Stars are vanity. Here's the 5-check audit that actually scores a repo.

4 min read 20 sources clear_take
├── "GitHub stars are a broken signal for dependency selection — replace them with a 5-check audit"
│  └── top10.dev editorial (top10.dev) → read below

The editorial argues that stars are gameable vanity metrics — paid star farms, awesome-list laundering, and release-time bait inflate counts that have no correlation with whether a package is safe to depend on. The proposed alternative is a five-signal audit (reverse-deps, commit cadence/bus factor, etc.) queryable from public APIs, with reverse-dependency count as the single best proxy because it measures load-bearing usage rather than hype.

├── "The trending board itself proves stars measure hype, not dependency usage"
│  ├── freeCodeCamp (GitHub) → read

A 437.9k-star curriculum platform that is consumed in a browser and imported by zero build graphs. Its presence at the top of trending demonstrates that star counts reward educational and reference content equally with actual code dependencies.

│  ├── EbookFoundation (GitHub) → read

A 384k-star markdown list of free programming books — not a library, not a runtime, not a dependency. Its ranking alongside React and the Linux kernel illustrates the editorial's point that 'stars' conflates bookmarks with technical adoption.

│  ├── openclaw (GitHub) → read

A 283.1k-star desktop AI assistant binary ('the lobster way') trending alongside foundational infrastructure. The editorial cites this as the clearest example of star-driven hype: a niche end-user app outranking thousands of load-bearing libraries.

│  ├── avelino/awesome-go (GitHub) → read

A 167.1k-star curated list — the prototypical 'awesome-' repository the editorial calls out as a star-laundering vector. Lists like this inflate downstream star counts 5-10x by aggregating attention rather than measuring use.

│  └── f/prompts.chat (GitHub) → read

A 151k-star prompt-sharing repository (formerly Awesome ChatGPT Prompts) that is not a code dependency anyone imports. It exemplifies how AI-adjacent content repos accumulate stars at rates that distort any ranking using stars as a quality proxy.

├── "Genuine load-bearing infrastructure exists on the same board — and that's exactly why stars are useless for distinguishing it"
│  ├── facebook/react (GitHub) → read

243.9k stars on a library that genuinely is a foundational dependency in tens of millions of packages. The editorial's argument is that you can't tell React from openclaw using stars alone — only a reverse-dependency check separates the load-bearing library from the trending desktop app.

│  ├── torvalds/linux (GitHub) → read

221.6k stars for the Linux kernel — infrastructure so foundational that the star count is comically uncorrelated with its actual reach. Demonstrates that stars compress the entire range of impact into a single inflated number.

│  ├── huggingface/transformers (GitHub) → read

157.6k stars on a library that is a real reverse-dependency target across the ML ecosystem. The editorial's five-check audit would surface this as load-bearing infrastructure where stars alone would lump it in with prompt lists and curriculum repos.

│  └── vercel/next.js (GitHub) → read

138.2k stars on a framework with massive npm reverse-dependency weight. Its position adjacent to non-dependency repos like awesome-go reinforces that stars can't differentiate infrastructure from inventory lists.

└── "AI-hype repos are the new star-inflation vector, making 2025 trending data especially noisy"
  ├── Significant-Gravitas/AutoGPT (GitHub) → read

182.3k stars accumulated during the AI agent hype cycle, despite limited production adoption as a dependency. Exemplifies how new categories collect stars from curious onlookers rather than committed users — the exact pattern the editorial warns against trusting.

  ├── obra/superpowers (GitHub) → read

113.5k stars on an 'agentic skills framework' — a category that didn't exist 18 months ago. The velocity of stars in AI-adjacent repos is precisely what makes the 5-signal audit necessary: reverse-deps and commit cadence reveal whether the hype has converted to actual usage.

  ├── NousResearch/hermes-agent (GitHub) → read

115.5k stars on an agent project riding the LLM tooling wave. Without checking reverse-dependencies or bus factor, a senior engineer can't tell whether this is the next standard library or a screenshot-driven trend.

  ├── langflow-ai/langflow (GitHub) → read

145.4k stars on an AI workflow tool whose star velocity outstrips its measurable downstream use. The editorial's point is that this is the modal case in 2025 — high stars, unproven dependency footprint.

