Research how we can calculate an npmx package score

[43081j]

Rather than relying on a third party score like npms.io, we should create our own with transparency.

This means we need to do the following:

• Research which metrics could be used in the scoring algorithm
• Trial some of these out against a random set of packages to see what their scores end up as
• Ensure whichever metrics we settle on are publicly available

Importantly, we need to be able to explain why a package was scored the way it was. We can't really do that if we use a third party scoring mechanism, so we should build our own.

This will take some discussion so nobody needs to try implement this yet. For now, we just need to research which metrics may be useful.

If you have any suggestions, reply here and we will maintain a list in this post.

If anyone wants to pick up the trial work (trying to create the algorithm and try it out), let us know here.

Summary

• All metrics should be publicly available
• Packages should show their total score
• A drilldown page or panel should show each individual underlying score and what that means
• The e18e data project may be useful here as we will have enriched registry data with things like deep license types, ESM/CJS, etc
• Proposed algorithms need to be trialled out against a random set of packages

[graphieros]

A few ideas:

Community metrics

• having no readme could penalise by a fixed factor
• how to evaluate the 'quality' of a README ? (standard boilerplate vs thoughtful content...)
• average response time to PRS (and issues ?)
• I don't think metrics like commits / t should be considered, as it would punish stable packages. Same for release frequency. Same for downloads (except if there exists a way to isolate bot downloads)
• how ownership is concentrated ? (Maybe a single maintainer introduces a risk factor, for example)
• having a changelog ?
• semver compliance
• reverse dep count: adoption bonus (small bonus maybe, to avoid overrating isEven types). @skaldebane adds: also penalize packages with e18e recommendations against them?

Health of dependencies

• no dependencies could provide a bonus (In know, they can be stealth, but this could be explained^^)
• deprectated deps = malus
• vulnerable deps = mega malus
• obfuscated code, nasty stuff like crypto mining

Package quality

• presence of dubious file extensions
• treeshakability
• docs website
• license risk - multiple license statements conflicts

[userquin]

Asking IA, including @graphieros ideas:

npm Package Health Score (NPHS) 2.0: Sustainability & Risk

This version focuses on Long-term Stability and Supply Chain Integrity rather than vanity metrics.

---

1. Core Weighted Pillars

The Total Score ($S_{total}$) is a balance between reliability and risk.

Category	Weight	Key Focus
Governance ($G$)	30%	Bus factor, Ownership, PR/Issue response.
Supply Chain ($SC$)	30%	Dependency health, Malicious code, Provenance.
Quality & Docs ($Q$)	25%	README quality, Semver, Treeshakability.
Ecosystem Trust ($E$)	15%	Reverse dependencies, License risk.

---

2. Advanced Formulas

A. Ownership Concentration (Bus Factor)

To avoid the risk of a "single point of failure," we use a simplified version of the Gini coefficient for commits. If $C_1$ is the % of commits by the top contributor:

$$Score_{Bus} = \max(0, 100 - (C_1 - 50) \cdot 2)$$

• Diverse (Top person has 20%): 100 pts.
• Fragile (Top person has 95%): 10 pts.

B. Dependency Health

Dependencies are liabilities. We reward "lean" packages:

$$Bonus_{Deps} = \begin{cases} +10 & \text{if } deps = 0 \ 0 & \text{if } 0 < deps < 5 \ -10 \cdot \log_{2}(deps) & \text{if } deps \geq 5 \end{cases}$$

C. Response Velocity (PRs & Issues)

Combining average time to respond ($t_{res}$) and time to close ($t_{close}$):

$$Score_{Velocity} = \frac{100}{1 + \log_{10}(t_{res} + t_{close} + 1)}$$

---

3. Heuristics & Modifiers

README Quality Heuristics

Instead of a binary check, we evaluate the README quality based on:

• Length: $&gt; 500$ characters.
• Structure: Presence of ## Installation, ## Usage, ## API.
• Richness: Presence of code blocks (```) and links.
• Penalty: If README exists but is $&lt; 100$ chars, it's treated as "No README" ($-20$ points).

Security & Integrity (The "Malus" list)

• Obfuscated Code: Detection of eval(), large hex strings, or minified code in the source → Score = 0 (Critical Alert).
• Deprecated Deps: $-5$ points per deprecated dependency.
• Vulnerable Deps: $-20$ points per high/critical CVE.
• Dubious Extensions: Presence of .exe, .dll, or .sh in unexpected folders → -30 points.

Ecosystem Trust

• Reverse Dep Count: $\log_{10}(count)$ bonus. A package used by 10,000 others is battle-tested.
• Semver Compliance: Check if the last 5 versions follow strict Semver. Manual overrides of major versions without breaking changes (or vice versa) penalize the score.
• License Conflict: If package.json says "MIT" but the LICENSE file says "GPL", apply a -20 legal risk penalty.

