TL;DR

OSS Sustain Guard is an open-source tool that analyzes the sustainability of software dependencies across many ecosystems, surfacing maintainer activity, community engagement, security posture, and funding signals. It produces scored metrics (CHAOSS-aligned), trend views, and integrates with CI systems to help teams monitor and act on dependency health.

What happened

A new open-source project, OSS Sustain Guard (v0.20.0), offers a multi-language analyzer that evaluates the health of package dependencies across ecosystems. The tool collects a broad set of indicators — including maintainer activity, community engagement, project maturity, security posture, and funding links — and reports 24 core sustainability metrics, each scored on a 0–10 scale. Analyses can be tracked over time with trend windows and scored using predefined or custom profiles (e.g., security-first or long-term-stability). The software is designed to be extensible via plugins for custom metrics, resolvers, and VCS providers, and supports local caching to reduce API calls. Developers can run it locally or incorporate it into CI workflows; installation is available via pip. The project emphasizes empathetic, nonjudgmental language and displays funding links for community-driven projects where available.
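As an added illustration (not OSS Sustain Guard's own code), the sketch below shows how per-metric 0-10 scores could be combined under a named profile such as security-first or long-term-stability, tracked across trend windows, and turned into a CI pass/fail decision; the metric names, weights and threshold are assumptions.

```python
"""Hypothetical profile scoring over 0-10 sustainability metrics (illustration only)."""
from typing import Dict, List

# Assumed metric names and weights; the real tool reports 24 CHAOSS-aligned metrics.
PROFILES: Dict[str, Dict[str, float]] = {
    # Security-first: weight security posture and release cadence most heavily.
    "security-first": {"security_posture": 3.0, "release_recency": 2.0,
                       "maintainer_activity": 1.0, "community_engagement": 0.5,
                       "funding": 0.5},
    # Long-term stability: weight sustained maintenance and funding most heavily.
    "long-term-stability": {"maintainer_activity": 2.5, "funding": 2.0,
                            "community_engagement": 1.5, "security_posture": 1.0,
                            "release_recency": 0.5},
}


def profile_score(metrics: Dict[str, float], profile: str) -> float:
    """Weighted mean of 0-10 metric scores under a profile; result is also on 0-10."""
    weights = PROFILES[profile]
    for name in weights:
        value = metrics[name]  # KeyError if a required metric is missing
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"{name} outside 0-10 range: {value}")
    total = sum(weights.values())
    return round(sum(w * metrics[m] for m, w in weights.items()) / total, 2)


def trend(window_scores: List[float]) -> str:
    """Classify profile scores ordered oldest to newest across trend windows."""
    if len(window_scores) < 2:
        return "insufficient-data"
    delta = window_scores[-1] - window_scores[0]
    if delta <= -1.0:
        return "declining"
    if delta >= 1.0:
        return "improving"
    return "stable"


def ci_gate(window_scores: List[float], threshold: float = 5.0) -> bool:
    """Pass only if the latest score meets the threshold and the trend is not declining."""
    return window_scores[-1] >= threshold and trend(window_scores) != "declining"


# Constructed sample: one dependency's latest metric snapshot and its score history.
SAMPLE_METRICS = {"security_posture": 8.0, "release_recency": 6.0,
                  "maintainer_activity": 4.0, "community_engagement": 7.0, "funding": 2.0}
SAMPLE_HISTORY = [7.2, 6.5, 5.9]  # e.g. 365-day, 90-day, 30-day windows
```

The same snapshot scores 6.36 under security-first but 4.73 under long-term-stability, which is why a profile choice matters before gating on a threshold.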

Why it matters

  • Gives teams a scalable way to surface risks across dozens or hundreds of dependencies rather than inspecting repos manually.
  • Provides standardized, CHAOSS-aligned indicators that help compare projects on maintainer and community health.
  • Encourages responsible stewardship by highlighting funding links and using nonjudgmental language to support maintainers.
  • Integrates into developer workflows (CI, pre-commit, actions) so sustainability checks can be automated as part of development.

Key facts

  • OSS Sustain Guard is open source and distributed under the MIT License.
  • The project reports 24 core sustainability metrics, each scored from 0 to 10, plus trend analysis across multiple time windows.
  • Metrics and models align with CHAOSS and include five CHAOSS-aligned models: Stability, Sustainability, Community Engagement, Project Maturity, and Contributor Experience.
  • Supports many ecosystems out of the box, including Python (PyPI), JavaScript/TypeScript (npm), Rust (Cargo), Java (Maven), PHP (Packagist), Ruby (RubyGems), Go (Go Modules), C#/.NET (NuGet), Kotlin, Dart, Elixir, Haskell, Perl, R, and Swift.
  • Installation is via pip (pip install oss-sustain-guard) and the tool offers manifest auto-detection for common package files (requirements.txt, package.json, Cargo.toml, etc.).
  • Requires a GitHub token for most repository analyses; a GitLab token is needed only for gitlab.com sources; demo mode can use snapshot data.
  • Features a pluggable architecture allowing custom metrics, language resolvers, and VCS providers to be added as plugins.
  • Integration-ready: supports GitHub Actions, GitLab CI/CD, and pre-commit hooks; also offers options to exclude internal or legacy packages and to scan recursively for monorepos.
  • Includes a local cache to reduce repeated API calls and a 'Gratitude Vending Machine' feature to surface projects that could use support.

What to watch next

  • Adoption within CI/CD pipelines and how teams embed sustainability checks into standard workflows via GitHub Actions and GitLab CI/CD.
  • Expansion of VCS and ecosystem plugin support through the pluggable architecture (extensible VCS support is a stated capability).

Quick glossary

  • CHAOSS: A community-driven project that defines metrics and models for understanding open-source community health and sustainability.
  • Dependency graph: A representation of a project's direct and transitive package dependencies and their relationships.
  • Maintainer activity: Indicators of how actively maintainers commit, review, and respond to issues and pull requests in a repository.
  • CI/CD: Continuous Integration and Continuous Delivery/Deployment practices that automate building, testing, and deploying code.
  • Plugin (pluggable architecture): A modular extension that adds functionality—such as new metrics, language resolvers, or VCS providers—without changing core code.

Reader FAQ

How do I install OSS Sustain Guard?
Installable via pip: pip install oss-sustain-guard.

Which package ecosystems does it support?
The tool lists built-in support for many ecosystems including PyPI, npm, Cargo, Maven, Packagist, RubyGems, NuGet, Go Modules, and others.

Do I need API tokens to run analyses?
A GitHub token covers most repository analyses; a GitLab token is required only for gitlab.com sources. Demo mode can use snapshot data.

Is the project open source and what license is used?
Yes; the project is open source and distributed under the MIT License.

Sources

OSS Sustain Guard Documentation: "OSS Sustain Guard is a multi-language package sustainability analyzer that helps you understand the health of your dependencies across ecosystems. The tool provides constructive insights about…"
