Proposal: Maintenance Trust Rating
- I can’t remember the names of the maintainers of the thousands of packages that I use
- I don’t want to give out my name or email to everyone who installs my packages, I am not tech support.
- Even the maintainers of the current packages that I am already using may be untrustworthy, what do I know?
- The entity that knows the most about the maintainers of the packages is npm.
I want a quick summary per package of how known or unknown its maintainers are, and whether the maintenance has changed. More importantly, I want to know if the packages I am already using require keeping more of an eye on! I also want to know if something changes drastically in the future.
- For each maintainer, calculate the number of packages that they publish.
- Give each maintainer a trust rating from 0 to 10 based on how many packages they maintain and how long the account has existed for.
- Now give each package a “Maintainer Trust Level” that for a start, simply averages the rank of each maintainer!
(Maintainer trust level 0 + maintainer trust level 0) / 2 = Package Maintainer Trust Level: 0
(Maintainer trust level 9 + maintainer trust level 0 + maintainer trust level 0) / 3 = Package Maintainer Trust Level: 3
(Maintainer trust level 9) / 1 = Package Maintainer Trust Level: 9
I am using package X, which is maintained by a well-known single maintainer who maintains 30 other npm packages and he has had that account for 4 years. That package maintainer’s trust level is 9, and thus the package’s Maintainer Trust Level is 9. He adds a second maintainer because he doesn’t have time to maintain the package on his own any more. That maintainer has no other packages, and an account that has only existed for 30 days. Their trust level is 0. The package’s Maintainer Trust Level drops from a 9 to a 4.5 for all subsequent releases! Warn me of this drop when I go to upgrade!
I am considering a new package Z because it has the cool features that I want. Who published it? Williams Norman. Not a name that I recognize. Do I trust him? No idea. Oh, wait, this is his only package and he has only had an npm account for 5 days. So this package has a trust rating of a big fat 0. I should proceed with caution, if not look elsewhere for my cool feature.
I was just brought in on an application that is a high-security banking app. I need to audit which packages are being used; where do I start? I run an npm command to get the maintenance trust levels of ALL of my packages and start scrutinizing the packages with 0s first, then the 1s, etc.
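The three scenarios above (the drop from 9 to 4.5 when a fresh account is added as co-maintainer, the brand-new publisher scoring 0, and the audit that lists the 0s first) can be reproduced with a small model of the rating. The code below is an added illustration, not part of this proposal and not anything npm ships. The proposal does not fix a formula, so the scoring here is an assumption: up to 5 points for breadth of publishing (square root of the package count, capped), up to 5 points for account age (one per year, capped), and no credit at all for accounts younger than 90 days, since a fresh account costs an attacker nothing to create. The registry data (`alice`, `newbie`, `williams-norman`, packages `x` and `z`) is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from math import isqrt
from statistics import mean

# Assumed scoring constants (not from the proposal): accounts younger than this
# get no credit at all, because a fresh account is trivial to create.
MIN_ACCOUNT_AGE_DAYS = 90
WARN_DROP = 2.0  # warn when a package's level falls by at least this much


@dataclass
class Maintainer:
    name: str
    account_created: date
    packages: set = field(default_factory=set)  # names of packages they publish


def maintainer_trust(m: Maintainer, today: date) -> int:
    """0..10: up to 5 points for breadth of publishing, up to 5 for account age."""
    age_days = (today - m.account_created).days
    if age_days < MIN_ACCOUNT_AGE_DAYS:
        return 0
    package_points = min(5, isqrt(len(m.packages)))  # 30 packages -> 5
    age_points = min(5, age_days // 365)             # 4 years -> 4
    return min(10, package_points + age_points)


def package_trust(package: str, registry: dict, today: date) -> float:
    """Package Maintainer Trust Level: the plain average over everyone who publishes it."""
    ratings = [maintainer_trust(m, today) for m in registry.values() if package in m.packages]
    if not ratings:
        raise ValueError(f"{package}: no maintainer found in registry")
    return float(mean(ratings))


def trust_drop_warning(package: str, before: float, after: float):
    """The warning the proposal asks for at upgrade time; None when nothing notable changed."""
    if before - after >= WARN_DROP:
        return f"WARNING {package}: Maintainer Trust Level dropped from {before} to {after}"
    return None


def audit(packages, registry: dict, today: date):
    """Lowest-trust packages first, so an auditor scrutinizes the 0s before the 1s."""
    scored = ((p, package_trust(p, registry, today)) for p in packages)
    return sorted(scored, key=lambda pair: (pair[1], pair[0]))


# --- constructed sample registry (hypothetical accounts and packages) ---
TODAY = date(2023, 6, 1)
alice = Maintainer("alice", date(2019, 3, 1), {"x"} | {f"pkg-{i}" for i in range(29)})
newbie = Maintainer("newbie", date(2023, 5, 2), {"x"})              # 30-day-old account, only package x
norman = Maintainer("williams-norman", date(2023, 5, 27), {"z"})    # 5-day-old account, only package z

REGISTRY_BEFORE = {"alice": alice, "williams-norman": norman}       # before alice adds a co-maintainer
REGISTRY_AFTER = {**REGISTRY_BEFORE, "newbie": newbie}              # after newbie is added to x

if __name__ == "__main__":
    before = package_trust("x", REGISTRY_BEFORE, TODAY)
    after = package_trust("x", REGISTRY_AFTER, TODAY)
    print(f"x: {before} -> {after}")
    print(trust_drop_warning("x", before, after))
    for name, level in audit(["x", "z", "pkg-0"], REGISTRY_AFTER, TODAY):
        print(f"{level:>4}  {name}")
```

With these constants `alice` rates 9, both young accounts rate 0, package `x` falls from 9.0 to 4.5 once `newbie` is added, package `z` sits at 0.0, and the audit lists `z`, then `x`, then `pkg-0`. The point of the cut-off on young accounts is that a co-maintainer added yesterday should drag the package level down regardless of how the breadth points are tuned; the exact weights are the "factors" the summary says should be iterated on.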
In summary: Put a quickly visualize-able abstraction around a trust level rating based on the information you already have. Expose the rating level. Iterate the factors that go into the rating.