dusan-maintains/oss-maintenance-log
GitHub: dusan-maintains/oss-maintenance-log
An open-source dependency health monitoring tool that assesses the maintenance status, community activity and security risk of npm packages through multi-dimensional metrics, with CI integration and automatic alerting.
Stars: 1 | Forks: 1
# OSS Maintenance Log
## 🔬 Scan your dependencies in one command
```
npx oss-health-scan express lodash moment react
```
```
OSS Health Scan Results
──────────────────────────────────────────────────
Scanned: 4 packages
Average health: 72.5/100
● Critical: 0 ● Warning: 1 ● Healthy: 3
🟡 WARNING
moment ██████████░░░░░░░░░░ 50.8/100 last push 582d ago 25.8M/wk
🟢 HEALTHY
react ████████████████░░░░ 80.9/100 81.0M/wk
lodash ████████████████░░░░ 79.6/100 102.7M/wk
express ████████████████░░░░ 78.8/100 71.7M/wk
```
**Zero dependencies. v1.5.0.** Scans any npm package, scores it 0–100, detects outdated versions (libyear), checks known CVEs via OSV.dev, retries automatically on failure, and exits with code 1 when critical issues are found. GitHub GraphQL batching (50 packages in a single API call). SARIF output for GitHub Code Scanning. Programmatic API for custom integrations. CI-ready.
`npm audit` only finds CVEs. **This tool finds abandoned packages, outdated dependencies and vulnerabilities, all in one command.**
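As an added illustration of the libyear metric mentioned above (example code written for this page, not the project's `lib/outdated.js`), the block below computes libyear and a semver drift class from registry-style data. The `INSTALLED` and `REGISTRY` objects, the package names and the dates are constructed; the `outdatedReport` function and its `drift` labels are assumptions, not the CLI's real output format:

```javascript
// Added example, not the project's lib/outdated.js: the libyear metric
// ("how many years of releases is the installed version behind?") and a
// semver drift classification of the kind an --outdated report is built on.
// REGISTRY is constructed to mimic the npm registry's `dist-tags` and `time`
// fields; nothing is fetched from the network.

const YEAR_MS = 365.25 * 24 * 60 * 60 * 1000;

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Classify how far the installed version lags the registry's `latest` tag.
function driftKind(installed, latest) {
  const [iMaj, iMin, iPat] = parseSemver(installed);
  const [lMaj, lMin, lPat] = parseSemver(latest);
  if (lMaj > iMaj) return 'major';
  if (lMaj === iMaj && lMin > iMin) return 'minor';
  if (lMaj === iMaj && lMin === iMin && lPat > iPat) return 'patch';
  return 'current'; // equal, or installed is ahead of `latest` (e.g. a prerelease)
}

// libyear: years elapsed between the installed version's publish date and the latest's.
function libyear(installedPublished, latestPublished) {
  const years = (Date.parse(latestPublished) - Date.parse(installedPublished)) / YEAR_MS;
  return Math.max(0, years); // never negative when installed is newer than `latest`
}

const round2 = (x) => Math.round(x * 100) / 100;

// installed: { name: version }
// registry:  { name: { 'dist-tags': { latest }, time: { version: ISO date } } }
function outdatedReport(installed, registry) {
  const rows = [];
  let total = 0;
  for (const [name, version] of Object.entries(installed)) {
    const doc = registry[name];
    if (!doc) {
      // Package unknown to the registry: report it rather than abort the whole scan.
      rows.push({ name, installed: version, latest: null, drift: 'unknown', libyears: 0 });
      continue;
    }
    const latest = doc['dist-tags'].latest;
    const published = doc.time[version];
    const latestPublished = doc.time[latest];
    // Missing publish dates count as 0 libyears instead of failing the scan.
    const years = published && latestPublished ? libyear(published, latestPublished) : 0;
    total += years;
    rows.push({ name, installed: version, latest, drift: driftKind(version, latest), libyears: round2(years) });
  }
  rows.sort((a, b) => b.libyears - a.libyears); // most-behind first
  return { rows, totalLibyears: round2(total) };
}

// Constructed sample data (not real packages or dates).
const INSTALLED = { 'alpha-lib': '1.4.0', 'beta-lib': '2.3.1', 'gamma-lib': '0.9.2', 'ghost-lib': '1.0.0' };
const REGISTRY = {
  'alpha-lib': { 'dist-tags': { latest: '3.0.0' }, time: { '1.4.0': '2023-01-01T00:00:00Z', '3.0.0': '2025-01-01T00:00:00Z' } },
  'beta-lib':  { 'dist-tags': { latest: '2.3.1' }, time: { '2.3.1': '2025-05-10T00:00:00Z' } },
  'gamma-lib': { 'dist-tags': { latest: '0.9.5' }, time: { '0.9.2': '2025-07-01T00:00:00Z', '0.9.5': '2025-10-01T00:00:00Z' } },
};

const report = outdatedReport(INSTALLED, REGISTRY);
for (const r of report.rows) {
  console.log(`${r.name.padEnd(10)} ${r.installed} -> ${r.latest ?? '?'}  ${r.drift.padEnd(7)} ${r.libyears} libyears`);
}
console.log(`total: ${report.totalLibyears} libyears`);
```

The total libyear figure is the one that belongs on a dashboard: a single dependency two years behind its latest release usually matters more than a dozen that are a patch release behind, which is why the rows are sorted by libyears rather than by drift kind.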
## 📊 Interactive dashboard
[**➜ Open the live dashboard**](https://dusan-maintains.github.io/oss-maintenance-log)
Dark-mode dashboard built on Chart.js: health-score gauges, npm download distribution, radar-chart breakdown, action queue. Refreshes automatically with the latest data every 6 hours.
## The problem
Thousands of packages are effectively abandoned yet still downloaded hundreds of thousands of times a week. Issue trackers pile up, security patches go unmerged, and downstream teams silently inherit the risk. `npm audit` catches CVEs, but **cannot detect abandoned packages**.
## What this project does
Config-driven PowerShell + GitHub Actions that automatically:
- **Polls the GitHub API**: stars, forks, issue count and last push date for every repository
- **Pulls npm downloads**: weekly figures over a rolling window
- **Tracks PRs**: status, mergeability and diff stats of your contributions
- **Monitors review SLAs**: flags when maintainer feedback is overdue
- **Computes health scores (0–100)**: a weighted engine that also generates SVG badges
- **Detects trends**: 180-day history with 7-day and 30-day deltas
- **Raises alerts**: opens a GitHub Issue automatically when a package drops below a critical threshold
- **Builds an action queue**: sorted by urgency
- **Commits snapshots**: machine-readable JSON + human-readable Markdown every 6 hours
- Renders an **interactive dark-mode dashboard** on GitHub Pages
## Currently tracked projects
| Project | Stars | npm/week | Status | Health | My PRs |
|---------|-------|----------|--------|--------|--------|
| [grafana/grafana](https://github.com/grafana/grafana) | 72.8k | — | 🟢 Open |  | [#119212](https://github.com/grafana/grafana/pull/119212) |
| [lingdojo/kana-dojo](https://github.com/lingdojo/kana-dojo) | 1.9k | — | ✅ **Merged** |  | [#6309](https://github.com/lingdojo/kana-dojo/pull/6309) |
| [kylefox/jquery-modal](https://github.com/kylefox/jquery-modal) | 2.6k | 11.3k | 🟡 Maintainers Wanted |  | [#315](https://github.com/kylefox/jquery-modal/pull/315), [#316](https://github.com/kylefox/jquery-modal/pull/316), [#317](https://github.com/kylefox/jquery-modal/pull/317) |
| [kylefox/jquery-tablesort](https://github.com/kylefox/jquery-tablesort) | 258 | 1.9k | 🟡 Maintainers Wanted |  | [#49](https://github.com/kylefox/jquery-tablesort/pull/49) |
| [extrabacon/python-shell](https://github.com/extrabacon/python-shell) | 2.2k | 106.4k | 🔴 Maintainer Gap |  | [#320](https://github.com/extrabacon/python-shell/pull/320) |
| [jkbrzt/rrule](https://github.com/jkbrzt/rrule) | 3.7k | 644.6k | 🔴 Open Backlog |  | [#664](https://github.com/jkbrzt/rrule/pull/664) |
| [Hellenic/react-hexgrid](https://github.com/Hellenic/react-hexgrid) | 351 | 713 | 🟡 Maintainer Needed |  | [#123](https://github.com/Hellenic/react-hexgrid/pull/123) |
*Across tracked projects:* **83.8k stars · 765k downloads/week · refreshed 03/21/2026**
## Health score
Each package gets a **weighted health score (0–100)**:
| Dimension | Weight | Metrics |
|-----------|--------|---------|
| **Maintenance** | 40% | Last push recency (exponential decay), last npm publish, open issues ratio |
| **Community** | 25% | GitHub stars (log-scaled), forks |
| **Popularity** | 20% | npm downloads/week (log-scaled) |
| **Risk** | 15% | Inactivity penalty, issue backlog, stale publish, license risk |
**Instant flags:** DEPRECATED → 5/100, ARCHIVED → 8/100.
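To make the weighting concrete, here is an added example scoring function written for this page; it is not the project's `lib/scoring.js` or `compute-health-scores.ps1`. The four dimensions, their weights and the DEPRECATED/ARCHIVED values come from the table above; the half-lives, log-scale caps, penalty sizes, the `healthScore`/`logScale`/`recency` names and the `SAMPLES` data are assumptions:

```javascript
// Added illustrative example, not the project's lib/scoring.js: a weighted
// 0–100 health score using the dimensions and weights from the table above.
// Half-lives, log-scale caps and penalty sizes are assumptions chosen for
// illustration; the DEPRECATED/ARCHIVED values are the README's instant flags.

const WEIGHTS = { maintenance: 0.40, community: 0.25, popularity: 0.20, risk: 0.15 };
const DAY_MS = 24 * 60 * 60 * 1000;

// Saturating log scale: 0 for x <= 0, 1 once x reaches the (assumed) cap.
function logScale(x, cap) {
  if (x <= 0) return 0;
  return Math.min(1, Math.log10(1 + x) / Math.log10(1 + cap));
}

// Exponential decay by age: 1 for "today", 0.5 after one half-life (assumed half-lives).
function recency(daysAgo, halfLifeDays) {
  if (daysAgo <= 0) return 1;
  return Math.pow(0.5, daysAgo / halfLifeDays);
}

function daysSince(date, now) {
  return (now.getTime() - date.getTime()) / DAY_MS;
}

function healthScore(pkg, now = new Date()) {
  // Instant flags short-circuit the weighted engine.
  if (pkg.deprecated) return { score: 5, riskLevel: 'critical', reason: 'DEPRECATED' };
  if (pkg.archived) return { score: 8, riskLevel: 'critical', reason: 'ARCHIVED' };

  const pushAge = daysSince(pkg.lastPush, now);
  const publishAge = daysSince(pkg.lastPublish, now);
  const issueRatio = pkg.openIssues / Math.max(1, pkg.openIssues + pkg.closedIssues);

  // Maintenance (40%): push recency, publish recency, share of issues still open.
  const maintenance = 0.5 * recency(pushAge, 180) + 0.3 * recency(publishAge, 365) + 0.2 * (1 - issueRatio);
  // Community (25%): stars and forks on saturating log scales.
  const community = 0.7 * logScale(pkg.stars, 100_000) + 0.3 * logScale(pkg.forks, 20_000);
  // Popularity (20%): weekly npm downloads, log-scaled.
  const popularity = logScale(pkg.downloadsPerWeek, 100_000_000);
  // Risk (15%): start from 1 (no risk) and subtract each penalty that applies.
  let risk = 1;
  if (pushAge > 365) risk -= 0.4;        // inactivity penalty
  if (pkg.openIssues > 500) risk -= 0.2; // issue backlog
  if (publishAge > 730) risk -= 0.2;     // stale publish
  if (!pkg.license) risk -= 0.2;         // license risk: nothing declared
  risk = Math.max(0, risk);

  const raw = 100 * (WEIGHTS.maintenance * maintenance + WEIGHTS.community * community
                   + WEIGHTS.popularity * popularity + WEIGHTS.risk * risk);
  const score = Math.round(Math.min(100, Math.max(0, raw)) * 10) / 10;
  const riskLevel = score < 40 ? 'critical' : score < 60 ? 'warning' : 'healthy';
  return { score, riskLevel, breakdown: { maintenance, community, popularity, risk } };
}

// Constructed sample inputs (not real package data), evaluated at a fixed "now".
const NOW = new Date('2026-03-21T00:00:00Z');
const SAMPLES = {
  active: { stars: 50_000, forks: 8_000, openIssues: 100, closedIssues: 900, downloadsPerWeek: 80_000_000,
            lastPush: new Date('2026-03-19T00:00:00Z'), lastPublish: new Date('2026-03-01T00:00:00Z'), license: 'MIT' },
  stale:  { stars: 48_000, forks: 7_000, openIssues: 800, closedIssues: 4_000, downloadsPerWeek: 25_800_000,
            lastPush: new Date('2024-08-17T00:00:00Z'), lastPublish: new Date('2024-01-12T00:00:00Z'), license: 'MIT' },
  deprecated: { deprecated: true },
  archived: { archived: true },
};

for (const [name, pkg] of Object.entries(SAMPLES)) {
  const { score, riskLevel } = healthScore(pkg, NOW);
  console.log(`${name.padEnd(10)} ${score}/100 [${riskLevel}]`);
}
```

The point of the `stale` sample is that popularity alone cannot rescue a package: tens of millions of weekly downloads still leave it in the warning band once push recency decays and the inactivity and backlog penalties drain the risk dimension, which is exactly the "popular but abandoned" case `npm audit` never reports.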
## Contributions
### Merged
- **kana-dojo [#6309](https://github.com/lingdojo/kana-dojo/pull/6309)** — content: add new japanese idiom. Merged 02/27/2026.
### Open
- **grafana [#119212](https://github.com/grafana/grafana/pull/119212)** — Emails: Remove external Google Fonts and logo URL from email templates
- **jquery-modal [#315](https://github.com/kylefox/jquery-modal/pull/315)** — fix: harden close button rendering and refresh docs/examples
- **jquery-modal [#316](https://github.com/kylefox/jquery-modal/pull/316)** — fix: keep ajax callbacks scoped to their originating modal
- **jquery-modal [#317](https://github.com/kylefox/jquery-modal/pull/317)** — fix: make plugin initialization idempotent for multiple imports
- **jquery-tablesort [#49](https://github.com/kylefox/jquery-tablesort/pull/49)** — Fix stale tablesort.$th reference after header clicks
- **python-shell [#320](https://github.com/extrabacon/python-shell/pull/320)** — Fix runString temp path to use tmpdir() and add regression test
- **rrule [#664](https://github.com/jkbrzt/rrule/pull/664)** — fix: handle WeekdayStr arrays when serializing BYDAY
- **react-hexgrid [#123](https://github.com/Hellenic/react-hexgrid/pull/123)** — test: add coverage for GridGenerator.ring and .spiral
## Use it yourself
### Quick scan (no install)
```
npx oss-health-scan express lodash moment
```
### Full monitoring setup
1. Fork this repository
2. Edit `config/tracked-repositories.json`: your packages, PRs and SLA settings
3. Push: GitHub Actions runs every 6 hours
4. `evidence/` fills up with JSON + Markdown snapshots
5. Health scores + SVG badges are generated automatically
```
{
  "version": 1,
  "contributor": "your-github-username",
  "default_sla_hours": 24,
  "repositories": [
    {
      "owner": "org",
      "repo": "package-name",
      "package": "npm-package-name",
      "tracked_pr_numbers": [42]
    }
  ]
}
```
### CI integration
```
# .github/workflows/health-check.yml
name: Dependency Health Check
on:
  schedule:
    - cron: "0 9 * * 1"
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx oss-health-scan --threshold 30
  # Optional: upload to GitHub Code Scanning
  sarif:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx oss-health-scan --sarif > health.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: health.sarif
```
### GitHub Action (reusable)
```
- uses: dusan-maintains/oss-maintenance-log@main
  id: health
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Fail on critical
  if: steps.health.outputs.critical-count > 0
  run: |
    echo "Found ${{ steps.health.outputs.critical-count }} critical packages"
    echo "Average health: ${{ steps.health.outputs.avg-health }}"
    exit 1
```
## 📊 Live data
- [📊 Interactive Dashboard](https://dusan-maintains.github.io/oss-maintenance-log) — health scores, charts, action queue
- [Health Scores](./evidence/health-scores.md) — weighted 0-100 per package
- [Ecosystem Status](./evidence/ecosystem-status.md) — aggregated snapshot
- [Action Queue](./evidence/action-queue.md) — prioritized tasks
- Per-repo SLA: [grafana](./evidence/review-sla-grafana.md) · [kana-dojo](./evidence/review-sla-kana-dojo.md) · [jquery-modal](./evidence/review-sla.md) · [tablesort](./evidence/review-sla-tablesort.md) · [python-shell](./evidence/review-sla-python-shell.md) · [rrule](./evidence/review-sla-rrule.md) · [react-hexgrid](./evidence/review-sla-react-hexgrid.md)
## Project structure
```
config/tracked-repositories.json   ← All configuration
scripts/
  common.ps1                       ← Shared functions (DRY)
  update-all-evidence.ps1          ← Single orchestrator (full pipeline)
  compute-health-scores.ps1        ← Health scoring (0-100)
  compute-trends.ps1               ← 180-day trend engine
  check-alerts.ps1                 ← Auto GitHub Issues
  update-readme-stats.ps1          ← Auto-regenerates all README sections
cli/
  bin/scan.js                      ← CLI entry point
  lib/api.js                       ← Programmatic API (scanPackages, scanPackageJson)
  lib/scoring.js                   ← JS health algorithm
  lib/sarif.js                     ← SARIF 2.1.0 output for GitHub Code Scanning
  lib/outdated.js                  ← Libyear metric + drift classification
  lib/osv.js                       ← CVE check via OSV.dev API
  lib/unused.js                    ← Unused dependency detection
  lib/github-graphql.js            ← GitHub GraphQL batch API (1 query for N repos)
  lib/fetcher.js                   ← HTTP client with retry + 429 handling + ETag cache
  lib/reporter.js                  ← Colored terminal output
evidence/
  *.json, *.md                     ← Machine + human snapshots
  badges/*.svg                     ← Health badges
tests/
  common.Tests.ps1                 ← Pester v5 tests (21 passing)
  health-score.Tests.ps1
cli/test/
  *.test.js                        ← 71 JS tests
.github/workflows/
  evidence-daily.yml               ← Cron: full pipeline every 6 hours
  validate.yml                     ← CI: config + Pester + CLI tests
  publish-cli.yml                  ← Publish to npm on release
```
## License
MIT
*Automatically updated every 6 hours by [GitHub Actions](https://github.com/dusan-maintains/oss-maintenance-log/actions).*
## CLI reference
### CLI flags
```
npx oss-health-scan                 # Scan ./package.json
npx oss-health-scan pkg1 pkg2       # Scan specific packages
npx oss-health-scan --dev           # Include devDependencies
npx oss-health-scan --outdated      # Show installed vs latest + libyear metric
npx oss-health-scan --vulns         # Check OSV.dev for known CVEs
npx oss-health-scan --unused        # Detect unused dependencies
npx oss-health-scan --json          # JSON output for CI
npx oss-health-scan --sarif         # SARIF 2.1.0 for GitHub Code Scanning
npx oss-health-scan --markdown      # Markdown table for PR comments
npx oss-health-scan --threshold 40  # Only unhealthy
npx oss-health-scan --sort name     # Sort by: score, name, downloads, risk
```
### Programmatic API
```
const { scanPackages, scanPackageJson } = require('oss-health-scan');

(async () => {
  // Scan specific packages
  const { results } = await scanPackages(['react', 'lodash', 'moment']);
  for (const r of results) {
    console.log(`${r.name}: ${r.health_score}/100 [${r.risk_level}]`);
  }

  // Scan a project's package.json (destructured under another name so
  // `results` is not redeclared in the same scope)
  const { results: projectResults, pkgName } = await scanPackageJson('.', { dev: true });
  console.log(`${pkgName}: ${projectResults.length} dependencies scanned`);
})();
```
### Config file
Add to `package.json` or create `.oss-health-scanrc.json`:
```
{
  "oss-health-scan": {
    "threshold": 40,
    "exclude": ["moment"],
    "dev": true
  }
}
```
### GitHub Code Scanning (SARIF)
```
- name: Scan dependency health
  run: npx oss-health-scan --sarif > health.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: health.sarif
```
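As an added example of what a SARIF 2.1.0 log for Code Scanning has to contain (illustrative code for this page, not the project's `lib/sarif.js`), the block below converts scan results into a SARIF document with each alert anchored on the dependency's line in `package.json`. The `buildSarif`, `sarifLevel` and `dependencyLine` names, the rule ids, the score-to-level thresholds and the `PACKAGE_JSON`/`RESULTS` data are assumptions or constructed:

```javascript
// Added example, not the project's lib/sarif.js: turn scan results into a
// minimal SARIF 2.1.0 log that GitHub Code Scanning can ingest. Rule ids,
// the health-score -> SARIF level mapping and the sample data are assumptions.

const SARIF_SCHEMA = 'https://json.schemastore.org/sarif-2.1.0.json';

// Map a 0–100 health score to a SARIF result level (assumed thresholds).
function sarifLevel(score) {
  if (score < 40) return 'error';
  if (score < 60) return 'warning';
  return 'note';
}

// One rule per kind of finding; the ids are made up for this example.
function ruleFor(result) {
  if (result.deprecated) return { id: 'OSS-DEPRECATED', shortDescription: { text: 'Dependency is deprecated on npm' } };
  if (result.archived) return { id: 'OSS-ARCHIVED', shortDescription: { text: 'Upstream repository is archived' } };
  return { id: 'OSS-LOW-HEALTH', shortDescription: { text: 'Dependency health score below threshold' } };
}

// 1-based line of the `"<name>":` entry in package.json text, so the alert points at
// the dependency declaration; falls back to line 1 when the entry is not found.
function dependencyLine(packageJsonText, name) {
  const lines = packageJsonText.split('\n');
  const idx = lines.findIndex((l) => l.trim().startsWith(`"${name}"`));
  return idx === -1 ? 1 : idx + 1;
}

function buildSarif(results, packageJsonText,
                    { threshold = 60, toolName = 'oss-health-scan', toolVersion = '0.0.0-example' } = {}) {
  const rules = new Map();
  const sarifResults = [];
  for (const r of results) {
    const flagged = r.deprecated || r.archived || r.health_score < threshold;
    if (!flagged) continue; // healthy packages produce no alert
    const rule = ruleFor(r);
    rules.set(rule.id, rule); // rules array must list every ruleId used by a result
    sarifResults.push({
      ruleId: rule.id,
      level: sarifLevel(r.health_score),
      message: { text: `${r.name}: health ${r.health_score}/100 (${r.risk_level})` },
      locations: [{ physicalLocation: {
        artifactLocation: { uri: 'package.json', uriBaseId: '%SRCROOT%' },
        region: { startLine: dependencyLine(packageJsonText, r.name) },
      } }],
      // Stable fingerprint so Code Scanning tracks one alert per package across uploads.
      partialFingerprints: { 'oss-health-scan/package': r.name },
    });
  }
  return {
    $schema: SARIF_SCHEMA,
    version: '2.1.0',
    runs: [{
      tool: { driver: { name: toolName, version: toolVersion, rules: [...rules.values()] } },
      results: sarifResults,
    }],
  };
}

// Constructed package.json text and scan results; the three real package names and
// their scores mirror the README's sample output, "example-deprecated-pkg" is invented.
const PACKAGE_JSON = `{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "^4.17.21",
    "moment": "^2.29.4",
    "example-deprecated-pkg": "^1.0.0"
  }
}`;
const RESULTS = [
  { name: 'express', health_score: 78.8, risk_level: 'healthy' },
  { name: 'lodash', health_score: 79.6, risk_level: 'healthy' },
  { name: 'moment', health_score: 50.8, risk_level: 'warning' },
  { name: 'example-deprecated-pkg', health_score: 5, risk_level: 'critical', deprecated: true },
];

const SARIF = buildSarif(RESULTS, PACKAGE_JSON);
console.log(JSON.stringify(SARIF, null, 2));
```

Two details are worth keeping when adapting this: `region.startLine` must be at least 1, which is why the lookup falls back to line 1 rather than 0, and GitHub uses `partialFingerprints` to match an existing alert on later uploads, so keying it on the package name keeps one alert per dependency even when the entry moves inside `package.json`.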