Initial thought: https://mastodon.social/@andrewnez/112151957657701569
Based on https://en.wikipedia.org/wiki/Tier_list
Comments and critiques welcome
Usage ideas:
- Browser extension: detect you're looking at a webpage of a package or repo, show you the project's Tier for quick and easy classification
- SBOM analyser: summarize an SBOM by grouping dependencies into Tiers, highlighting the good and bad ones
Tiers:
- Super Star Project
  - Top 0.1% ranking in its ecosystem
  - Minimal red flags
- Excellent Project
  - Top 1% ecosystem ranking
  - Minimal red flags
- Great Project
  - Top 10% ecosystem ranking
  - Few red flags
- Ok Project
  - Some usage within OSS
  - Default tier
- Unknown Project
  - Little-to-no usage
  - Some red flags
- Problem Project
  - Many red flags
- Bad Project
  - No license
  - Serious red flags
Red flags:
- No OSS license
- Not updated in years
- Very slow or no response to issues
- No published releases in years
- If package, no source repo
- Few maintainers
- Few contributors
- Unfixed security advisories
- Elephant factor
- Bus factor
- Low-tier dependencies
- Brand new project
- Typo-squatting name
- No changelog
- No tag for each release
- Thousands of open issues or pull requests
- No security policy
- No automated CI
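As an added example (not part of this draft), here is one way the tier rules and the red-flag list above could be turned into a classifier, including the SBOM grouping from the usage ideas. The draft does not say how many red flags count as "minimal", "few" or "many", which flags are "serious", or where "little-to-no usage" ends, so the thresholds, the SERIOUS_FLAGS set, the flag identifiers and the sample SBOM entries are all assumptions made here.

```python
"""Tier classifier for the draft scheme above.

Added example, not part of the original note. The thresholds for
'minimal', 'few', 'many' and 'little-to-no usage', the set of 'serious'
flags and the flag identifiers are assumptions; adjust to taste.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    SUPER_STAR = "Super Star Project"
    EXCELLENT = "Excellent Project"
    GREAT = "Great Project"
    OK = "Ok Project"
    UNKNOWN = "Unknown Project"
    PROBLEM = "Problem Project"
    BAD = "Bad Project"


# The red flags from the draft, as identifiers (spelling chosen here).
RED_FLAGS = frozenset({
    "no_oss_license", "not_updated_in_years", "slow_or_no_issue_response",
    "no_releases_in_years", "package_without_source_repo", "few_maintainers",
    "few_contributors", "unfixed_security_advisories", "elephant_factor",
    "bus_factor", "low_tier_dependencies", "brand_new_project",
    "typo_squatting_name", "no_changelog", "releases_not_tagged",
    "thousands_of_open_issues_or_prs", "no_security_policy", "no_automated_ci",
})

# Assumption: flags serious enough to send a project straight to Bad.
SERIOUS_FLAGS = frozenset({
    "no_oss_license", "unfixed_security_advisories", "typo_squatting_name",
})

# Assumed thresholds; the draft only says minimal / few / many.
MINIMAL_FLAGS = 1   # at most this many flags is still "minimal"
FEW_FLAGS = 3       # at most this many is still "few"
MANY_FLAGS = 6      # this many or more is "many"
MIN_DEPENDENTS = 5  # fewer dependents than this is "little-to-no usage"


@dataclass
class Project:
    name: str
    ecosystem_rank: int   # 1 = most used package in its ecosystem
    ecosystem_size: int   # number of ranked packages in that ecosystem
    dependents: int       # other OSS packages depending on this one
    red_flags: set[str] = field(default_factory=set)

    @property
    def rank_fraction(self) -> float:
        """Share of the ecosystem ranked at or above this project (0.001 = top 0.1%)."""
        return self.ecosystem_rank / self.ecosystem_size


def classify(p: Project) -> Tier:
    """Apply the tier rules top-down; the first matching tier wins."""
    unrecognised = p.red_flags - RED_FLAGS
    if unrecognised:
        raise ValueError(f"{p.name}: unknown red flags {sorted(unrecognised)}")
    n = len(p.red_flags)
    if p.red_flags & SERIOUS_FLAGS:          # Bad: no license / serious flags
        return Tier.BAD
    if n >= MANY_FLAGS:                      # Problem: many red flags
        return Tier.PROBLEM
    if p.rank_fraction <= 0.001 and n <= MINIMAL_FLAGS:
        return Tier.SUPER_STAR               # top 0.1%, minimal flags
    if p.rank_fraction <= 0.01 and n <= MINIMAL_FLAGS:
        return Tier.EXCELLENT                # top 1%, minimal flags
    if p.rank_fraction <= 0.10 and n <= FEW_FLAGS:
        return Tier.GREAT                    # top 10%, few flags
    if p.dependents < MIN_DEPENDENTS:        # Unknown: little-to-no usage
        return Tier.UNKNOWN
    return Tier.OK                           # default tier


def summarize_sbom(projects: list[Project]) -> dict[Tier, list[str]]:
    """Group SBOM components by tier, best tier first (the SBOM analyser idea)."""
    groups: dict[Tier, list[str]] = defaultdict(list)
    for p in projects:
        groups[classify(p)].append(p.name)
    return {t: sorted(groups[t]) for t in Tier if groups[t]}


# Constructed sample SBOM; names and numbers are made up for illustration.
SAMPLE_SBOM = [
    Project("core-lib", 12, 200_000, 40_000, {"no_security_policy"}),
    Project("mid-lib", 15_000, 200_000, 800, {"no_changelog", "few_maintainers"}),
    Project("plain-lib", 60_000, 200_000, 30, set()),
    Project("tiny-helper", 150_000, 200_000, 2, {"brand_new_project"}),
    Project("stale-util", 30_000, 200_000, 120, {
        "not_updated_in_years", "no_releases_in_years", "slow_or_no_issue_response",
        "no_changelog", "releases_not_tagged", "no_automated_ci"}),
    Project("sketchy-pkg", 180_000, 200_000, 0, {"unfixed_security_advisories"}),
]

if __name__ == "__main__":
    for tier, names in summarize_sbom(SAMPLE_SBOM).items():
        print(f"{tier.value}: {', '.join(names)}")
```

Serious flags and "many" flags are checked before popularity on purpose: a widely used package with an unfixed advisory should not be rescued by its ranking, which is the point of putting Bad and Problem at the bottom of the list regardless of usage.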