Skip to content

feat(enrichment): package maintenance-health / deprecated-dep scorer#1850

Closed
GildardoDev wants to merge 2 commits into
JSONbored:mainfrom
GildardoDev:feat/dep-maintenance-health-analyzer
Closed

feat(enrichment): package maintenance-health / deprecated-dep scorer#1850
GildardoDev wants to merge 2 commits into
JSONbored:mainfrom
GildardoDev:feat/dep-maintenance-health-analyzer

Conversation

@GildardoDev

Copy link
Copy Markdown
Contributor

What

A new REES analyzer that flags newly-added or upgraded direct dependencies that are deprecated or yanked by their maintainer, or stale (no release in roughly two years) — maintenance-health risks the no-checkout reviewer cannot derive.

Data source

Public registry metadata, fetched with an injected fetch. npm: the packument deprecated field (a non-empty string on the queried version, then a top-level string, means deprecated and the maintainer reason is surfaced) and the time map for the newest publish date. PyPI: the project-level JSON releases map — the requirement's version is matched to its real release key by PEP 440 equality (a ==1.0.0 requirement may be published as 1.0), a release is yanked when its files are all yanked, and staleness uses the newest upload across all releases. Output is public-safe: package@version plus a short factual reason only, with the registry-supplied reason markdown-escaped before it reaches the prompt block. No tokens, paths, or manifest contents.

Behavior

Additive and fail-safe: it reuses the existing extractDependencyChanges to act only on direct added or upgraded deps, bounds the number of registry queries, and returns no finding on a malformed or empty registry response (including a non-array or null release entry), an unparseable date, or any fetch error. A healthy dependency produces no finding. It follows the established analyzer pattern entirely within review-enrichment/ (finding type in types.ts, a pure analyzer with injected fetch in analyzers/dep-maintenance-health.ts, registration in brief.ts, a public-safe block in render.ts), outside the engine scope. Scorecard, archived, and sole-maintainer signals are intentionally left out to keep this to the two deterministic registry signals.

Tests

node:test cases with a mocked fetch cover deprecated/yanked/stale detection for npm and PyPI, PEP 440 version-key matching (the ==1.0.0 → release 1.0 case), the healthy no-finding case, and the fail-safe edge cases: package-name and ecosystem validation, scoped-name URL encoding, the PyPI project-level endpoint, malformed or missing registry JSON, a non-array or null release entry, a boolean or empty deprecated value, deprecation attributed to the queried version only, unparseable dates, query bounding, direct-only dependency scope, and abort handling. Full review-enrichment suite green.

Closes #1511

@GildardoDev GildardoDev requested a review from JSONbored as a code owner June 30, 2026 08:41
@dosubot dosubot Bot added the size:L label Jun 30, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 30, 2026

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-06-30 10:50:57 UTC

9 files · 1 AI reviewer · no blockers · readiness 57/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
The change adds a new enrichment analyzer for npm/PyPI dependency maintenance signals, wires it into metadata, rendering, registry descriptors, docs, and test coverage. The core paths are fail-safe for malformed registry data and bounded responses, and the visible tests exercise the important deprecated/yanked/stale cases plus rendering escaping. The main maintainability issue is that this analyzer reimplements bounded registry JSON fetching instead of using the repository’s existing external fetch/diagnostics path, so production observability and throttling conventions diverge from adjacent registry analyzers.

Nits — 6 non-blocking
  • nit: `review-enrichment/src/analyzers/dep-maintenance-health.ts:247` duplicates bounded fetch/body-reading logic that already exists in `boundedFetchJson`, so this analyzer will not participate in the same diagnostics and category-level call accounting as `install-scripts.ts`.
  • nit: `review-enrichment/src/analyzers/dep-maintenance-health.ts:133` runs the PEP 440 regex over untrusted PyPI release keys; the registry body cap limits blast radius, but bounding the version-key length before `pep440Key(key)` would make the ReDoS surface explicitly closed.
  • nit: `review-enrichment/src/analyzers/dep-maintenance-health.ts:314` relies on the descriptor-level `fetch` instead of accepting `analysis`/`diagnostics` in `ScanOptions`, unlike the nearby registry analyzers that can reuse the shared fetch context.
  • In `review-enrichment/src/analyzers/dep-maintenance-health.ts`, replace `readJsonText`/`fetchJson` with `boundedFetchJson` or thread through `AnalysisContext.fetchJson` and `AnalyzerDiagnostics`, matching `review-enrichment/src/analyzers/install-scripts.ts`.
  • In `resolvePypiReleaseKey`, skip release keys above a small PEP 440-safe length before passing them to `pep440Key`, and add a regression test with an oversized malformed key.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #1511
Related work ⚠️ 3 scoped overlaps Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (size label size:L; 1 linked issue).
Validation posture ❌ 5/25 Preflight is holding this PR; address the blocker before review.
Contributor workload ✅ 10/10 Author activity: 172 registered-repo PR(s), 130 merged, 0 issue(s).
Contributor context ✅ Confirmed Gittensor contributor GildardoDev; Gittensor profile; 172 PR(s), 0 issue(s).
Gate result ✅ Passing No configured blocker found.
Review context
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Fix the blocker.
  • Triage stale or unlinked PRs.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@JSONbored JSONbored left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing the full package parser:

The most notable implementation detail is the custom PyPI PEP 440 matcher; it is scoped and tested for the common equality cases, but it is still a local subset rather than the full packaging parser.

@JSONbored JSONbored closed this Jun 30, 2026
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier. gittensor Gittensor contributor context

Projects

No open projects
Status: Done

Development

Successfully merging this pull request may close these issues.

feat(enrichment): Package maintenance-health / deprecated-dep scorer

2 participants