
Package Maintenance Scores: Who's Keeping Up?

PkgPulse Team

TL;DR

Maintenance quality is the single best predictor of a package's long-term reliability — more than stars, downloads, or age. A package with 100K downloads and weekly releases beats one with 5M downloads and no commits in 18 months. Four signals matter: release recency, issue response time, dependency freshness, and contributor activity. Packages that score high on all four are safe to build on; packages that fail more than two of them warrant a migration plan.

Key Takeaways

  • Release recency — last release date signals maintainer activity better than any other metric
  • Issue response time — responsive maintainers fix bugs fast; silent ones don't
  • Dependency freshness — outdated transitive deps accumulate security debt silently
  • Contributor count — single-maintainer packages have high bus factor risk
  • Packages in "maintenance mode" are intentionally stable, not abandoned — context matters

The Four Maintenance Signals

Signal 1: Release Recency

# Check last release date:
npm view package-name time --json | tail -5
# Or: npmjs.com/package/package-name → shows "last published" prominently

# What the date tells you:
# < 30 days: active development
# 1-3 months: healthy cadence for stable libraries
# 3-6 months: watch closely — is this intentional stability or drift?
# 6-12 months: investigate — check GitHub for activity
# > 12 months: likely stagnant or intentionally stable

# The "intentionally stable" exception:
# lodash: rare updates because it's feature-complete, not abandoned
# uuid: stable utilities don't need frequent releases
# semver: specification-driven, changes slowly by design
# These are fine. The red flag is: active use library + no releases

# Check release history (not just latest): the last 5 versions with their publish dates
npm view package-name time --json | jq -r 'del(.created, .modified) | to_entries | .[-5:] | .[] | "\(.value)  \(.key)"'
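An added example, not PkgPulse's own code, that applies the bands above to the `time` object `npm view <pkg> time --json` prints: it drops the registry's `created`/`modified` keys, finds the latest release, and reports days since it, releases in the last year, and the median gap between releases. The registry data and the `now` argument are constructed so the result is reproducible.

```javascript
// Constructed sample in the shape npm's registry returns for `time`.
const SAMPLE_TIME = {
  created: '2021-01-10T12:00:00.000Z',
  modified: '2024-04-02T09:30:00.000Z',
  '1.0.0': '2021-01-10T12:00:00.000Z',
  '1.1.0': '2021-06-15T08:00:00.000Z',
  '1.2.0': '2022-02-01T08:00:00.000Z',
  '2.0.0': '2023-09-20T10:00:00.000Z',
  '2.0.1': '2024-04-02T09:30:00.000Z',
};

const DAY_MS = 24 * 60 * 60 * 1000;

// The bands from the section above, keyed by days since the last release.
function recencyBand(days) {
  if (days < 30) return 'active';
  if (days <= 90) return 'healthy';
  if (days <= 180) return 'watch';
  if (days <= 365) return 'investigate';
  return 'stagnant-or-intentionally-stable';
}

// `now` defaults to the current time; pass a fixed Date for reproducible output.
function releaseRecency(time, now = new Date()) {
  // Everything except the registry bookkeeping keys is a published version.
  const releases = Object.entries(time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, date]) => ({ version, at: new Date(date) }))
    .sort((a, b) => a.at - b.at);
  if (releases.length === 0) return null;

  const last = releases[releases.length - 1];
  const daysSinceLast = Math.floor((now - last.at) / DAY_MS);
  const yearAgo = new Date(now.getTime() - 365 * DAY_MS);
  const releasesLastYear = releases.filter(r => r.at >= yearAgo).length;

  // Cadence: upper median of the gaps between consecutive releases, in days.
  const gaps = releases.slice(1)
    .map((r, i) => (r.at - releases[i].at) / DAY_MS)
    .sort((a, b) => a - b);
  const medianGapDays = gaps.length ? Math.round(gaps[Math.floor(gaps.length / 2)]) : null;

  return { latest: last.version, daysSinceLast, band: recencyBand(daysSinceLast), releasesLastYear, medianGapDays };
}

console.log(releaseRecency(SAMPLE_TIME, new Date('2024-06-01T00:00:00Z')));
```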

Signal 2: Issue Response Time

# How to check on GitHub:
# github.com/org/repo/issues?q=is:open

# Look for:
# ✅ Issues with maintainer responses within 1-2 weeks
# ✅ Bug reports with "confirmed" or "investigating" labels
# ✅ Recent closed issues (within last 3 months)

# Red flags:
# ❌ 100+ open issues, newest response 6+ months ago
# ❌ Security issues labeled but no response
# ❌ PR with "LGTM" from contributors but no maintainer review for months
# ❌ Repo says "we're looking for maintainers"

# Automation tools that measure this:
# https://isitmaintained.com/ — shows: % open issues, average resolution time
# github.com/org/repo/pulse — activity summary last 30 days

Signal 3: Dependency Freshness

# Your package's own dependencies can be outdated
# Check with npm audit in the package's repo:
git clone https://github.com/org/package
cd package && npm audit

# Or check programmatically:
npm view package-name dependencies
# Then check if each listed dependency is on a current version

# Common pattern: package uses outdated deps with known vulnerabilities
# The package itself has no vulnerabilities but SHIPS vulnerable deps
# npm audit will catch this: "HIGH severity in package > dep > sub-dep"

# npm overrides (in your package.json): patch it yourself without waiting
# Forces the transitive vulnerable dep to a patched version (package.json is
# plain JSON, so no inline comments)
{
  "overrides": {
    "semver": ">=7.5.2"
  }
}
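An added example, not PkgPulse's code, for the "check programmatically" step: given the `dependencies` map that `npm view <pkg> dependencies --json` prints and the current version of each dep (constructed here; in practice from `npm view <dep> version`), it lists the declared ranges that can no longer resolve to the current release. Only exact, `~` and `^` ranges are evaluated, an assumption of this example; other syntax is reported as unknown.

```javascript
// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes ignored); null if not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Component-wise a >= b.
function atLeast(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// true/false when the range is exact, ~ or ^ (the only forms handled here,
// an assumption of this example); 'unknown' for any other range syntax.
function rangeAdmits(range, version) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const body = op ? r.slice(1) : r;
  if (!/^\d+\.\d+\.\d+$/.test(body)) return 'unknown';
  const floor = parseVersion(body);
  const cur = parseVersion(version);
  if (!cur) return 'unknown';
  if (op === '') return floor.every((n, i) => n === cur[i]);
  if (!atLeast(cur, floor)) return false;
  if (op === '~') return cur[0] === floor[0] && cur[1] === floor[1];
  // ^: same major; for 0.x the minor is the boundary, for 0.0.x the patch.
  if (floor[0] > 0) return cur[0] === floor[0];
  if (floor[1] > 0) return cur[0] === 0 && cur[1] === floor[1];
  return cur[0] === 0 && cur[1] === 0 && cur[2] === floor[2];
}

// Returns the deps whose declared range no longer admits the current release.
function staleDependencies(declared, latestVersions) {
  return Object.entries(declared).flatMap(([name, range]) => {
    const latest = latestVersions[name];
    const ok = latest === undefined ? 'unknown' : rangeAdmits(range, latest);
    if (ok === true) return [];
    return [{ name, range, latest: latest ?? null, status: ok === false ? 'stale' : 'unknown' }];
  });
}

// Constructed sample: hypothetical deps, not real registry data.
const DECLARED = { 'lib-a': '^5.7.1', 'lib-b': '~1.2.5', 'lib-c': '2.0.0', 'lib-d': '^0.3.0', 'lib-e': '>=1 <2' };
const LATEST = { 'lib-a': '7.6.0', 'lib-b': '1.2.8', 'lib-c': '2.1.0', 'lib-d': '0.4.1', 'lib-e': '1.9.0' };

console.log(staleDependencies(DECLARED, LATEST));
```

A dep reported as stale is exactly the "package ships outdated deps" pattern above; `npm audit` tells you whether the pinned version also carries a known advisory.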

Signal 4: Contributor Activity

# Bus factor: how many people could be hit by a bus and kill the project?

# Check on GitHub:
# github.com/org/repo/graphs/contributors

# Healthy patterns:
# ✅ 5+ active contributors in last 6 months
# ✅ Mix of maintainers + external contributors
# ✅ Code review happening on PRs (not just owner merging)

# Risky patterns:
# ⚠️  Single maintainer, high-use package
# ⚠️  Corporate-sponsored project that went quiet (company interest changed)
# ⚠️  Open PRs from contributors, never merged

# High-risk examples (historically):
# - event-stream (2018): single maintainer transferred to malicious actor
# - node-ipc (2022): single maintainer added protestware deliberately
# - left-pad (2016): single maintainer unpublished, broke the internet

Maintenance Score Examples

Tier A: Excellent Maintenance

# Vite — maintenance score: 97/100
# Release cadence: weekly or biweekly
# Issue response: < 24 hours on most issues
# Contributor count: 15+ active contributors
# Dependency health: always fresh
# Corporate backing: Vercel + multiple companies employ contributors

# Fastify — maintenance score: 95/100
# OpenJS Foundation project
# LTS releases: defined support windows (like Node.js)
# Security team: formal CVE disclosure process
# Issue SLA: critical bugs fixed within 24-48h
# Enterprise support available

# Zustand — maintenance score: 95/100
# Small but dedicated: Daishi Kato + 3-4 regular contributors
# Responsive: GitHub issues typically answered within 1-3 days
# Releases: monthly, no missed months in 2 years
# Deps: zero runtime dependencies (nothing to go stale)

Tier B: Good Maintenance

# Express — maintenance score: 75/100
# "Maintenance mode" but with caveats:
# - Security patches: YES, typically within weeks
# - Feature development: NO (intentional freeze)
# - New APIs: NO
# - Node.js compatibility: maintained
# Assessment: Safe to use, will not get new features

# Webpack — maintenance score: 72/100
# - Still releasing (v5.x patches)
# - Issue response slowed vs 2020-2022
# - Core contributors reduced
# - Main dev focus shifted to Rspack (at Bytedance)
# Assessment: Fine for existing projects, evaluate alternatives for new ones

# Moment.js — maintenance score: 65/100
# Explicitly in "maintenance mode" since 2020
# - Security patches: yes
# - New features: no
# - Official recommendation: don't use for new projects
# Assessment: Your legacy app is fine; don't add new Moment usage

Tier C: Concerning Maintenance

# Create React App — maintenance score: 25/100
# - DEPRECATED (official React docs removed it)
# - Last release: 2022
# - Security vulnerabilities: unpatched
# - Maintainer activity: near zero
# Assessment: Do not use. Migrate to Vite.

# Bower — maintenance score: 5/100
# - Dead since 2018
# - No releases, no maintenance
# - Only downloaded as transitive dep of very old tooling
# Assessment: Remove all bower.json usage immediately

Maintenance Quality by Package Category

Package categories ranked by average maintenance quality (2026):

1. Build tools: 88/100 avg
   → High activity: Vite, Rollup, esbuild, Rspack all well-maintained
   → Tooling companies (Vercel, ByteDance) investing heavily

2. Testing frameworks: 86/100 avg
   → Vitest, Playwright, Testing Library all excellent
   → Jest: lower score (slower pace since Facebook reduced investment)

3. State management: 84/100 avg
   → TanStack, Pmndrs (Zustand/Jotai), Valtio all high-quality
   → Redux Toolkit still high quality

4. HTTP clients: 82/100 avg
   → Most are mature and well-maintained
   → Some older ones declining (request, got v11 chaos)

5. Date libraries: 78/100 avg
   → Day.js, date-fns excellent
   → Moment.js in maintenance mode, bringing down average

6. CSS-in-JS: 72/100 avg
   → Panda CSS, Stitches new and high quality
   → Emotion, styled-components declining with RSC adoption

7. Older Express middleware: 55/100 avg
   → Many middleware packages haven't been updated in years
   → body-parser, compression, helmet: varying maintenance

Automated Maintenance Monitoring

# Stay informed about maintenance changes:

# 1. Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    # Automatically opens PRs when deps have updates
    # Security updates: immediate

# 2. Renovate (more powerful)
# renovate.json (plain JSON, so no inline comments)
# "automerge": true auto-merges patch/minor updates
{
  "extends": ["config:base"],
  "schedule": ["before 9am on Monday"],
  "automerge": true,
  "packageRules": [{
    "matchDepTypes": ["devDependencies"],
    "automerge": true
  }]
}

# 3. Socket.dev monitoring
# npm install -g @socket/cli
# socket scan create  ← monitors for changes in your deps
# Alerts when: new maintainer, suspicious code added, CVE discovered

The Maintenance vs Feature Trade-Off

Developers often conflate:
"No new features" with "abandoned"

They're different:

Intentionally stable (safe):
- lodash: feature-complete since ~2019
- semver: follows a specification
- uuid: low-level, doesn't need changes
- Express: in maintenance mode, security still patched

Abandoned (unsafe):
- Create React App: deprecated, vulnerabilities unfixed
- Bower: dead, no activity
- node-fetch v2: CJS-only in ESM world, maintainer moved to v3
- request: explicitly deprecated by maintainer

How to tell the difference:
→ Read the README — does it say "maintenance mode" explicitly?
→ Check: are SECURITY issues being patched?
→ Is there a recommended migration path?
→ Are issues being TRIAGED (even if not resolved)?

"Maintenance mode" with security patches = acceptable
"Abandoned" with open CVEs = must migrate
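An added example, not PkgPulse's published scoring, that turns the four signals and the maintenance-mode vs abandoned distinction above into one decision. The thresholds are the page's own bands; the input field names and the two sample profiles are constructed for illustration, not measurements of real packages.

```javascript
// Rate each signal against the page's bands: pass / watch / fail.
function rateSignals(p) {
  return {
    releaseRecency: p.daysSinceRelease <= 90 ? 'pass' : p.daysSinceRelease <= 365 ? 'watch' : 'fail',
    issueResponse: p.maintainerResponseDays <= 14 ? 'pass' : p.maintainerResponseDays <= 180 ? 'watch' : 'fail',
    dependencyFreshness: p.vulnerableTransitiveDeps === 0 ? 'pass' : 'fail',
    contributorActivity: p.activeContributors6mo >= 5 ? 'pass' : p.activeContributors6mo >= 2 ? 'watch' : 'fail',
  };
}

// Combine the signals: open unpatched security issues or more than two failing
// signals means migrate; declared maintenance mode with security still patched
// and issues triaged is the "intentionally stable" exception.
function assess(p) {
  const signals = rateSignals(p);
  const failed = Object.values(signals).filter(v => v === 'fail').length;
  const declaredStable = p.readmeSaysMaintenanceMode && p.securityIssuesPatched && p.issuesTriaged;
  let verdict, reason;
  if (p.openSecurityIssues > 0 && !p.securityIssuesPatched) {
    verdict = 'migrate'; reason = 'open security issues with no patch';
  } else if (failed > 2) {
    verdict = 'migrate'; reason = `${failed} of 4 signals failing`;
  } else if (failed === 0) {
    verdict = 'safe'; reason = 'all four signals healthy';
  } else if (declaredStable && signals.dependencyFreshness === 'pass') {
    verdict = 'acceptable'; reason = 'intentionally stable: maintenance mode, security still patched';
  } else {
    verdict = 'watch'; reason = `${failed} of 4 signals failing, not covered by the maintenance-mode exception`;
  }
  return { signals, failed, verdict, reason };
}

// Constructed sample profiles, not measurements of real packages.
const STABLE_UTILITY = {
  daysSinceRelease: 500, maintainerResponseDays: 10, vulnerableTransitiveDeps: 0, activeContributors6mo: 2,
  readmeSaysMaintenanceMode: true, securityIssuesPatched: true, issuesTriaged: true, openSecurityIssues: 0,
};
const ABANDONED = {
  daysSinceRelease: 700, maintainerResponseDays: 400, vulnerableTransitiveDeps: 3, activeContributors6mo: 0,
  readmeSaysMaintenanceMode: false, securityIssuesPatched: false, issuesTriaged: false, openSecurityIssues: 2,
};

console.log(assess(STABLE_UTILITY).verdict, '/', assess(ABANDONED).verdict);
```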

Compare maintenance scores and health data for any npm package at PkgPulse.

The 2026 JavaScript Stack Cheatsheet

One PDF: the best package for every category (ORMs, bundlers, auth, testing, state management). Used by 500+ devs. Free, updated monthly.