Problem
A package can be clean on every existing check - no CVE, no bad override, no phantom import - and still represent a significant dependency health risk because it is unmaintained and constrains a transitive dependency below its latest safe version.
`gray-matter@4.0.3` is the worked example. Last release: 2018. Its dependency range on `js-yaml` is `^3.x`, which can never resolve to a 4.x release. When a CVE landed in `js-yaml` <4.x, the only correct fix was to replace `gray-matter` entirely: no upstream fix was ever coming. Every project that added a `js-yaml >=4.2.0` override floor was patching around a package that had been effectively abandoned for six years. `npm audit` reported clean, because the override left a non-vulnerable `js-yaml` installed and advisories are matched against installed versions. No scanner flagged the root cause.
Why existing tools miss this:
- CVE scanners check advisories - no advisory on the abandonware itself
- Override hygiene checks the pin config - not what caused the need for the pin
- Dependency bots open upgrade PRs - but cannot upgrade a package that has no new release
Proposed solution
A blended, drag-weighted maintenance risk score (DM001) for packages in the dependency graph.
Scoring dimensions
| Signal | Weight | Definition / source |
|---|---|---|
| Downstream drag | High | Does the package hold a transitive dep below its latest non-vulnerable version? Maxed when it blocks a CVE fix. |
| Release staleness | Medium | Time since the last version published to the npm registry |
| npm deprecated flag | High | Package marked deprecated in npm registry metadata |
| GitHub archive/read-only | Medium | Repo archived, or no commits in 2+ years (opt-in, requires network) |
Output
```text
MEDIUM gray-matter@4.0.3 maintenance risk
Last release: 2018 (6 years ago)
Drags js-yaml to ^3.x - blocks fix for GHSA-xxxx (js-yaml >=4.2.0 required)
npm: not deprecated    GitHub: archived
Action: replace gray-matter or find an actively maintained fork
```
CI gate
Opt-in flag `--fail-on-maintenance high` (or integrated with the existing `--fail-on`). Off by default: maintenance risk is advisory, not a build-breaking signal for most teams.
Data sources
- npm registry packuments (already fetched for fix validation)
- OSV advisories (already loaded)
- GitHub API (opt-in, for archive/activity signals)
All three data sources are already consumed by CVE Lite CLI for other purposes. DM001 is a new analysis layer over shared context, not a new data pipeline.
Acceptance criteria
- DM001 fires for unmaintained packages that constrain a transitive dep below its latest safe version
- Score reflects downstream drag severity (CVE-blocking drag ranked highest)
- Output includes the specific transitive dep being constrained and the version gap
- Opt-in CI gate via flag
- Works offline using cached packument data when available
Related
Part of the dependency hygiene engine - see umbrella issue #733. DM001 reuses OA's parent graph data and OSV advisories. A DM "replace" recommendation resolves an OA stale floor and a PD phantom in one action.