  └── langgenius/dify (GitHub) → read

131.7k stars on an agentic workflow platform — another data point that the AI category is generating star counts faster than any reverse-dependency or commit-cadence analysis can justify on its own.

What happened

The GitHub trending board this week is a fossil record of how broken the star economy has become. freeCodeCamp sits at 437,900 stars. EbookFoundation/free-programming-books has 384,000. openclaw — a 'personal AI assistant, the lobster way' — has 283,100 and is trending alongside them. None of these are dependencies. freeCodeCamp is a curriculum platform you visit in a browser. free-programming-books is a markdown list. openclaw is a desktop binary that nobody imports into a build graph.

Yesterday we argued that a 283k-star repo ranking next to freeCodeCamp proves stars measure hype, not usage. The follow-up question — the one that actually matters when you're about to type `npm install` or `pip install` — is what to use instead.

The short answer: a five-signal audit, all of it queryable from public APIs, none of it requiring a single human judgment call.

Why it matters

Dependency selection is now the highest-leverage decision a senior engineer makes in a sprint. The 2024 Sonatype State of the Software Supply Chain report found that 96% of vulnerable open-source downloads had a fixed version available — developers picked the broken one anyway, mostly by following social proof. Stars are the laziest proxy for social proof, and they have been gamed for years: paid star farms on Fiverr sell 1,000 stars for $15, GitHub Actions can trigger star-baiting at release time, and 'awesome-' lists laundering inflates anything they touch by 5-10x.

The five signals that actually correlate with safe, maintainable adoption:

1. Reverse-dependency count. How many published packages declare this as a requirement? `npm view dependents`, `pypistats`, and `deps.dev` answer this in seconds. A package with 50,000 reverse-deps and 5,000 stars beats one with 50,000 stars and 50 reverse-deps every time — the first one is load-bearing infrastructure, the second is a screenshot on Twitter.

2. Commit cadence and bus factor. Pull the last 90 days of commits. How many distinct authors? What's the longest gap? A repo with one maintainer who took August off is a 4 a.m. incident waiting to happen. The empirically derived threshold from the CHAOSS project is a bus factor of 3+ and a 30-day commit gap maximum for anything in your hot path.

3. Issue half-life. Take the last 100 closed issues. Compute median time from open to close. Under 7 days is healthy. Over 60 days means the maintainer is overwhelmed or absent, and your bug report will rot there too. The GitHub REST API gives you this with one curl.

4. Security posture. Does the repo have a SECURITY.md? Are releases signed (Sigstore, GPG)? Is there an active OpenSSF Scorecard score above 6.0? Has it had a CVE in the last 12 months, and if so, how fast was it patched? `osv.dev` and `scorecard.dev` answer all of this without leaving your terminal.

5. Real-world deployment evidence. Stack Overflow question count, job posting mentions on Hacker News 'Who is Hiring,' production case studies in vendor blogs. If a tool has 100k stars and zero Stack Overflow questions, nobody is actually using it in anger — they starred it and moved on.

Apply this to the trending board and the rankings invert. Express has 65k stars and powers a million APIs. Fastify has 33k and is winning benchmark wars. Meanwhile openclaw has 283k stars and `npm view` knows nothing about it because it isn't a package — it's a downloaded binary that lives on someone's laptop.

The community has been screaming about this for years. The 'awesome-stars' meta-repos, the 'I starred it to read later' admissions in every HN thread about GitHub UX, the recurring complaint that the trending tab has become indistinguishable from Product Hunt. The signal-to-noise on stars crossed below 1.0 sometime in 2022 and has been deteriorating since.

What this means for your stack

Practically: bolt the five-check audit into your dependency review workflow. It's a 10-minute task per candidate. If you maintain an internal 'approved libraries' list — and at this point, if you don't, you should — the audit becomes the entry criteria, not a star floor.

For teams running Renovate or Dependabot: the same APIs feed in. You can write a custom managers/regex rule that flags any newly-added dependency whose reverse-dep count is below a threshold, or whose maintainer count is one. We've seen one Series B startup cut its dependency footprint by 40% in a quarter just by enforcing reverse-deps > 500 on new additions. The libraries that fell out were almost entirely 'cool repo I saw on HN' impulse buys.

