This tool finds the most depended upon maintainers across multiple Open Source ecosystems, using data from ecosyste.ms.
A lot of important parts are in place, but more work needs to be done before this tool can be generally used.
Here's how this broadly works:
- ecosyste.ms collects data about packages across multiple ecosystems (npm, PyPI and so on), including package download data.
- We find critical packages for each ecosystem — the most downloaded packages whose downloads, summed together, make up 80% of the downloads for that ecosystem. See the origin of this calculation and the calculation source code.
- We find the maintainers that maintain those packages. Sometimes ecosystems can tell us who maintains a package. But sometimes it's more complicated.
- We try to find each package's repository, and go through its commit statistics. We find the committers with the highest commit count who, when summed up, make up at least 30% of the repo's commits. We call these “significant committers”, and include them in the maintainer list.
- We can also use GitHub issues to identify maintainers. GitHub issue comments can bear specific badges, such as “Collaborator” or “Member”, which signify that the user who left that comment has been granted certain permissions on that repository. We add Members, Owners and Collaborators to the maintainer list for that package.
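As an added example (not the tool's own code), the two cumulative-share cutoffs described above, the 80%-of-downloads critical-package cut and the 30%-of-commits significant-committer cut, applied to constructed download and commit counts:

```python
def cumulative_cutoff(counts, share_percent):
    """Return the highest-count names whose counts, summed in descending
    order, first reach share_percent of the total.
    Integer arithmetic avoids float surprises (0.3 * 100 != 30 in floating point)."""
    total = sum(counts.values())
    if total == 0:
        return []
    selected, running = [], 0
    # Ties are broken by name so the result is deterministic.
    for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        selected.append(name)
        running += n
        if running * 100 >= share_percent * total:
            break
    return selected

# Constructed sample data, not real ecosyste.ms figures: downloads per package.
DOWNLOADS = {"alpha": 500, "beta": 300, "gamma": 150, "delta": 40, "epsilon": 10}
# Constructed commit counts per committer for each package's repository.
COMMITS = {
    "alpha": {"ann": 60, "bob": 25, "cy": 15},
    "beta": {"dee": 50, "ann": 30, "ed": 20},
    "gamma": {"fay": 10},
}

def critical_packages(downloads):
    """Packages whose downloads together reach 80% of the ecosystem total."""
    return cumulative_cutoff(downloads, 80)

def significant_committers(commits_by_repo, packages):
    """Map each significant committer (top committers reaching 30% of a repo's
    commits) to the critical packages they maintain."""
    maintainers = {}
    for pkg in packages:
        for who in cumulative_cutoff(commits_by_repo.get(pkg, {}), 30):
            maintainers.setdefault(who, set()).add(pkg)
    return maintainers

def most_depended_upon(maintainers):
    """Rank maintainers by how many critical packages they maintain."""
    return sorted(maintainers, key=lambda m: (-len(maintainers[m]), m))

if __name__ == "__main__":
    crit = critical_packages(DOWNLOADS)
    print("critical packages:", crit)
    print("ranking:", most_depended_upon(significant_committers(COMMITS, crit)))
```

Packages with no commit data (like "delta" here) simply contribute no maintainers, which is the data-incompleteness limitation noted below.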
This method has multiple limitations:
- It only handles source-level dependencies, such as those declared in manifests like `package.json`. It does not handle binary dependencies, so it misses the maintainers of Linux, PostgreSQL, build tools and so on.
- It cannot identify human maintainers when packages are maintained by an organisation account, such as rubygems/awscloud.
- It overrepresents small ecosystems, such as NuGet.
- Only some ecosystems are supported. Only ecosystems that publish per-package download statistics can be supported. For example, it does not seem possible to get download statistics for Go packages.
- Data is incomplete. Some critical packages have no committer information and no commit data, so maintainers cannot be identified.
- Some heuristics are used, which can lead to incorrect data. For example, maintainers are deduplicated by merging maintainer data where two ostensibly different maintainers have the same username, name or email address. This should mostly yield correct results, but it can merge unrelated maintainers who happen to share a name.
Useful ecosyste.ms API endpoints:
- Get all critical packages: https://packages.ecosyste.ms/api/v1/packages/critical?page=1&per_page=1000
- Get all critical packages for a registry: https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages?critical=true&page=1&per_page=1000
- Get all registries: https://packages.ecosyste.ms/api/v1/registries/
- Look up a project's summary by repository URL (in particular, see committers and issues): https://summary.ecosyste.ms/api/v1/projects/lookup?url=https://github.com/pythonadelaide/karmabot
- Get data about GitHub Sponsors accounts and their sponsors: https://sponsors.ecosyste.ms/docs/index.html
- Get high-level info about a user (e.g. funding links, total stars): https://repos.ecosyste.ms/api/v1/hosts/Github/owners/andrew
This tool is maintained by Vlad-Stefan Harbuz — contact him with questions and suggestions.
Licensed under Apache-2.0.
© 2025 Functional Software, Inc. d/b/a Sentry