A numerate accounting of what this repository actually does, who benefits, and what the evidence trail proves.
Last updated: 2026-04-17 (regenerate-aware sections are rebuilt by scripts/update-all-evidence.ps1)
- 1,928,596 weekly npm downloads flow through the five abandoned-but-critical packages currently under active external maintenance.
- ~8.3 million monthly downloads, equivalent to the install base of a mid-tier framework.
- 84,400 combined GitHub stars across the seven tracked upstream repositories.
- 9 tracked pull requests filed — 2 merged, 7 open and actively tracked with review SLA.
- 180-day rolling health history maintained with snapshots every 6 hours.
- ~700 evidence snapshots committed since launch, each cryptographically signed as a bot commit.
- Zero npm runtime dependencies in the public CLI — a dependency scanner that is itself dependency-free.
Thousands of npm packages sit in a liminal state: no recent releases, unanswered issues, PRs from external contributors queued for months, but with six- or seven-figure weekly install counts. Downstream teams inherit whatever state they're in. npm audit catches known CVEs; it does not catch abandonment itself, even though abandonment is often the root cause of eventually-disclosed vulnerabilities.
This repository is an attempt to make the maintenance gap visible and auditable, and to do something about it for a small hand-picked set of load-bearing abandoned packages. The evidence log side of the project produces the receipts. The oss-health-scan CLI side ships the same detection logic as a tool anyone can use on their own dependency tree.
Data source: official npm registry download counts, pulled every 6 hours by scripts/update-all-evidence.ps1 and written to evidence/ecosystem-status.json.
| Package | Weekly downloads (2026-04-17) | Maintenance status |
|---|---|---|
rrule |
1,643,561 | Open backlog (no recent releases) |
python-shell |
250,094 | Maintainer gap (explicit "looking for maintainer" issue) |
jquery-modal |
26,411 | Maintainers wanted (README flag) |
jquery-tablesort |
6,924 | Maintainers wanted (README flag) |
react-hexgrid |
1,606 | Maintainer needed (issue #72) |
| Combined weekly | 1,928,596 | — |
| Monthly equivalent (×4.3) | ~8,292,963 | — |
For context, the Claude for Open Source Program eligibility threshold is 1,000,000 monthly npm downloads. The packages under active external maintenance here clear that bar by ~8.3×.
Beyond the abandoned-package maintenance work, this tracker also logs contributions to actively-maintained flagship projects as a range check — the same contributor posture applied to large living codebases:
| Repository | Stars | PR | Status |
|---|---|---|---|
| grafana/grafana | 73,241 | #119212 — email template privacy hardening | Open, under review |
| lingdojo/kana-dojo | 2,074 | #6309 — content contribution | ✅ Merged 2026-02-27 |
Total stars across tracked upstream repositories: 84,400. This is the combined community footprint of the ecosystem being maintained, not a metric of this repository itself.
All tracked PRs are documented in config/tracked-repositories.json as the single source of truth. Every PR is monitored every 6 hours for state transitions, review responses, and SLA breaches.
| PR | Description | Package |
|---|---|---|
| jquery-modal #315 | Harden close button rendering + refresh docs/examples | jquery-modal |
| jquery-modal #316 | Keep ajax callbacks scoped to their originating modal | jquery-modal |
| jquery-modal #317 | Make plugin initialization idempotent for multiple imports | jquery-modal |
| jquery-tablesort #49 | Fix stale tablesort.$th reference after header clicks |
jquery-tablesort |
| python-shell #320 | Fix runString temp path to use tmpdir() + regression test |
python-shell |
| rrule #664 | Handle WeekdayStr arrays when serializing BYDAY |
rrule |
| react-hexgrid #123 | Test coverage for GridGenerator.ring and .spiral |
react-hexgrid |
| grafana #119212 | Email template privacy hardening | grafana |
| kana-dojo #6309 | Content contribution | ✅ Merged |
Every one of these PRs is a real remediation. None are documentation whitespace changes or dependency bumps submitted for signal — each one either fixes an actual bug, restores a missing test, or hardens a real risk in a package other people are installing today.
