"Is this dependency maintained?" sounds like a yes/no question. It isn't. Maintainer health is a five-signal vector that you can pull from public APIs in under a minute per package. Here are the signals, the free tools that surface them, and how to use them in a review.
The five signals
- Cadence: commits per quarter on the default branch over the last 24 months
- Headcount: number of distinct contributors in the last 12 months
- Issue triage: median time to first response on issues
- Release cadence: published versions in the last 12 months
- Governance posture: license, governance file, security policy (SECURITY.md), funding links, archived flag
Free dashboards worth knowing
| Tool | What it gives you | Cost |
|---|---|---|
| OpenSSF Scorecard | Auto-graded score (0–10) on signed releases, fuzzing, branch protection, dependency-update tools, and more | Free |
| deps.dev (Google) | Aggregated dependency graph + license + Scorecard + advisories | Free |
| libraries.io | SourceRank score (0–30) combining stars, forks, contributors, license clarity, README | Free with quota |
| Snyk Advisor | Per-package health with maintenance + community + security badges | Free read-only |
| Tidelift | Lifecycle status (Active, Lite, End-of-life), commercial support availability | Free read-only catalog |
No single tool is enough. Cross-reference at least Scorecard + last-commit + maintainer count. The combination is what passes a compliance review.
The DIY check (no signup)
```sh
# A token raises the GitHub rate limit from 60/h (anonymous) to 5000/h
AUTH="Authorization: Bearer $GITHUB_TOKEN"

# Last push (any branch), archived flag, open issues + PRs
curl -s -H "$AUTH" "https://api.github.com/repos/<owner>/<repo>" | jq '.pushed_at, .archived, .open_issues_count'

# Last npm publish. --json is required for jq; drop the created/modified metadata
# keys so a deprecation or dist-tag edit is not mistaken for a release
npm view <package> time --json | jq 'del(.created, .modified) | to_entries | sort_by(.value) | last'

# OpenSSF Scorecard aggregate score (0-10)
curl -s "https://api.scorecard.dev/projects/github.com/<owner>/<repo>" | jq '.score'

# Distinct commit authors on the default branch in the last 12 months (GNU date).
# The /stats/contributors endpoint counts all-time contributors, so don't use it for this.
# per_page=100 is the first page only; paginate for busy repos
SINCE=$(date -u -d '365 days ago' +%Y-%m-%dT%H:%M:%SZ)
curl -s -H "$AUTH" "https://api.github.com/repos/<owner>/<repo>/commits?since=$SINCE&per_page=100" \
  | jq '[.[].commit.author.email] | unique | length'
```
What goes in the review
For each load-bearing dependency in your tree, document:
- Last commit date
- OpenSSF Scorecard score
- Active maintainers in last 12 months
- Stated support status (Active / Lite / End-of-life)
- Your action: keep / replace / fork
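The row above can be computed directly from the payloads the DIY commands return. The following is an added example, not code from the page or from any of the tools it lists: it takes constructed sample responses for a hypothetical package (the GitHub repo object, a commit list, the npm `time` map and a Scorecard result), derives the five review fields, and applies a keep/replace/fork rule that is an assumption for this example (archived means replace, no active maintainer means fork, everything else keeps with inspection flags for the conditions the FAQ calls out). Note the npm `time` map contains `created` and `modified` entries alongside the versions; a deprecation edit bumps `modified`, so those keys are excluded from the release count.

```python
"""Build the per-dependency review row from the API payloads the DIY checks return."""
from datetime import datetime, timedelta, timezone

# Constructed sample payloads for a hypothetical package "examplelib" (not real data),
# shaped like the GitHub, npm and Scorecard responses the curl/npm commands return.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

REPO = {"pushed_at": "2024-05-20T10:15:00Z", "archived": False, "open_issues_count": 42}

COMMITS = [  # default-branch commits, newest first, as from /repos/<owner>/<repo>/commits
    {"commit": {"author": {"email": "alice@example.com", "date": "2024-05-20T10:15:00Z"}}},
    {"commit": {"author": {"email": "bob@example.com", "date": "2024-02-11T09:00:00Z"}}},
    {"commit": {"author": {"email": "alice@example.com", "date": "2023-11-03T17:30:00Z"}}},
    {"commit": {"author": {"email": "carol@example.com", "date": "2023-01-15T08:00:00Z"}}},
]

NPM_TIME = {  # as from `npm view examplelib time --json`
    "created": "2019-03-01T00:00:00.000Z",
    "modified": "2024-05-25T00:00:00.000Z",  # metadata edit (e.g. deprecation), not a release
    "1.0.0": "2019-03-01T00:00:00.000Z",
    "1.1.0": "2023-09-10T00:00:00.000Z",
    "1.1.1": "2024-03-02T00:00:00.000Z",
}

SCORECARD = {"score": 6.3}

NON_VERSION_KEYS = {"created", "modified"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp, with or without fractional seconds."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def active_maintainers(commits, now, days=365):
    """Distinct commit-author emails on the default branch within the window."""
    cutoff = now - timedelta(days=days)
    return len({c["commit"]["author"]["email"] for c in commits
                if parse_ts(c["commit"]["author"]["date"]) >= cutoff})


def releases_in_window(npm_time, now, days=365):
    """Published versions within the window; created/modified are metadata, not releases."""
    cutoff = now - timedelta(days=days)
    return sum(1 for k, v in npm_time.items()
               if k not in NON_VERSION_KEYS and parse_ts(v) >= cutoff)


def last_release(npm_time):
    """Most recently published version string."""
    versions = {k: v for k, v in npm_time.items() if k not in NON_VERSION_KEYS}
    return max(versions, key=lambda k: parse_ts(versions[k]))


def review_row(repo, commits, npm_time, scorecard, now=NOW):
    """One row of the review table plus a keep/replace/fork recommendation.

    Hypothetical decision rule for this example (not from the page):
    archived -> replace, no active maintainer -> fork, otherwise keep,
    with flags for the conditions that deserve closer inspection.
    """
    row = {
        "last_commit": repo["pushed_at"],
        "days_since_push": (now - parse_ts(repo["pushed_at"])).days,
        "archived": repo["archived"],
        "scorecard": scorecard["score"],
        "active_maintainers": active_maintainers(commits, now),
        "releases_12mo": releases_in_window(npm_time, now),
        "last_release": last_release(npm_time),
        "flags": [],
    }
    if row["scorecard"] < 5:
        row["flags"].append("scorecard<5")
    if row["days_since_push"] > 365:
        row["flags"].append("no-push-12mo")
    if row["releases_12mo"] == 0:
        row["flags"].append("no-release-12mo")
    if row["active_maintainers"] == 1:
        row["flags"].append("bus-factor-1")  # fine for small mature libs; check cadence and triage
    if row["archived"]:
        row["action"] = "replace"
    elif row["active_maintainers"] == 0:
        row["action"] = "fork"
    else:
        row["action"] = "keep"
    return row


if __name__ == "__main__":
    import json
    print(json.dumps(review_row(REPO, COMMITS, NPM_TIME, SCORECARD), indent=2))
```

Swap the constructed dictionaries for `json.load` of the saved curl output and the same functions produce the row for a real package; the 12-month window is the one the review asks for, so it matches the headcount signal rather than the 90-day quick check.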
Pull all of this for every package automatically
DepTriage cross-references your lockfile with Scorecard, last-commit, and maintainer count — one click, one report.
FAQ
What Scorecard score is good enough?
7 or above is solid. 5 to 7 is acceptable for a smaller library. Below 5 should prompt closer inspection of the individual checks that dragged the score down.
Is a single maintainer a red flag?
Not for small, mature libraries. Many one-line utility packages are stable with a single maintainer and that's fine. Combine the headcount signal with cadence and issue triage before drawing a conclusion.
How often should the review be repeated?
At every minor release, or quarterly for slow-moving projects. Maintainer health degrades fastest right after the lead maintainer changes job, and that's not in any feed.