feat(enrichment): package maintenance-health / deprecated-dep scorer #1850
GildardoDev wants to merge 2 commits into
JSONbored left a comment:
Missing the full package parser:
The most notable implementation detail is the custom PyPI PEP 440 matcher; it is scoped and tested for the common equality cases, but it is still a local subset rather than the full packaging parser.
What
A new REES analyzer that flags newly-added or upgraded direct dependencies that are deprecated or yanked by their maintainer, or stale (no release in roughly two years) — maintenance-health risks the no-checkout reviewer cannot derive.

Data source
Public registry metadata, fetched with an injected fetch. npm: the packument `deprecated` field (a non-empty string on the queried version, then a top-level string, means deprecated and the maintainer reason is surfaced) and the `time` map for the newest publish date. PyPI: the project-level JSON `releases` map — the requirement's version is matched to its real release key by PEP 440 equality (a `==1.0.0` requirement may be published as `1.0`), a release is yanked when its files are all yanked, and staleness uses the newest upload across all releases. Output is public-safe: package@version plus a short factual reason only, with the registry-supplied reason markdown-escaped before it reaches the prompt block. No tokens, paths, or manifest contents.

Behavior
Additive and fail-safe: it reuses the existing `extractDependencyChanges` to act only on direct added or upgraded deps, bounds the number of registry queries, and returns no finding on a malformed or empty registry response (including a non-array or null release entry), an unparseable date, or any fetch error. A healthy dependency produces no finding. It follows the established analyzer pattern entirely within `review-enrichment/` (finding type in `types.ts`, a pure analyzer with injected `fetch` in `analyzers/dep-maintenance-health.ts`, registration in `brief.ts`, a public-safe block in `render.ts`), outside the engine scope. Scorecard, archived, and sole-maintainer signals are intentionally left out to keep this to the two deterministic registry signals.

Tests
`node:test` cases with a mocked fetch cover deprecated/yanked/stale detection for npm and PyPI, PEP 440 version-key matching (the `==1.0.0` → release `1.0` case), the healthy no-finding case, and the fail-safe edge cases: package-name and ecosystem validation, scoped-name URL encoding, the PyPI project-level endpoint, malformed or missing registry JSON, a non-array or null release entry, a boolean or empty `deprecated` value, deprecation attributed to the queried version only, unparseable dates, query bounding, direct-only dependency scope, and abort handling. Full review-enrichment suite green.

Closes #1511
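As an added illustration (not the PR's own code), here is the PyPI side of the decision the description spells out: PEP 440 key matching with a local subset like the one the reviewer points at, yanked only when every file is yanked, staleness from the newest upload across all releases, and a null (no finding) on any malformed shape or bad date. The names `Finding`, `classifyPypi`, `newestUpload` and the sample body are assumptions, not the project's API; the field names `releases`, `yanked` and `upload_time_iso_8601` are the real PyPI JSON fields.

```typescript
// Added example (not the PR's code): PyPI classification as the description states.
// Names here (Finding, classifyPypi, SAMPLE_BODY) are assumptions, not the project API.
type Finding = { pkg: string; reason: string };
const STALE_MS = 2 * 365 * 86_400_000; // "roughly two years"

// Local PEP 440 equality for the common case only: trailing ".0" release
// segments are dropped before comparing, so "1.0.0" matches release key "1.0".
function pep440Equal(a: string, b: string): boolean {
  const norm = (v: string) => v.trim().toLowerCase().replace(/(\.0+)+$/, "");
  return norm(a) === norm(b);
}
// Newest upload across every file of every release; null if any date is unparseable.
function newestUpload(releases: Record<string, unknown>): number | null {
  let newest: number | null = null;
  for (const files of Object.values(releases)) {
    if (!Array.isArray(files)) continue; // null / non-array entries are skipped here
    for (const f of files) {
      const raw = (f as { upload_time_iso_8601?: unknown }).upload_time_iso_8601;
      if (typeof raw !== "string") continue;
      const t = Date.parse(raw);
      if (Number.isNaN(t)) return null; // fail-safe: no finding on a bad date
      if (newest === null || t > newest) newest = t;
    }
  }
  return newest;
}
// body is the parsed project-level /pypi/<name>/json response; null on any malformed shape.
function classifyPypi(name: string, version: string, body: unknown, now: number): Finding | null {
  const releases = (body as { releases?: unknown } | null)?.releases;
  if (!releases || typeof releases !== "object") return null;
  const rel = releases as Record<string, unknown>;
  const key = Object.keys(rel).find((k) => pep440Equal(k, version)); // "1.0.0" -> "1.0"
  if (key === undefined) return null;
  const files = rel[key];
  if (!Array.isArray(files) || files.length === 0) return null; // null/non-array/empty entry
  const pkg = `${name}@${version}`;
  if (files.every((f) => (f as { yanked?: unknown }).yanked === true))
    return { pkg, reason: `release ${key} is yanked on PyPI` };
  const latest = newestUpload(rel); // staleness uses every release, not just the queried one
  if (latest === null) return null;
  if (now - latest > STALE_MS) return { pkg, reason: "no PyPI release in over two years" };
  return null;
}

// Constructed sample body (not real registry data): 1.0 is fully yanked, 1.1 is healthy.
const SAMPLE_BODY = { releases: {
  "1.0": [{ yanked: true, upload_time_iso_8601: "2023-01-10T00:00:00Z" }],
  "1.1": [{ yanked: false, upload_time_iso_8601: "2023-06-01T00:00:00Z" }],
} };
```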