% | npm downloads/week (log-scaled) |
| Risk | 15% | Inactivity penalty, issue backlog, stale publish, license risk |
Instant flags: DEPRECATED → 5/100, ARCHIVED → 8/100.
- kana-dojo #6309 — content: add new japanese idiom. Merged 02/27/2026.
- jquery-modal #315 — fix: harden close button rendering and refresh docs/examples
- jquery-modal #316 — fix: keep ajax callbacks scoped to their originating modal
- jquery-modal #317 — fix: make plugin initialization idempotent for multiple imports
- jquery-tablesort #49 — Fix stale tablesort.$th reference after header clicks
- python-shell #320 — Fix runString temp path to use tmpdir() and add regression test
- rrule #664 — fix: handle WeekdayStr arrays when serializing BYDAY
- react-hexgrid #123 — test: add coverage for GridGenerator.ring and .spiral
```bash
npx oss-health-scan express lodash moment
```

To run the evidence pipeline against your own packages:

- Fork this repository
- Edit config/tracked-repositories.json: your packages, PRs, SLA settings
- Push: GitHub Actions runs every 6 hours
- evidence/ fills with JSON + Markdown snapshots; health scores + SVG badges auto-generate
```json
{
  "version": 1,
  "contributor": "your-github-username",
  "default_sla_hours": 24,
  "repositories": [
    {
      "owner": "org",
      "repo": "package-name",
      "package": "npm-package-name",
      "tracked_pr_numbers": [42]
    }
  ]
}
```

Standalone workflow for the CLI:

```yaml
# .github/workflows/health-check.yml
name: Dependency Health Check
on:
  schedule:
    - cron: "0 9 * * 1"
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx oss-health-scan --threshold 30
  # Optional: upload to GitHub Code Scanning
  sarif:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx oss-health-scan --sarif > health.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: health.sarif
```

Using the evidence pipeline as a GitHub Action in your own workflow:

```yaml
- uses: actions/checkout@v4
- uses: dusan-maintains/oss-maintenance-log@main
  id: health
  with:
    github-token: ${{ github.token }}
    config-file: config/tracked-repositories.json
    evidence-dir: evidence
- name: Fail on critical
  if: steps.health.outputs.critical-count > 0
  run: |
    echo "Found ${{ steps.health.outputs.critical-count }} critical packages"
    echo "Average health: ${{ steps.health.outputs.avg-health }}"
    exit 1
```

`@main` is shown for brevity; in a production workflow pin the action to a release tag or a full commit SHA so that a compromised or force-pushed default branch cannot change what runs with your `github.token`.

- 📊 Interactive Dashboard: health scores, charts, action queue
- Health Scores — weighted 0-100 per package
- Ecosystem Status — aggregated snapshot
- Action Queue — prioritized tasks
- Per-repo SLA: grafana · kana-dojo · jquery-modal · jquery-tablesort · python-shell · rrule · react-hexgrid
```text
config/tracked-repositories.json   ← All configuration
scripts/
  common.ps1                       ← Shared functions (DRY)
  update-all-evidence.ps1          ← Single orchestrator (full pipeline)
  compute-health-scores.ps1        ← Health scoring (0-100)
  compute-trends.ps1               ← 180-day trend engine
  check-alerts.ps1                 ← Auto GitHub Issues
  update-readme-stats.ps1          ← Auto-regenerates all README sections
  validate-evidence.js             ← JSON Schema validator for evidence outputs
cli/
  bin/scan.js                      ← CLI entry point
  lib/api.js                       ← Programmatic API (scanPackages, scanPackageJson)
  lib/scoring.js                   ← JS health algorithm
  lib/sarif.js                     ← SARIF 2.1.0 output for GitHub Code Scanning
  lib/outdated.js                  ← Libyear metric + drift classification
  lib/osv.js                       ← CVE check via OSV.dev API
  lib/unused.js                    ← Unused dependency detection
  lib/github-graphql.js            ← GitHub GraphQL batch API (1 query for N repos)
  lib/fetcher.js                   ← HTTP client with retry + 429 handling + ETag cache
  lib/reporter.js                  ← Colored terminal output
schemas/
  *.schema.json                    ← JSON Schema (draft-07) contracts for evidence outputs
evidence/
  *.json, *.md                     ← Machine + human snapshots
  badges/*.svg                     ← Health badges
tests/
  common.Tests.ps1                 ← Pester v5 tests (21 passing)
  health-score.Tests.ps1
cli/test/
  *.test.js                        ← 71 JS tests
docs/
  ARCHITECTURE.md                  ← System layout and control flow
  DATA_MODEL.md                    ← Config + evidence output contracts
  OPERATIONS.md                    ← Local commands and runtime constraints
  ROADMAP.md                       ← Engineering priorities
  IMPACT.md                        ← Measured reach and methodology
  CASE_STUDIES.md                  ← Per-package maintenance deep dives
  MAINTAINER_PLAYBOOK.md           ← Operational principles and decision trees
.github/workflows/
  evidence-daily.yml               ← Cron: full pipeline every 6 hours
  validate.yml                     ← CI: config + Pester + CLI tests + schema validation
  publish-cli.yml                  ← Publish to npm on release
```
- docs/ARCHITECTURE.md: system layout and control flow
- docs/DATA_MODEL.md: config and evidence output contracts
- docs/OPERATIONS.md: local commands and runtime constraints
- docs/ROADMAP.md: engineering priorities
- docs/IMPACT.md: measured reach, methodology, and ecosystem effect
- docs/CASE_STUDIES.md: per-package maintenance deep dives
- docs/MAINTAINER_PLAYBOOK.md: operational principles and decision trees
- CONTRIBUTING.md: how to add tracked packages or propose changes
- SECURITY.md: vulnerability reporting and supply-chain posture
- CODE_OF_CONDUCT.md: community standards

License: MIT
Auto-updated every 6 hours by GitHub Actions.