---

4. Why we ignore "Activity"

Traditional scores reward "Active" packages. NPHS 2.0 ignores:

1. Release Frequency: A package can be "finished" and secure without updates.
2. Commit Count: High volume often means instability or bug-fixing.
3. Downloads: Easily spoofed by bots/CI pipelines. We prefer Reverse Dependency Count.

---

5. Summary Logic (Pseudo-code)

const finalScore = (pkg) => {
  let score = (G * 0.3) + (SC * 0.3) + (Q * 0.25) + (E * 0.15);
  
  // Apply logic-based modifiers
  if (pkg.isTreeshakable) score += 5;
  if (pkg.hasChangelog) score += 5;
  if (pkg.licenseConflict) score -= 20;
  
  // Critical failure for malicious signals
  if (pkg.hasObfuscatedCode || pkg.hasMalwareSignals) return 0;

  return Math.min(100, score);
};

[bnb]

Thoughts coming into the thread:

• Include license permissiveness
  • Can leverage SPDX and/or BlueOak License Lists
  • Surface if the license is Open Source Initiative or Free Software Foundation approved
• Number of maintainers in source repo is an important metric, IMO. More accounts as authors, especially inactive ones, is a huge security risk.
• Maintainer impact could also be a score. For example, there are a handful of maintainers who have tremendous impact across the registry (I think there are 3 who are responsible for >10% of downloads, each). This might be able to be gamed by adding them as authors non-consensually, though.
• Apparently I made a request for npm scores in GitHub's community Discussions to npm 6 years ago that has a good amount of historical context around scoring
• A huge burden with scoring tools in the ecosystem - things like Snyk - is that they introduce reasons that end-users can't use packages and rather than going and fixing them, end-users often just open an issue to complain and ask the maintainer to fix the "bad" thing.
  • I imagine a lot of the negative scores would be programmatically fixable - maybe we can provide codemods for the ones that are or a way to easily submit a PR?
  • Maybe a small guide in the site for how to be a good member of the open source community and fix things before asking others to fix them.
  • As one potential "Impact" scoring metric, you could do higher average placement in the dependents' dependency trees x downloads of the dependent. This could help theoretically create a more balanced score where outliers like isEven exist.

Thoughts reading the thread:

• README, LICENSE, CONTRIBUTING, SECURITY, and Code of Conduct should all be files that give signals
• README quality is a hard problem, but there's a majority of packages that have either nothing or like a header and one paragraph level element. IIRC from previous work on exactly this, there's a handful of other cases that you can knock out pretty quickly from marking those as "low" effort.
• +1 to including average PR/Issue time + comparing that to the ecosystem averages.
• Building the full tree's license list and seeing if they're all actually compatible would be interesting. You'll find a lot... aren't.
• I do like including bus factor! One area you'll find this challenging is that npm authors for a lot of big projects are only one owner, and it's a bot account + this is considered best practice to reduce surface area.
• Penalty: If README exists but is <100 chars, it's treated as "No README" (-20 points). is a really accurate approach. I think you might need to do 120 chars, since heading + 80 character paragraph might push pas 100 chars sometimes, but I'd just look at the data and see where this would be most useful when we start scoring.
• +1 to packages being "done".
• Also +1 to direct downloads being bad, especially since they are also likely smaller than real numbers because of internal corporate caches that pull the package once then never again so they don't need to hit the public registry.

[IonianPlayboy]

If anyone wants to pick up the trial work (trying to create the algorithm and try it out), let us know here.

I have been digging into this this past few weeks to see what could be done, and it has been very enlightening so far. I am nowhere near finished, but at this point I think there is at least some interesting ideas that could lead to something useful down the road.

I do not have anything to show right now, but I am currently looking at how I can make it easy to share and explain to faciltate discussions and feedback.

[graphieros]

I have been digging into this this past few weeks to see what could be done, and it has been very enlightening so far. I am nowhere near finished, but at this point I think there is at least some interesting ideas that could lead to something useful down the road.

@IonianPlayboy can't wait to see the result !

[hamdibenjarrar]

Hey everyone
I've been following this issue with interest. I tried implementing a basic health score facet last week and got feedback that the feature needs more community discussion first, totally fair.
My rough approach was: maintenance (35% days since last publish), quality (30% types, ESM, license, description), security (20% vuln severity), popularity (15% downloads). Deprecated packages auto-score 0.
I noticed @IonianPlayboy mentioned they've been researching this too. Would love to hear what direction you're all leaning and whether there's a way I can help once the algorithm is settled!