Show HN: OSS sustain guard – Sustainability signals for OSS dependencies

https://onukura.github.io/oss-sustain-guard/

21•onukura•1d ago

Hi HN, I made OSS Sustain Guard.

After every high-profile OSS incident, I wonder about the packages I rely on right now. I can skim issues/PRs and activity on GitHub, but that doesn’t scale when you have tens or hundreds of dependencies. I built this to surface sustainability signals (maintainer redundancy, activity trends, funding links, etc.) and create awareness. It’s meant to start a respectful conversation, not to judge projects. These are signals, not truth; everything is inferred from public data (internal mirrors/private work won’t show up).

Quick start: pip install oss-sustain-guard export GITHUB_TOKEN=... os4g check

It uses GitHub GraphQL with local caching (no telemetry; token not uploaded/stored), and supports multiple ecosystems (Python/JS/Rust/Go/Java/etc.).

Repo: https://github.com/onukura/oss-sustain-guard

I’d love feedback on metric choices/thresholds and wording that stays respectful. If you have examples where these signals break down, please share.

Comments

regenschutz•1d ago

Interesting project! Though, it's usually the smaller and less known-about projects that fall victim to OSS supply-chain attacks (such as the XZ attack).

Since this is a manual check, I worry that most users will just check the big and grandiose dependencies that they have.

Who would you say are your target audience with this tool? OSS developers? Security researchers? Regular users? Corporate managers?

onukura•21h ago

Thank you for the thoughtful comment! You raise an excellent point about smaller projects being overlooked.

That's actually one of the key problems this tool aims to address. While it's a manual check, the tool helps you examine ALL dependencies in your project - including those smaller, lesser-known libraries that often slip under the radar.

The dependency check option (`os4g check --show-dependencies`) is particularly valuable here: it often reveals that well-known, popular libraries actually depend on small, undermaintained projects. This visibility helps users discover these hidden but critical dependencies that might otherwise go unnoticed.

The target audience is primarily general users and developers who may not be deeply familiar with OSS sustainability issues, rather than OSS maintainers or security researchers who already understand these problems well. The goal is to raise awareness and help everyday developers understand the health status of their entire dependency tree, so they can make more informed decisions and potentially contribute back to these smaller projects that their software relies on.

jimt1234•1d ago

Not trying to hate, but these projects come to mind:

https://scorecard.dev/

https://cloud.google.com/security/products/assured-open-sour...

onukura•21h ago

Thank you for your comment!

The key difference is focus: OpenSSF Scorecard primarily evaluates security best practices (dependency updates, SAST, branch protection, etc.), while oss-sustain-guard focuses specifically on sustainability and maintenance health metrics.

For example, oss-sustain-guard checks: - How quickly maintainers respond to issues - Recent commit activity patterns - Community engagement trends - Maintainer burnout indicators

A project can have a perfect Scorecard security score but still be at risk if the sole maintainer is overwhelmed or going inactive - which is what we saw in cases like XZ or event-stream.

As for Google's Assured OSS, it's a curated list of vetted packages, which is valuable for organizations. However, oss-sustain-guard is designed to help individual developers assess ANY package in their dependency tree, including those smaller transitive dependencies that wouldn't appear on curated lists.

I see these tools as complementary rather than competing - security practices (Scorecard) + sustainability health (oss-sustain-guard) + vetted packages (Assured OSS) together give a more complete picture of dependency risk.

abhisek•3h ago

I still think metadata associated with packages (like stars, download count and more) are easy to fake and not the best metric. OpenSSF scorecard has some adoption among project maintainers but hardly any adoption in terms of making security decision based on it.

IMHO code is the source of truth. It may seem infeasible to mass analyse OSS code, but given the recent incidents (Shai-Hulud et.al) I think that’s the way forward. Personally am more bullish on SLSA or other artefact provenance technology adoption. Till that happens, metadata will be misused by attackers.

Senior Software Engineer, Back End or Full Stack

History of the Windshield Wiper

(US) Homeland Security uses Hiroshi Nagai's artwork without permission

Show HN: AI tutor to study and practice STEM books

Logitech Options+ and G Hub macOS Certificate Issue

Canada's Immigration Dept shelves visa program for entrepreneurs, citing misuse

6 months of my SaaS, real numbers, real mistakes, no sugarcoating

Bill to Eliminate H-1B Visa Program Introduced in Congress

Mastering Claude Code in 30 minutes (2025) [video]

Venezuela 'turning over' oil to US in move that could cut supply to China

Show HN: Agentlearn – Interactive course for AI agent fundamentals

Show HN: I built an Instagram Clone with 1 Prompt

'Yamagata is ramen': Japan's city of noodle fiends revels in 'capital' status

Trump gets Greenland in 4 easy steps

The 'Growler' Signal-Jamming Jet That Helped Capture Nicolás Maduro

VLang 0.5 Released

Ask HN: Retro Games for Kids

Show HN: Tera.fm – A calm, radio-style way to listen to today's tech news

How to Install Cosmic Desktop on Ubuntu 24.04 LTS

Show HN: Library for HTML interaction using voice agent

How Apple works: Inside the biggest startup (2011)

Proposal: Extract the Parser of TypeScript Native into a Standalone Go Module

Resurrecting My Game Dev Time with AI

AGI is here (and I feel fine)

Show HN: Enclose Horse – Daily Puzzle Game

Show HN: LeetCode on Steroids

Featherbase

PgX – Debug Postgres performance in the context of your application code

Fund managers prepare for 'reckoning' in US tech sector

A Tutorial on Safe Anytime-Valid Inference [pdf]