OSS Risk Radar

OSS maintenance triage, research metrics, and live repository overview

Methodology

The heuristic layer in short form.

The MVP scores maintenance fragility using public activity, release, contributor, backlog, and Scorecard-style hygiene signals.

Last push age
How old the latest repository push is. Older push activity is a strong inactivity signal.
Release cadence
The approximate time between releases. Slower cadence can indicate fragility, depending on the project context.
Contributor depth
How many distinct recent contributors were observed. More depth reduces single-maintainer fragility.
Contributor concentration
How dominant one maintainer appears within recent activity. Higher concentration increases continuity risk.
Issue growth
Whether open issues are growing faster than they are being resolved. Persistent growth can signal maintenance strain.
PR responsiveness
The median time to respond to pull requests. Slower responses can indicate operational bottlenecks.
Scorecard score
An OpenSSF hygiene indicator used as security-practice context, not as a standalone trust verdict.
Signal completeness
A measure of how much of the expected public evidence was actually available for a dependency snapshot; it is reported alongside the score rather than folded silently into it.

Archived repos push risk up sharply.

Older pushes and releases increase fragility.

Thin maintainer depth increases concentration risk.

Scorecard is context, not proof of trust.

Missing signals lower confidence instead of being hidden.
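As an added illustration of how a heuristic layer of this shape can be wired together (example code, not OSS Risk Radar's own implementation), the sketch below maps each signal onto a 0..1 fragility component, skips signals that are absent, caps the Scorecard weight, forces archived repositories to high risk, and reports completeness as a confidence band. All thresholds and weights are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Snapshot:
    """Public evidence collected for one dependency (None = signal unavailable)."""
    archived: bool
    push_age_days: Optional[int] = None
    release_gap_days: Optional[int] = None
    contributors: Optional[int] = None            # distinct recent contributors
    top_contributor_share: Optional[float] = None  # 0..1 share of recent activity
    issue_growth_ratio: Optional[float] = None     # issues opened / issues closed
    pr_median_response_days: Optional[float] = None
    scorecard: Optional[float] = None              # OpenSSF Scorecard, 0..10


def _risk(value, no_risk, max_risk):
    """Linear map onto 0..1 between the no-risk and max-risk ends (either order);
    an absent signal stays None instead of being treated as zero risk."""
    if value is None:
        return None
    return min(1.0, max(0.0, (value - no_risk) / (max_risk - no_risk)))


def score(s: Snapshot) -> dict:
    # Illustrative thresholds (assumptions): where each signal starts and saturates.
    components = {
        "push_age": _risk(s.push_age_days, 30, 365),
        "release_cadence": _risk(s.release_gap_days, 90, 730),
        "contributor_depth": _risk(s.contributors, 6, 1),   # fewer people = more risk
        "concentration": _risk(s.top_contributor_share, 0.4, 1.0),
        "issue_growth": _risk(s.issue_growth_ratio, 1.0, 3.0),
        "pr_response": _risk(s.pr_median_response_days, 2, 60),
        "scorecard": _risk(s.scorecard, 10, 0),             # low hygiene = more risk
    }
    present = {k: v for k, v in components.items() if v is not None}
    # Scorecard is context, not proof of trust: half weight so it cannot dominate.
    weights = {k: (0.5 if k == "scorecard" else 1.0) for k in present}
    total = sum(weights.values())
    fragility = sum(weights[k] * present[k] for k in present) / total if total else 0.0
    if s.archived:
        fragility = max(fragility, 0.9)   # archived repos push risk up sharply
    completeness = len(present) / len(components)
    confidence = "high" if completeness >= 0.85 else "medium" if completeness >= 0.5 else "low"
    return {
        "fragility": round(fragility, 3),
        "completeness": round(completeness, 3),
        "confidence": confidence,                          # lowered, never hidden
        "missing": sorted(set(components) - set(present)),
    }
```

Calling `score(Snapshot(archived=True))` yields a 0.9 fragility with "low" confidence and every signal listed as missing, which is the intended behaviour for evidence-poor archived projects.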

Model path

The ML layer reuses these signals and evaluates them with calibration-first metrics like Brier score. See ML Results.