How to use Trusty in Visual Studio Code to flag risky open source libraries

Knowing whether an open source package is being actively maintained before you import it into your code is key for avoiding rework and quality issues down the road. Here’s how Trusty’s activity score can help.

Nov 15, 2023

Last week, we announced the launch of Trusty, a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of dimensions like author and repo activity, along with a package’s source of origin, to help you understand whether an open source package is actively maintained and not malicious. 

A recent report from Sonatype indicates that 18.6% of open source projects across Java and JavaScript that were maintained in 2022 are no longer maintained today. Taking a dependency on a library that’s unmaintained means you’ll likely be facing quality and security issues down the road. But it takes time to research an open source package to understand whether it has an active community supporting it, especially considering that most software projects have multiple external dependencies. 

In this post, we’ll walk you through how to use Trusty’s activity scoring to get a faster signal on a package’s repo and author activity and make a more informed decision about whether to use that package.

Challenges with searching for open source packages

Let’s say you’re working on a Python project, and you need a library to handle OAuth authentication. Your first step might be to search Google for “Python oauth library” and pick one of the first search results. For example, you might click on the “python-oauth2” link that shows up second in the search results below, since you can see that it’s coming from the PyPI repo:

Google search results for python-oauth2

But when you click through to install the package from PyPI, you might not notice that the latest version is actually from 2019:

python-oauth2 on PyPI repo

Worse yet, many developers using AI coding tools bring in dependencies without even this level of inspection, and many of the underlying models were trained on data that is at least a few years old.

Using Trusty to search for and vet open source packages

If you’re using Visual Studio Code as your IDE, you can install the Trusty extension to get a quick signal on whether an external dependency is risky, right when you’re importing the library into your code. This can help you flag potentially unmaintained libraries and proactively avoid installing them. 

In the example below, the Trusty extension has already been installed in VS Code. You can see that when you import the “oauth2” package, Trusty underlines this package, showing that it has a low Trusty Score and warning you that there could be a security risk:

Trusty IDE plug-in screenshot

Clicking on the “Visit for details” link takes you to the Trusty web app, where you can view more information about the oauth2 package, and see the full scoring breakdown. You can see in the screenshot below that python-oauth2 has a Trusty Score of 4.8, and a particularly low repo activity score of 3.3. This scoring indicates that there’s a low level of open issues, recent commits, and forks, among other factors, signaling that it could be risky to take a dependency on this library. 

In this case, we can see from the description and Trusty's "Deprecated" flag that the package is unmaintained, which explains why the repo activity score is low. The author activity score here is higher though, which indicates that the package author has a significant number of followers and may be actively contributing to other projects, but not this one.

In cases like this in which a package has a low Trusty Score, you can use Trusty’s Alternative Packages feature to find a less-risky alternative:

How is Trusty’s activity scoring calculated? 

Trusty’s scoring model is based on repo and author activity, and uses statistics and Principal Component Analysis as a mechanism to assess the relative activity rating of a given package versus other open source packages. Our model retrieves public metadata on “features” of the repository and “features” of the top maintainers and committers to a project, and ranks a package in the context of how these features compare to other packages.

Here are the types of features that we currently take into account for repo and author activity scoring:

Features taken into account for repo activity scoring: 

  • Stars

  • Forks

  • Watchers

  • Subscribers 

  • Open issues

  • Networks

  • Active contributors

Features taken into account for author activity scoring:

  • The number of public repos someone contributes to

  • Public gists submitted

  • Followers

  • Following counts

This scoring approach helps us identify whether there is an active community around an open source package. While we can’t say for sure whether a package with a higher Trusty Score will still be maintained in a year, our scoring can give you a much better signal as to whether it will be. (Read more about how our scoring works here.)
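To make the idea of ranking a package against other packages concrete, here is an added sketch of a PCA-based relative activity score. It is not Trusty's code or model: the repositories and their numbers are constructed, the function names are hypothetical, and the log transform and the 0-10 rank scaling are assumptions made for the illustration.

```python
import math

# Columns: stars, forks, watchers, subscribers, open issues, networks,
# active contributors. Every number below is constructed sample data.
REPOS = {
    "busy-lib":    [42000, 5100, 42000, 900, 310, 5100, 85],
    "steady-lib":  [3800, 420, 3800, 95, 64, 420, 17],
    "faded-star":  [9000, 700, 9000, 200, 2, 700, 1],  # popular, but idle
    "small-lib":   [650, 80, 650, 30, 12, 80, 6],
    "niche-lib":   [120, 15, 120, 9, 4, 15, 3],
    "dormant-lib": [40, 6, 40, 3, 1, 6, 1],
}

def standardize(rows):
    """log1p each count (assumed, to tame heavy tails), then z-score each column."""
    cols = [[math.log1p(v) for v in col] for col in zip(*rows)]
    out = []
    for col in cols:
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        out.append([(v - mean) / sd for v in col])
    return [list(r) for r in zip(*out)]

def first_component(X, iters=200):
    """Leading eigenvector of the covariance matrix, found by power iteration."""
    n, d = len(X), len(X[0])
    cov = [[sum(r[i] * r[j] for r in X) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    # Orient the axis so that more activity projects to a larger value.
    return v if sum(v) >= 0 else [-x for x in v]

def activity_scores(repos):
    """Rank each repo on the first principal component; scale the rank to 0-10."""
    names = list(repos)
    X = standardize([repos[n] for n in names])
    pc = first_component(X)
    proj = {n: sum(a * b for a, b in zip(row, pc)) for n, row in zip(names, X)}
    ordered = sorted(names, key=proj.get)
    return {n: round(10 * ordered.index(n) / (len(names) - 1), 1) for n in names}

if __name__ == "__main__":
    for name, score in sorted(activity_scores(REPOS).items(), key=lambda kv: -kv[1]):
        print(f"{name:12s} {score}")
```

In this sample, `faded-star` has more than twice the stars of `steady-lib` but ranks below it, because its open-issue and contributor counts pull it down on the combined axis. A score of this kind is only meaningful relative to the population it was computed against.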

What’s next for Trusty?

Trusty is an experimental service, and we’ll continue to make improvements to our scoring and add new features based on community feedback. A few features that are next on our roadmap include: 

  1. New scoring dimensions and risk flags: Beyond activity scoring, we plan to introduce additional scoring factors such as security and transitive dependencies. We also plan to bring in additional risk flags such as frequency of releases. 

  2. Expanding supported languages: Working with the community, we are driving efforts to include provenance information for Python and Rust packages, and also plan to expand Trusty to include Java and Go packages (among others).

  3. Additional metadata and context: We plan to show known vulnerabilities for packages as well as license information, and also will provide more context on why a package received a specific score.

To get started with Trusty now, you can download our VS Code extension or visit

© 2023 Stacklok