Skip to main content

How GitHub Stars Mislead Package Selection

·PkgPulse Team
npmgithubopen-sourcepackage-selectionhealth-scores2026
0

TL;DR

GitHub stars are a vanity metric that correlate poorly with package reliability. Stars measure a moment of interest, not ongoing maintenance. Packages with fewer stars but higher download velocity, recent commits, and responsive maintainers consistently outperform high-star abandoned repos. The best signals: weekly download trends (not counts), issue close rate, release recency, and whether the package has active maintainers — not whether it was featured on Hacker News in 2021.

Key Takeaways

  • Stars lag reality by 12-36 months — packages peak in stars after the hype cycle
  • Downloads ≠ healthy growth — Legacy packages accumulate downloads forever
  • Abandoned packages have high stars — Create React App has 100K+ stars and is deprecated
  • The best metrics: download velocity (week-over-week), commit activity, issue response time
  • PkgPulse health scores factor in maintenance, community, popularity, and security

The Star Inflation Problem

# Real examples of star-to-health mismatch (2026 data):

# Create React App: 102K stars ← very high
# Status: DEPRECATED. No releases since 2022. Official React docs removed it.
# npm downloads: ~1.5M/week (legacy, not new installs)
# What the stars say: "Popular and trusted"
# Reality: "Don't use for new projects"

# Moment.js: 47K stars ← very high
# Status: Maintenance mode. No new features. Official recommendation: migrate away.
# npm downloads: ~14M/week (legacy projects not migrating)
# Stars tell you: "Battle-tested and popular"
# Reality: "Use Day.js or date-fns for new projects"

# Redux: 60K stars ← extremely high
# Status: Active, but Redux Toolkit is the recommended API (different package)
# The nuance stars miss: "redux" ≠ "@reduxjs/toolkit"
# Raw downloads: 8M/week but 60%+ are redux-toolkit indirect installs

# Zustand: 50K stars
# Status: Active, fast-growing, modern alternative
# Downloads: 8M/week and accelerating
# Both have similar stars — downloads and velocity tell the real story

What Stars Actually Measure

The GitHub Star Lifecycle:

1. Creator launches project → posts to HN, dev.to, Twitter
2. Developer sees it → stars it as "bookmark for later"
3. Stars accumulate during the hype cycle (3-6 months)
4. Stars plateau once it's no longer news
5. Package may continue to improve — or may stagnate
6. Stars never go down, even if the package dies

What stars measure:
✅ "This was interesting to somebody at some point"
✅ "People bookmarked this to try later"
✅ "It got coverage in developer media"

What stars don't measure:
❌ "This is currently maintained"
❌ "This is growing in adoption"
❌ "This solves the problem well in 2026"
❌ "This has responsive maintainers"
❌ "Security vulnerabilities are being patched"

Better Signals: What Actually Predicts Package Health

Signal 1: Download Velocity (Not Count)

# Weekly download COUNT vs VELOCITY:

# Package A: 5M downloads/week, flat for 18 months
# → Established but not growing. May be legacy-heavy.

# Package B: 500K downloads/week, +15% month-over-month
# → Growing adoption. Developers are actively choosing this.

# Package C: 10M downloads/week, -20% year-over-year
# → Actively being replaced. Decline trend matters.

# The velocity signal is more predictive than the count.
# Use npmtrends.com or PkgPulse to see the trend chart.

Signal 2: Commit Activity

# What to look for on GitHub Pulse:
# ✅ Commits in last 30 days → active maintainer
# ✅ Issues being closed → maintainer is responsive
# ✅ PR merge rate → community contributions accepted
# ⚠️  Last commit 6+ months ago → potentially stagnant
# ❌ Last commit 2+ years ago → abandoned (unless deliberately stable)

# "Deliberately stable" packages are fine:
# lodash: rarely needs updates — it's utility functions
# uuid: low-level stable utility
# Express: maintenance mode but intentionally stable

# "Abandoned but pretending otherwise":
# Package with open security vulnerabilities and no response
# Maintainer's last activity was a comment saying "I'll look at this"
# Dozens of open PRs with no review

Signal 3: Issue Response Time

# Issue response time as a proxy for maintainer commitment:

# Excellent: Issues triaged within 48 hours
# Good: Issues triaged within 2 weeks
# Concerning: Issues sitting 30+ days with no response
# Red flag: Critical security issues with no response
# Dead: Issues are locked or have "won't fix" on valid bugs

# The nuance: "triaged" doesn't mean "fixed"
# A maintainer who says "confirmed, working on it" is
# 10x more valuable than silence.

Signal 4: Release Cadence

# Release patterns and what they indicate:

# Monthly releases → active development, responds to issues
# Every 2-3 months → healthy cadence for stable libraries
# Once a year → possibly stable (like Node.js LTS) or neglected
# Last release 2+ years ago → research needed:
#   - Is it stable by design? (POSIX tools, stable specs)
#   - Or abandoned?

# Pro tip: check CHANGELOG.md, not just release dates
# "Patch: dependency bumps only" for 12 months = no real maintenance

Case Study: The "Stars vs Health" Divergence

Comparing Zustand (~50K stars) vs XState (~28K stars):

Zustand health signals (2026):
- Downloads: 8M/week, +25% YoY → strongly growing
- Last commit: this week
- Issues closed last month: ~45
- Release cadence: monthly
- TypeScript: native
- Bundle: 2KB

XState health signals (2026):
- Downloads: 4M/week, +10% YoY → growing
- Last commit: this week
- Issues closed: consistent
- Release cadence: monthly
- TypeScript: native
- Bundle: 25KB+

Stars predict nothing here — both are healthy.
But Zustand's download velocity shows much stronger adoption.
The use case matters more: Zustand for simple client state,
XState for complex statecharts and workflows.

The point: look at health signals, not star counts.

The Real Metrics to Check

Before installing any npm package, check:

1. PkgPulse Health Score
   → Composite score across maintenance, community, popularity, security

2. npm download trend (last 12 months)
   → npmtrends.com or pkgpulse.com/compare
   → Is it growing, flat, or declining?

3. Last release date
   → npm package page shows this prominently
   → Warning: >12 months for an active-use library

4. Open issues and PRs
   → GitHub → Issues tab → filter "is:open"
   → Are they being triaged? Any P0 security issues?

5. TypeScript support
   → Does it ship types natively (package.json "types" field)?
   → Or rely on @types/ (external, possibly out of date)?

6. Bundle size
   → bundlephobia.com
   → Is it tree-shakeable?

7. Alternatives
   → Are maintainers pointing to a replacement?
   → Does the README say "use X instead"?

Stars: useful for discovering packages.
Useless for evaluating them.

Packages Where Stars Actively Mislead (2026)

PackageStarsReality
Create React App102KDeprecated since 2023
Moment.js47KMaintenance mode, migrate away
request (HTTP)25KDeprecated by maintainer
node-fetch v28KSucceeded by native fetch and v3
Bower15KDead since 2018
Grunt12KSuperseded by Webpack/Vite
CoffeeScript16KObsolete since TypeScript won

See health scores, download trends, and real metrics for any package at PkgPulse.

See the live comparison

View zustand vs. jotai on PkgPulse →

The 2026 JavaScript Stack Cheatsheet

One PDF: the best package for every category (ORMs, bundlers, auth, testing, state management). Used by 500+ devs. Free, updated monthly.