top | item 44400859

(no title)

If you have a dependency that is simple and stable, it could appear unmaintained since it doesn't have a lot of recent commits, bug reports, comment history, etc.

If a library author wants to make their package "look" maintained for some reason, they could generate superfluous commits and open and close fake bug reports. This could be a "good" signal to the heuristic, but has no real world benefit or worse-case could be used to lend credibility to a package with known vulnerabilities.

discuss

pmig|8 months ago

We actually check from how many different organization the last committers belong to and analyze if the most recent commits have be done by bots (like renovate or dependabot)