Provide risk data for dependencies based on a number of factors

Problem to solve

Provide risk data for dependencies based on a number of factors:

  • number of maintainers
  • number of contributors
  • country or countries of code origin
  • age of dependency (maturity)
  • frequency of updates
  • responsiveness to bug reports
  • responsiveness to security reports

Intended users

Further details

There are multiple aspects of dependencies that people want to evaluate:

  • known vulnerabilities
  • age relative to the current release (how far behind is it: minor, major, or end of life?)
  • licenses
  • risk of the dependency

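As an added illustration (not part of this issue or of any GitLab code), the following Python sketch shows how the factors listed above could be turned into a per-dependency risk summary: a version-lag classifier for the "how far behind is it" question, plus flags for the maintainer, contributor, maturity, update-frequency and responsiveness factors. The field names, thresholds and the low/medium/high banding are all assumptions chosen for the example, and the sample dependency record is constructed.

```python
"""Added example: a minimal dependency risk summary built from the factors
listed in the proposal. Every threshold and the risk banding are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass
class DependencyFacts:
    """Hypothetical metadata record for one dependency (constructed fields)."""
    name: str
    installed: str                      # version pinned in the lockfile
    latest: str                         # newest released version
    maintainers: int
    contributors: int
    first_release: date                 # used for maturity
    last_release: date                  # used for update frequency
    median_bug_response_days: float
    median_security_response_days: float
    eol: bool = False
    known_vulns: int = 0
    origin_countries: tuple = ()


def parse_semver(version: str) -> tuple:
    """Parse 'v1.2.3-rc1' style strings into (major, minor, patch)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_lag(installed: str, latest: str) -> str:
    """Classify how far behind the installed version is: current/patch/minor/major."""
    have, want = parse_semver(installed), parse_semver(latest)
    if have >= want:
        return "current"
    if have[0] < want[0]:
        return "major"
    if have[1] < want[1]:
        return "minor"
    return "patch"


def risk_flags(dep: DependencyFacts, today: date) -> list:
    """Return the list of risk flags raised for a dependency.

    Thresholds below are illustrative assumptions, not a published standard.
    """
    flags = []
    if dep.eol:
        flags.append("eol")
    if dep.known_vulns > 0:
        flags.append("known-vulnerabilities")
    if version_lag(dep.installed, dep.latest) == "major":
        flags.append("major-behind")
    if dep.maintainers < 2:                       # bus factor of one
        flags.append("bus-factor")
    if dep.contributors < 5:
        flags.append("few-contributors")
    if (today - dep.first_release).days < 365:    # maturity
        flags.append("immature")
    if (today - dep.last_release).days > 365:     # update frequency
        flags.append("stale")
    if dep.median_bug_response_days > 90:
        flags.append("slow-bug-response")
    if dep.median_security_response_days > 30:
        flags.append("slow-security-response")
    return flags


def risk_level(flags: list) -> str:
    """Band the flag count into low/medium/high (assumed banding)."""
    if len(flags) >= 3:
        return "high"
    if flags:
        return "medium"
    return "low"


# Constructed sample record for a stand-alone run.
TODAY = date(2024, 6, 1)
SAMPLE = DependencyFacts(
    name="example-lib",
    installed="1.4.2",
    latest="2.0.0",
    maintainers=1,
    contributors=3,
    first_release=date(2023, 12, 1),
    last_release=date(2024, 5, 20),
    median_bug_response_days=10,
    median_security_response_days=45,
)

if __name__ == "__main__":
    found = risk_flags(SAMPLE, TODAY)
    print(SAMPLE.name, risk_level(found), found)
```

Because each factor maps to one named flag, the output stays explainable: a reviewer can see which of the proposal's factors drove the rating rather than only a single opaque score.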
Proposal

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Nicole Schwartz