This repository is itself an engineering artifact, not just a PR log:
- 12 PowerShell scripts in
scripts/— modular with shared helpers incommon.ps1 - 9 JavaScript library files in
cli/lib/— the public CLI engine - 4 JSON Schema contracts in
schemas/— draft-07 validation for evidence outputs - 5 CI jobs in
.github/workflows/validate.yml— config validation, Pester tests (21 passing), CLI unit tests (71 passing), evidence schema validation, Windows-specific PowerShell parse check - 1 composite GitHub Action in
action.yml— reusable by any downstream repo - 1 interactive dashboard in
index.html— dark-mode Chart.js visualization with freshness banner, trend arrows, per-repo freshness dots
- GraphQL batching cut GitHub API consumption by ~97% (30 packages: 1 GraphQL query instead of 30 REST calls)
- ETag caching further cut API consumption by ~60% on repeat scans
- Python fallback path for 403-throttled environments where PowerShell-native
Invoke-WebRequestgets blocked - Retry + exponential backoff with
Retry-Afterhonoring for 429s - Manifest-driven partial-failure tolerance: individual steps can fail without bringing down the full refresh
- Evidence integrity enforced by JSON Schema validation in CI
These five packages are dependencies of packages you probably use. A partial downstream sample:
rrule: used by major calendar libraries and iCalendar ecosystem tools. 1.6M weekly downloads is not a long tail — it is sustained load-bearing install volume.python-shell: a Node → Python bridge used by data-science tooling and Electron apps that need to call local Python scripts.jquery-modal/jquery-tablesort: the long tail of jQuery still in production on hundreds of thousands of sites — WordPress plugin ecosystems, legacy CMS deployments, admin dashboards that predate the React era but still run critical workflows.react-hexgrid: niche but structurally critical for a category of data-visualization tools (geospatial, hex-binning).
Total downstream package count is not trivially measurable from public data — this is on the near-term roadmap (see docs/ROADMAP.md → "Downstream dependency graph"). Even without that analysis, an abandoned package with 1.6M weekly downloads is a supply-chain failure domain that nobody currently owns. This repository owns it for the packages listed.
A specific, observable example: jquery-modal PR #316 fixes a scoping bug where ajax callbacks would fire against the wrong modal instance when multiple modals were open. This is the kind of bug that produces mysterious "why is this form submitting twice" support tickets downstream — a bug whose cost is distributed across thousands of sites that will never trace the root cause to a jQuery plugin. The PR sits open upstream, but the fix is available in the review queue and documented in the evidence log. A downstream consumer who reads this repository can vendor the patch themselves and short-circuit the supply-chain delay.
Every claim above is reproducible from the repository itself:
| Claim | Verification path |
|---|---|
| Weekly download counts | evidence/ecosystem-status.json → projects[].npm.downloads_last_week |
| PR states at any point in time | evidence/status-{owner}-{repo}-{timestamp}.json files, 180-day rolling window |
| Review SLA breaches | evidence/review-sla-*.json → summary.overdue_count |
| Health score history | evidence/health-history.json → 180-day per-package timeseries |
| Pipeline run health | evidence/manifest.json → run_status + per-step outcomes |
| Automation commit attribution | git log --author="dusan-maintains-bot" — every evidence refresh is signed |
No claim in this document survives if the evidence/ directory contradicts it. That is the design.
- Downloads are the npm registry's public weekly counter. Some weeks show small dips for holidays or registry-side re-counts. The
health-history.jsonfile preserves raw values so an investigator can reconstruct any instantaneous figure. - Health scores use the weighted dimensions documented in
README.md→ Health Scoring. The JavaScript implementation incli/lib/scoring.jsand the PowerShell implementation inscripts/compute-health-scores.ps1produce equivalent outputs; parity is enforced by tests. - Review SLA is computed from the most recent review comment or maintainer response against the PR's last-modified timestamp. Default SLA is 24 hours; configurable per-repo via
tracked-repositories.json. - "Abandoned" in this document means: no release in the upstream package's window that exceeds its previous typical release cadence by more than 3× standard deviations, plus public signals (pinned "maintainers wanted" issue, README banner, explicit maintainer handoff thread). We do not label any package "abandoned" from a single inactivity signal alone.
- That
oss-maintenance-logis authoritative in the way OpenSSF Scorecard or Snyk is — it is a single maintainer's public, auditable work log for a specific scope. - That the tracked upstream maintainers are at fault for the maintenance gap — they are not. Open-source maintainership is voluntary and often unpaid; life circumstances change.
- That every tracked PR will be merged. Some may be superseded, declined, or absorbed into other forks. The evidence log tracks outcomes, not predictions.
- That star count on this repository matters — it is a personal work log, not a product with a growth strategy.
README.md— product overview and usagedocs/ARCHITECTURE.md— system layoutdocs/DATA_MODEL.md— config and evidence output contractsdocs/OPERATIONS.md— local commands and constraintsdocs/ROADMAP.md— engineering prioritiesCHANGELOG.md— release history, v1.0.0 through current- Live dashboard — visualized real-time data
- GitHub Actions runs — pipeline audit trail