
feat(enrichment): package maintenance-health / deprecated-dep scorer#1793

Closed
GildardoDev wants to merge 1 commit into
JSONbored:mainfrom
GildardoDev:feat/dep-maintenance-health-analyzer

Conversation

@GildardoDev

Contributor

What

A new REES analyzer that flags newly-added or upgraded direct dependencies that are deprecated or yanked by their maintainer, or stale (no release in roughly two years) — maintenance-health and future supply-chain risks the no-checkout reviewer cannot derive.

Data source

Public registry metadata, fetched with an injected fetch. npm: the packument deprecated field (a non-empty string means deprecated, and the maintainer reason is surfaced) and the time map for the newest publish date. PyPI: info.yanked (plus yanked_reason when present) and the newest release upload date. Output is public-safe: package@version plus a short factual reason only, with the registry-supplied reason markdown-escaped before it reaches the prompt block. No tokens, paths, or manifest contents.

Behavior

Additive and fail-safe: it reuses the existing extractDependencyChanges to act only on direct added/upgraded deps, bounds the number of registry queries, and returns no finding on a malformed or empty registry response, an unparseable date, or any fetch error. A healthy dependency produces no finding. It follows the established analyzer pattern entirely within review-enrichment/ (finding type in types.ts, a pure analyzer with injected fetch in analyzers/dep-maintenance-health.ts, registration in brief.ts, a public-safe block in render.ts), outside the engine scope. Scorecard, archived, and sole-maintainer signals are intentionally left out to keep this to the two deterministic registry signals.

Tests

24 node:test cases with a mocked fetch cover deprecated/yanked/stale detection for npm and PyPI, the healthy no-finding case, and the fail-safe edge cases: package-name and ecosystem validation, scoped-name URL encoding, malformed or missing registry JSON, a boolean or empty deprecated value, unparseable dates (Number.isFinite guard), query bounding, and direct-only dependency scope. Full suite: rees build clean, 227 of 227 tests pass.

Closes #1511

@GildardoDev GildardoDev requested a review from JSONbored as a code owner June 29, 2026 23:40
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jun 29, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 29, 2026


Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-06-30 06:54:45 UTC

5 files · 1 AI reviewer · no blockers · readiness 55/100 · CI green · dirty

⏸️ Suggested Action - Manual Review

Review summary
The PR coherently adds a new REES analyzer for npm/PyPI dependency maintenance signals, wires it into the analyzer registry, extends the finding contract, and renders the new block with prompt escaping for registry-supplied text. The core paths are fail-closed on bad fetches, malformed JSON, oversized bodies, missing release dates, and unresolvable PyPI versions, and the tests exercise the important registry-shape and rendering cases. I do not see a reachable correctness defect in the provided post-change files.

Nits — 6 non-blocking
  • nit: review-enrichment/src/render.ts:352 says "Deprecated / stale dependencies" even though the analyzer also reports PyPI yanked releases, so the heading should include yanked for reviewer accuracy.
  • nit: review-enrichment/src/analyzers/dep-maintenance-health.ts:170 normalizes every PyPI release key from registry JSON without a per-key length guard; the 2 MiB body cap bounds this, but a small number of very long keys can still spend avoidable CPU in pep440Key.
  • nit: review-enrichment/src/analyzers/dep-maintenance-health.ts:303 performs up to 25 registry requests sequentially, which is conservative but makes the analyzer less likely to use its timeout budget well on PRs with many dependency changes.
  • Update review-enrichment/src/render.ts:352 to something like "Deprecated / yanked / stale dependencies" so the rendered evidence matches the DepMaintenanceHealthFinding.kind contract.
  • Add a small length check before calling pep440Key on registry-provided release keys in review-enrichment/src/analyzers/dep-maintenance-health.ts:170, matching the defensive cap already applied to requested PyPI versions.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
| Signal | Result | Evidence |
|---|---|---|
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ✅ Linked | #1511 |
| Related work | ⚠️ 2 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Change scope | ❌ 8/20 | High review scope from cached public metadata (size label size:L; 1 linked issue). |
| Validation posture | ❌ 5/25 | Preflight is holding this PR; address the blocker before review. |
| Contributor workload | ✅ 10/10 | Author activity: 171 registered-repo PR(s), 128 merged, 0 issue(s). |
| Contributor context | ✅ Confirmed | Gittensor contributor GildardoDev; Gittensor profile; 171 PR(s), 0 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |
Review context
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Fix the blocker.
  • Triage stale or unlinked PRs.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed



Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
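The analyzer the PR description sketches (npm `deprecated` string plus the `time` map, PyPI `info.yanked` / `yanked_reason` plus release upload dates, a two-year staleness window, no finding on malformed bodies or unparseable dates, and markdown-escaping of the registry-supplied reason), combined with the two code nits from the bot review (a per-key length guard on registry-provided version strings, and a block heading that also names yanked releases), as an added, self-contained TypeScript example. This is not the PR's code nor the gittensory project's code: every name here (`assessNpm`, `assessPyPI`, `scoreDependencies`, `renderBlock`, the constants) is hypothetical, the sample registry bodies in the usage are constructed, and the per-version `versions[v].deprecated` lookup is an addition beyond the top-level packument field the description names.

```typescript
// Added example (not the project's code): reduced npm/PyPI maintenance-health check.
// All identifiers are hypothetical; registry shapes follow the public JSON APIs.

export type Ecosystem = "npm" | "pypi";
export type DepRef = { ecosystem: Ecosystem; name: string; version: string };
export type DepFinding = { kind: "deprecated" | "yanked" | "stale"; pkg: string; reason: string };
export type FetchLike = (url: string) => Promise<{ ok: boolean; json(): Promise<unknown> }>;

const STALE_MS = 2 * 365 * 24 * 60 * 60 * 1000; // "no release in roughly two years"
const MAX_QUERIES = 25;                          // bound on registry requests per run
const MAX_KEY_LEN = 64;                          // per-key guard on registry-supplied version/date strings
const NPM_NAME = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
const PYPI_NAME = /^[A-Za-z0-9._-]{1,128}$/;

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Registry text ends up inside a prompt block: neutralise markdown syntax, newlines and length.
export function escapeMarkdown(s: string): string {
  return s.replace(/[\r\n]+/g, " ").replace(/[\\`*_\[\]<>|#]/g, (c) => "\\" + c).slice(0, 200);
}

// Newest parseable date among the values; unparseable or oversized entries are skipped.
function newest(values: unknown[]): number | null {
  let best: number | null = null;
  for (const v of values) {
    if (typeof v !== "string" || v.length > MAX_KEY_LEN) continue;
    const t = Date.parse(v);
    if (Number.isFinite(t) && (best === null || t > best)) best = t; // Number.isFinite guard
  }
  return best;
}

function staleFinding(pkg: string, latest: number | null, now: Date): DepFinding | null {
  if (latest === null || now.getTime() - latest <= STALE_MS) return null; // unknown date: no finding
  return { kind: "stale", pkg, reason: `last release ${new Date(latest).toISOString().slice(0, 10)}` };
}

// npm packument: `versions[v].deprecated` (falls back to top-level `deprecated`) and the `time` map.
export function assessNpm(body: unknown, name: string, version: string, now: Date): DepFinding | null {
  if (!isRecord(body)) return null;                       // malformed body: no finding
  const pkg = `${name}@${version}`;
  const versions: Record<string, unknown> = isRecord(body.versions) ? body.versions : {};
  const raw = versions[version];
  const entry: Record<string, unknown> = isRecord(raw) ? raw : {};
  const dep = entry.deprecated ?? body.deprecated;        // boolean or empty string is not a deprecation
  if (typeof dep === "string" && dep.trim() !== "") return { kind: "deprecated", pkg, reason: escapeMarkdown(dep) };
  if (!isRecord(body.time)) return null;
  const dates = Object.entries(body.time).filter(([k]) => k !== "created" && k !== "modified").map(([, v]) => v);
  return staleFinding(pkg, newest(dates), now);
}

// PyPI release JSON: `info.yanked` / `info.yanked_reason` and per-file `upload_time_iso_8601`.
export function assessPyPI(body: unknown, name: string, version: string, now: Date): DepFinding | null {
  if (!isRecord(body) || !isRecord(body.info)) return null;
  const pkg = `${name}@${version}`;
  if (body.info.yanked === true) {
    const why = typeof body.info.yanked_reason === "string" ? body.info.yanked_reason : "yanked by maintainer";
    return { kind: "yanked", pkg, reason: escapeMarkdown(why) };
  }
  if (!isRecord(body.releases)) return null;
  const dates: unknown[] = [];
  for (const [key, files] of Object.entries(body.releases)) {
    if (key.length > MAX_KEY_LEN || !Array.isArray(files)) continue; // skip oversized registry keys
    for (const f of files) if (isRecord(f)) dates.push(f.upload_time_iso_8601);
  }
  return staleFinding(pkg, newest(dates), now);
}

// Validates the name before it is placed in a URL; scoped npm names encode only the slash.
export function registryUrl(d: DepRef): string | null {
  if (d.ecosystem === "npm") {
    return NPM_NAME.test(d.name) ? `https://registry.npmjs.org/${d.name.replace("/", "%2F")}` : null;
  }
  return PYPI_NAME.test(d.name) && /^[A-Za-z0-9.!+-]{1,64}$/.test(d.version)
    ? `https://pypi.org/pypi/${d.name}/${d.version}/json` : null;
}

// Fail-safe driver: bounded query count, invalid names skipped, any fetch/JSON error yields no finding.
export async function scoreDependencies(deps: DepRef[], fetchFn: FetchLike, now = new Date()): Promise<DepFinding[]> {
  const out: DepFinding[] = [];
  for (const d of deps.slice(0, MAX_QUERIES)) {
    const url = registryUrl(d);
    if (url === null) continue;
    try {
      const res = await fetchFn(url);
      if (!res.ok) continue;
      const body = await res.json();
      const f = d.ecosystem === "npm" ? assessNpm(body, d.name, d.version, now) : assessPyPI(body, d.name, d.version, now);
      if (f) out.push(f);
    } catch { /* network or JSON failure: skip, never throw */ }
  }
  return out;
}

// Public-safe prompt block; the heading names all three kinds, as the review nit on render.ts asks.
export function renderBlock(findings: DepFinding[]): string {
  if (findings.length === 0) return "";
  return ["### Deprecated / yanked / stale dependencies", ...findings.map((f) => `- ${f.pkg}: ${f.kind} (${f.reason})`)].join("\n");
}
```

Only the package@version and a short escaped reason reach the rendered block, and every failure path (bad body, boolean `deprecated`, unparseable date, fetch error) collapses to "no finding" rather than a false positive, which is the property that makes such an analyzer safe to run on every PR.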


@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:feature Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier. labels Jun 29, 2026
@GildardoDev GildardoDev force-pushed the feat/dep-maintenance-health-analyzer branch 3 times, most recently from 406a453 to b7cc042 Compare June 30, 2026 00:57
@GildardoDev GildardoDev force-pushed the feat/dep-maintenance-health-analyzer branch 6 times, most recently from a87ba69 to 270bed4 Compare June 30, 2026 05:26
@GildardoDev GildardoDev force-pushed the feat/dep-maintenance-health-analyzer branch from 270bed4 to d21573a Compare June 30, 2026 05:28

@JSONbored JSONbored left a comment

Owner


Merge conflicts:

This branch has conflicts that must be resolved
Use the [web editor](https://github.com/JSONbored/gittensory/pull/1793/conflicts) or the command line to resolve conflicts before continuing.

review-enrichment/src/brief.ts



Development

Successfully merging this pull request may close these issues.

feat(enrichment): Package maintenance-health / deprecated-dep scorer
