Package Health Scoring

CodeStax evaluates the health of your third-party dependencies beyond just known vulnerabilities. Package health scoring helps you identify risky dependencies before they become security liabilities.

What It Measures

Each dependency in your project receives a health score from 0 to 100 based on multiple signals:

Factor              Weight   Description
Maintainer count    High     Number of active maintainers. Single-maintainer packages carry higher risk.
Update frequency    High     How often the package publishes new versions. Stale packages may have unpatched issues.
Version count       Medium   Total published versions. Very few versions may indicate an immature package.
Last publish date   Medium   Time since the last release. Packages not updated in over a year are flagged.
Open issues ratio   Low      Ratio of open to closed issues on the source repository.

Health Levels

  • Healthy (80-100) — Actively maintained, multiple contributors, regular releases.
  • Fair (50-79) — Moderately maintained. May have a single maintainer or infrequent updates.
  • At Risk (0-49) — Potentially abandoned, single maintainer, or very infrequent updates. Review alternatives.
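The worked example below is an added illustration of how the factors and weights above combine into a 0-100 score and then into the three health levels; it is not CodeStax's own scoring code. The numeric weights (3/3/2/2/1 for High/High/Medium/Medium/Low), the per-factor normalisation caps, and the sample packages are all assumptions constructed for the example; only the level thresholds and the "over a year" staleness flag come from the page.

```python
from dataclasses import dataclass
from datetime import date

# Assumed numeric values for the page's High/Medium/Low weights (illustrative, not CodeStax's real weights).
WEIGHTS = {"maintainers": 3, "update_frequency": 3, "version_count": 2, "last_publish": 2, "open_issues": 1}

@dataclass
class PackageSignals:
    name: str
    maintainer_count: int
    releases_last_year: int   # proxy for update frequency
    version_count: int
    last_publish: date
    open_issues: int
    closed_issues: int

def is_stale(pkg: PackageSignals, today: date) -> bool:
    # The page flags packages not updated in over a year.
    return (today - pkg.last_publish).days > 365

def factor_scores(pkg: PackageSignals, today: date) -> dict:
    # Each signal normalised to 0.0..1.0; the caps (3 maintainers, 12 releases/yr, 10 versions) are assumptions.
    days = (today - pkg.last_publish).days
    total = pkg.open_issues + pkg.closed_issues
    open_ratio = pkg.open_issues / total if total else 0.0
    return {
        "maintainers": min(pkg.maintainer_count, 3) / 3,
        "update_frequency": min(pkg.releases_last_year, 12) / 12,
        "version_count": min(pkg.version_count, 10) / 10,
        "last_publish": 0.0 if is_stale(pkg, today) else 1 - days / 365,
        "open_issues": 1 - open_ratio,
    }

def health_score(pkg: PackageSignals, today: date) -> int:
    # Weighted average of the factor scores, scaled to the page's 0..100 range.
    scores = factor_scores(pkg, today)
    weighted = sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)
    return round(100 * weighted / sum(WEIGHTS.values()))

def health_level(score: int) -> str:
    # Thresholds exactly as the page gives them: 80-100 Healthy, 50-79 Fair, 0-49 At Risk.
    return "Healthy" if score >= 80 else "Fair" if score >= 50 else "At Risk"

# Constructed sample inputs (not real registry data): a well-kept, a single-maintainer, and an abandoned package.
TODAY = date(2024, 6, 1)
SAMPLE = [
    PackageSignals("well-kept-lib", 4, 12, 40, date(2024, 5, 1), 5, 95),
    PackageSignals("solo-util", 1, 4, 8, date(2024, 3, 1), 10, 30),
    PackageSignals("abandoned-pkg", 1, 0, 3, date(2022, 1, 15), 40, 10),
]
```

Sorting `SAMPLE` by `health_score` puts the abandoned package first, which is the triage order the "How to Use It" section recommends.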

Where to Find It

Package health scores appear in several places:

  • SCA > Dependencies — The health column shows a color-coded score for each dependency.
  • Dependency detail view — Click any dependency to see the full health breakdown with individual factor scores.
  • SCA > Cross-Repo Analytics — Identify at-risk packages used across multiple repositories.

How to Use It

Package health is most useful during dependency review and upgrade planning:

  1. Sort dependencies by health score to find the riskiest packages first.
  2. For at-risk packages, check the AI Recommendations tab for suggested alternatives.
  3. Prioritize upgrading or replacing packages with low health scores, especially those with known vulnerabilities.

Data Sources

Health data is fetched from package registries (npm, PyPI) and source repository metadata (GitHub, GitLab). Scores are refreshed during each SCA scan.