Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature]: Show and score packages based on popularity, quality, maintenance, and community. #8964

Open
JonDouglas opened this issue Jan 27, 2022 · 2 comments
Open

[Feature]: Show and score packages based on popularity, quality, maintenance, and community. #8964

JonDouglas opened this issue Jan 27, 2022 · 2 comments
Labels
feature-request Customer feature request Need spec

Comments

@JonDouglas
Copy link
Contributor

Related Problem

No response

The Elevator Pitch

With over 290,000 unique NuGet packages and over 4,000,000 package versions available to download, developers face an even harder challenge of being able to validate the quality of a package to be used in their projects.

There's many challenges to the quality of a package such as how many dependencies the package takes on, the amount of downloads the package has, and being maintained by a large company to name a few.

NuGet has many different types of packages such as frameworks, dependencies, tools, templates, and many more. With each package, there is metadata & package contents that are used to help define the overall package.

A high quality or "healthy" package is one that follows the following characteristics:

  • It is actively maintained. Either with recent commits or an annual update/notice that the package is up-to-date.
  • It is documented. It provides enough documentation to install, get started, and has public API documentation on it's members.
  • It has a way to report bugs. It provides a centralized location or repository in which issues are regularly triaged & resolved in future releases.
  • It resolves security flaws quickly. It fixes known vulnerabilities & releases an unaffected release quickly.
  • It is not deprecated. It is in an active state meeting all the criteria above.

This is a small list of the many different characteristics that may make a package of high quality or "healthy".

Having packages of high quality that depend on other packages of high quality will make the overall software supply chain of higher quality and thus more secure & reliable for those using .NET tooling.

This proposal introduces the concept known as Package Scoring or NET Score for short.

TL;DR packages have a combined score of four categories that helps developers make trust decisions. Those categories might be:

  • Popularity- How popular a package is & recognized in the ecosystem.
  • Quality - The completeness of a package following best practices & providing documentation.
  • Maintenance - The state of maintenance & free of security vulnerabilities.
  • Community - The sustainability of an active community for the package.

dotnet/designs#216

Additional Context and Details

No response
@JonDouglas JonDouglas added the feature-request Customer feature request label Jan 27, 2022
This was referenced Feb 7, 2022
Closed
Closed
@JonDouglas JonDouglas mentioned this issue Feb 3, 2023
Closed
@JonDouglas JonDouglas mentioned this issue Mar 21, 2023
Open
17 tasks
@Meir017
Copy link

Meir017 commented Sep 20, 2024

see how deno does this https://jsr.io/docs/scoring

@erdembayar
Copy link
Contributor

cc @kartheekp-ms

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request Customer feature request Need spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JonDouglas @erdembayar @Meir017