Abandonware Detection

Detect usage of libraries and packages that appear to have been abandoned by their author.


Open source libraries and packages are maintained by a single developer or group of developers. This work is generally unpaid and is often in addition to work the developer(s) may be performing as part of a full time job.

As a result of this, libraries are often abandoned, forgotten or simply fall by the wayside. Any packages that are abandoned are unlikely to receive updates, bug fixes or feature improvements.

Packages are deemed abandoned if they:

  • Have not received updates in 2+ years
  • Open issues exist in the issue tracker without a response from the package maintainer(s)
  • Unmerged PRs exist that are largely ignored by the package author(s)


Abandoned packages are unlikely to receive updates. If a critical security issue is discovered, it may remain unresolved for the foreseeable future.

Risk Domains

Engineering, Author

Impact on the Phylum Package Score

The impact to the package score is commensurate to the length of time the package has been abandoned. The longer a package is considered abandoned, the lower the package score will be.

Examples from the past


Did this page help you?