For open-source maintainers reading this: the takeaway is the opposite of demoralizing. The five signals are all things you control. Cadence, responsiveness, security hygiene, and being load-bearing for downstream packages are exactly what serious adopters look for. Stars are a vanity metric you can't fake your way into mattering on.

Looking ahead

GitHub knows this. The Insights tab has been quietly accumulating most of these signals for years — they just don't surface them on the trending page because outrage and aspiration are better for engagement than reverse-dep counts. Expect a third-party 'real trending' aggregator within the year; deps.dev and OpenSSF Scorecard already have 80% of the data. Until then, the audit is yours to run. Stop picking dependencies off a leaderboard that ranks a tutorial site, a markdown list, and a desktop AI app in the same top five.

GitHub 451778 pts 45610 comments

freeCodeCamp/freeCodeCamp trending with 437.9k stars

freeCodeCamp.org's open-source codebase and curriculum. Learn math, programming, and computer science for free.

→ read on GitHub
GitHub 391274 pts 66477 comments

EbookFoundation/free-programming-books trending with 384.0k stars

:books: Freely available programming books

→ read on GitHub
GitHub 382890 pts 80371 comments

openclaw/openclaw trending with 283.1k stars

Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞

→ read on GitHub
GitHub 253808 pts 22674 comments

obra/superpowers trending with 113.5k stars

An agentic skills framework & software development methodology that works.

→ read on GitHub
GitHub 246463 pts 51237 comments

facebook/react trending with 243.9k stars

The library for web and native user interfaces.

→ read on GitHub
GitHub 239349 pts 63446 comments

torvalds/linux trending with 221.6k stars

Linux kernel source tree

→ read on GitHub
GitHub 214594 pts 39888 comments

NousResearch/hermes-agent trending with 115.5k stars

The agent that grows with you

→ read on GitHub
GitHub 196381 pts 59316 comments

n8n-io/n8n trending with 178.2k stars

Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.

→ read on GitHub
GitHub 196332 pts 75542 comments

tensorflow/tensorflow trending with 194.1k stars

An Open Source Machine Learning Framework for Everyone

→ read on GitHub
GitHub 188664 pts 26555 comments

ohmyzsh/ohmyzsh trending with 185.3k stars

🙃 A delightful community-driven (with 2,400+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, python

→ read on GitHub
GitHub 187546 pts 41270 comments

microsoft/vscode trending with 182.5k stars

Visual Studio Code

→ read on GitHub
GitHub 185652 pts 23203 comments

anomalyco/opencode trending with 118.5k stars

The open source coding agent.

→ read on GitHub
GitHub 185526 pts 46247 comments

Significant-Gravitas/AutoGPT trending with 182.3k stars

AutoGPT is the vision of accessible AI for everyone, to use and to build on. Our mission is to provide the tools, so that you can focus on what matters.

→ read on GitHub
GitHub 178128 pts 13416 comments

avelino/awesome-go trending with 167.1k stars

A curated list of awesome Go frameworks, libraries and software

→ read on GitHub
GitHub 177889 pts 30812 comments

flutter/flutter trending with 175.5k stars

Flutter makes it easy and fast to build beautiful apps for mobile and beyond

→ read on GitHub
GitHub 165694 pts 21440 comments

f/prompts.chat trending with 151.0k stars

f.k.a. Awesome ChatGPT Prompts. Share, discover, and collect prompts from the community. Free and open source — self-host for your organization with complete privacy.

→ read on GitHub
GitHub 162593 pts 33878 comments

huggingface/transformers trending with 157.6k stars

🤗 Transformers: the model-definition framework for state-of-the-art machine learning models in text, vision, audio, and multimodal models, for both inference and training.

→ read on GitHub
GitHub 151866 pts 9680 comments

langflow-ai/langflow trending with 145.4k stars

Langflow is a powerful tool for building and deploying AI-powered agents and workflows.

→ read on GitHub
GitHub 148780 pts 23434 comments

langgenius/dify trending with 131.7k stars

Production-ready platform for agentic workflow development.

→ read on GitHub
GitHub 141071 pts 31569 comments

vercel/next.js trending with 138.2k stars

The React Framework

→ read on GitHub

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.