Closed SCjona closed 1 month ago
Hi Jona! That's a good idea, however that's kinda subjective in my opinion... A duration can be considered unmaintained for one project but normal for another. Also (my main concern): some projects can be "done", and that doesn't mean the dev won't fix an issue within a week if there happens to be one (obviously there should be an "ignore" button on a per package/version basis to fix that).
My overall feel is that there is no real "metric" to measure whether a project is abandoned or not you see?
I like the idea but I’m not sure about how to do it right
Well, usually most packages update their dependencies, which results in a new release (with just an updated package.json and maybe minor code fixes). Technically there are also other indicators, e.g. GitHub issues open? When was the last issue closed? Activity in the repository, etc., but I believe this is too complex to implement.
Yeah, there's a lot to take into account + subjectivity; I think it's not that trivial to do. If you have a straightforward way to do that I'm totally open to it!
Well the logic I described above has a pretty much 100% correct hit rate on my projects.
If you want to try it out:
```python
import subprocess
import json
from datetime import datetime, timezone

# Top-level installed dependencies, as reported by npm in JSON form
ls = subprocess.getoutput("npm ls --json")
data = json.loads(ls)
now = datetime.now(timezone.utc)
for dep in list(data["dependencies"].keys()):
    # Last time the package's registry metadata changed, e.g. 2023-01-01T00:00:00.000Z
    updated_at_str = subprocess.getoutput("npm view " + dep + " time.modified").strip()
    try:
        # datetime.fromisoformat() only accepts a trailing "Z" on Python 3.11+,
        # so normalise it to an explicit UTC offset first
        updated_at = datetime.fromisoformat(updated_at_str.replace("Z", "+00:00"))
        update_days = (now - updated_at).days
        outdated = update_days > 365
        print(dep, update_days, "OK" if not outdated else "!!!OUTDATED!!!")
    except Exception as e:
        print(dep, "ERROR", e)
```
```sh
cd node-project
npm install
python3 <path/to/file-of-the-content-above>.py
```
Interesting example: react-query is not shown as update-able by your plugin, but this check catches that the package is "unmaintained" because it has been renamed.
Yeah, that's a basic "1 year old version" script, we hit the same problems we mentioned.
(For the `react-query` one, that's not the job of this feature, Tanner should've used the `deprecated` field though.)
I guess I should just implement that, make it configurable and tell the user to go check themselves whether the package is actually unmaintained? Sort of a "likely unmaintained" thing?
Would be nice. As I said, it should probably just be a weak warning, as this is more of a heuristic rather than fact. It's true that some things don't need updates, but it is still nice to see which dependencies could become a problem later on.
Agree! I'll do that :D
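What the thread converges on (a configurable "likely unmaintained" soft warning, the registry `.time` data from the issue description, the `deprecated` field as the stronger signal, and a per-package ignore list), as an added example that is not the plugin's code or anyone's posted script. It runs offline on a constructed sample of registry metadata; package names, dates and the `AS_OF` date are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample of the metadata `curl https://registry.npmjs.org/<pkg>`
# returns, trimmed to the fields the heuristic needs (hypothetical names/dates).
SAMPLE_REGISTRY_DOCS = {
    "old-lib": {                                  # no release for years
        "time": {"created": "2015-03-01T00:00:00.000Z",
                 "modified": "2019-06-10T12:00:00.000Z",
                 "1.0.0": "2015-03-01T00:00:00.000Z",
                 "1.2.0": "2019-06-10T12:00:00.000Z"},
        "versions": {"1.0.0": {}, "1.2.0": {}},
    },
    "renamed-lib": {                              # maintainer set `deprecated`
        "time": {"modified": "2024-01-05T00:00:00.000Z",
                 "3.0.0": "2022-07-20T00:00:00.000Z"},
        "versions": {"3.0.0": {"deprecated": "renamed to @scope/renamed-lib"}},
    },
    "fresh-lib": {                                # recent release
        "time": {"modified": "2024-11-01T00:00:00.000Z",
                 "2.1.0": "2024-11-01T00:00:00.000Z"},
        "versions": {"2.1.0": {}},
    },
}
# Fixed "now" so the results are reproducible; use datetime.now(timezone.utc) live.
AS_OF = datetime(2025, 1, 1, tzinfo=timezone.utc)

def parse_npm_time(value):
    # npm emits a trailing "Z"; datetime.fromisoformat only accepts that on
    # Python 3.11+, so normalise to an explicit UTC offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assess(name, doc, now=AS_OF, max_days=365, ignore=()):
    """Return (status, detail); status is 'ok', 'likely-unmaintained',
    'deprecated' or 'ignored'. A heuristic, not proof of abandonment."""
    if name in ignore:                 # per-package opt-out for "done" projects
        return "ignored", "ignored by user config"
    # Rank versions by publish date; "modified" also moves on metadata-only
    # edits, so the newest *version* timestamp is the better activity signal.
    newest = max(doc["versions"], key=lambda v: parse_npm_time(doc["time"][v]))
    msg = doc["versions"][newest].get("deprecated")
    if msg:                            # explicit signal beats the date heuristic
        return "deprecated", msg
    days = (now - parse_npm_time(doc["time"][newest])).days
    status = "likely-unmaintained" if days > max_days else "ok"
    return status, f"latest version published {days} days ago"

def check_all(docs, **opts):
    return {name: assess(name, doc, **opts) for name, doc in docs.items()}
```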
What problem are you trying to solve?
I want to see if I have unmaintained packages installed so I can avoid using those
Describe the solution you’d like
Soft-warn about dependencies that have not been updated in a configured amount of time (default e.g. 1 year). This info can be obtained by running
`curl https://registry.npmjs.org/package | jq .time`
or `npm view package time.modified`.
This logic is only suitable as an indicator of not being maintained and has false positives (e.g. lodash).
Describe any alternatives you’ve also considered
No response