New Committer Detection

Identify projects in a dependency tree that were recently contributed to by a new developer.

Description

A package is typically controlled and maintained by a small number of authors. These open source packages generally welcome contributions from any author that meaningfully improve the project (e.g. bug fixes, feature additions, etc.).

However, in many instances an author contributing to a project is new to it, and in some instances completely unknown. It is not always clear what impact such contributions will have on the project, and the prospect of reaching a large number of downstream developers makes a widely used project an attractive target for nefarious authors.

This heuristic identifies recent commits to a project and, from those commits, flags any contributions from authors who have not previously committed to it.
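The following is an added, illustrative implementation of the heuristic described above; it is not Phylum's own code and makes no claim about how Phylum computes its result. It assumes a dependency tree has already been resolved to a list of packages, each with a commit history where author identities are normalised (e.g. lowercased e-mail). An author is treated as "known" if they have at least one commit before the start of the recent window; every commit inside the window from an author with no such prior commit is flagged. The package names, commit ids and addresses are constructed sample data.

```python
"""Added example: new-committer detection over constructed commit histories.
Illustrative only; not Phylum's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Commit:
    sha: str        # constructed placeholder, not a real commit id
    author: str     # normalised author identity (assumption: lowercased e-mail)
    when: datetime  # commit time, timezone-aware


def new_committer_commits(history: List[Commit], now: datetime,
                          window_days: int = 90) -> Dict[str, List[Commit]]:
    """Return recent commits grouped by authors with no commit before the window.

    An author with any commit earlier than the window start is 'known' and is
    never flagged, even if they also committed recently. The window length is
    an assumed parameter; the page does not state the one Phylum uses.
    """
    start = now - timedelta(days=window_days)
    known = {c.author for c in history if c.when < start}
    flagged: Dict[str, List[Commit]] = {}
    for c in sorted(history, key=lambda c: c.when):
        if c.when >= start and c.author not in known:
            flagged.setdefault(c.author, []).append(c)
    return flagged


def scan_dependency_tree(tree: Dict[str, List[Commit]], now: datetime,
                         window_days: int = 90) -> Dict[str, Dict[str, List[Commit]]]:
    """Apply the heuristic to every package; only packages with findings are returned."""
    report: Dict[str, Dict[str, List[Commit]]] = {}
    for package, history in tree.items():
        found = new_committer_commits(history, now, window_days)
        if found:
            report[package] = found
    return report


# Constructed sample data: a fixed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _at(days_ago: int) -> datetime:
    return NOW - timedelta(days=days_ago)


SAMPLE_TREE: Dict[str, List[Commit]] = {
    "pad-strings": [
        Commit("c0000001", "maintainer@example.com", _at(400)),
        Commit("c0000002", "maintainer@example.com", _at(200)),
        Commit("c0000003", "maintainer@example.com", _at(10)),  # known author: not flagged
        Commit("c0000004", "newcomer@example.net", _at(5)),     # first-ever commit, in window: flagged
        Commit("c0000005", "newcomer@example.net", _at(3)),     # same new author: flagged
    ],
    "stable-lib": [
        Commit("c0000006", "maintainer@example.com", _at(300)),
        Commit("c0000007", "helper@example.org", _at(120)),     # first commit predates window: known
        Commit("c0000008", "helper@example.org", _at(20)),      # recent but known: not flagged
    ],
    "dormant-lib": [
        Commit("c0000009", "someone@example.com", _at(500)),    # nothing recent: no finding
    ],
}


if __name__ == "__main__":
    for package, findings in scan_dependency_tree(SAMPLE_TREE, NOW).items():
        for author, commits in findings.items():
            shas = ", ".join(c.sha for c in commits)
            print(f"{package}: new committer {author} -> {shas}")
```

Note that the window length changes the result: a window longer than the whole history makes every author "new", and a very short window flags nothing, so the value should be chosen relative to the project's commit cadence rather than fixed globally.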

Importance

New authors are not, in and of themselves, a bad thing. We simply cannot know beforehand if an author is intending to contribute meaningfully to a project, or to undermine the project with a malicious modification or breaking addition.

Risk Domains

Author

Impact on Phylum Package Score

New committers have a small negative impact on the package score. In conjunction with other heuristics, this heuristic may have a larger negative effect on the final score. For example, a new committer that contributes large blobs of obfuscated code would have a strongly negative impact on the package score.

Examples from the Past

N/A
