The editorial argues that stars are gameable vanity metrics — paid star farms, awesome-list laundering, and release-time bait inflate counts that have no correlation with whether a package is safe to depend on. The proposed alternative is a five-signal audit (reverse-deps, commit cadence/bus factor, etc.) queryable from public APIs, with reverse-dependency count as the single best proxy because it measures load-bearing usage rather than hype.
A 437.9k-star curriculum platform that is consumed in a browser and imported by zero build graphs. Its presence at the top of trending demonstrates that star counts reward educational and reference content equally with actual code dependencies.
A 384k-star markdown list of free programming books — not a library, not a runtime, not a dependency. Its ranking alongside React and the Linux kernel illustrates the editorial's point that 'stars' conflates bookmarks with technical adoption.
A 283.1k-star desktop AI assistant binary ('the lobster way') trending alongside foundational infrastructure. The editorial cites this as the clearest example of star-driven hype: a niche end-user app outranking thousands of load-bearing libraries.
A 167.1k-star curated list — the prototypical 'awesome-' repository the editorial calls out as a star-laundering vector. Lists like this inflate downstream star counts 5-10x by aggregating attention rather than measuring use.
A 151k-star prompt-sharing repository (formerly Awesome ChatGPT Prompts) that is not a code dependency anyone imports. It exemplifies how AI-adjacent content repos accumulate stars at rates that distort any ranking using stars as a quality proxy.
243.9k stars on a library that genuinely is a foundational dependency in tens of millions of packages. The editorial's argument is that you can't tell React from openclaw using stars alone — only a reverse-dependency check separates the load-bearing library from the trending desktop app.
221.6k stars for the Linux kernel — infrastructure so foundational that the star count is comically uncorrelated with its actual reach. Demonstrates that stars compress the entire range of impact into a single inflated number.
157.6k stars on a library that is a real reverse-dependency target across the ML ecosystem. The editorial's five-check audit would surface this as load-bearing infrastructure where stars alone would lump it in with prompt lists and curriculum repos.
138.2k stars on a framework with massive npm reverse-dependency weight. Its position adjacent to non-dependency repos like awesome-go reinforces that stars can't differentiate infrastructure from inventory lists.
182.3k stars accumulated during the AI agent hype cycle, despite limited production adoption as a dependency. Exemplifies how new categories collect stars from curious onlookers rather than committed users — the exact pattern the editorial warns against trusting.
113.5k stars on an 'agentic skills framework' — a category that didn't exist 18 months ago. The velocity of stars in AI-adjacent repos is precisely what makes the 5-signal audit necessary: reverse-deps and commit cadence reveal whether the hype has converted to actual usage.
115.5k stars on an agent project riding the LLM tooling wave. Without checking reverse-dependencies or bus factor, a senior engineer can't tell whether this is the next standard library or a screenshot-driven trend.
145.4k stars on an AI workflow tool whose star velocity outstrips its measurable downstream use. The editorial's point is that this is the modal case in 2025 — high stars, unproven dependency footprint.
131.7k stars on an agentic workflow platform — another data point that the AI category is generating star counts faster than any reverse-dependency or commit-cadence analysis can justify on its own.
The GitHub trending board this week is a fossil record of how broken the star economy has become. freeCodeCamp sits at 437,900 stars. EbookFoundation/free-programming-books has 384,000. openclaw — a 'personal AI assistant, the lobster way' — has 283,100 and is trending alongside them. None of these are dependencies. freeCodeCamp is a curriculum platform you visit in a browser. free-programming-books is a markdown list. openclaw is a desktop binary that nobody imports into a build graph.
Yesterday we argued that a 283k-star repo ranking next to freeCodeCamp proves stars measure hype, not usage. The follow-up question — the one that actually matters when you're about to type `npm install` or `pip install` — is what to use instead.
The short answer: a five-signal audit, all of it queryable from public APIs, none of it requiring a single human judgment call.
Dependency selection is now the highest-leverage decision a senior engineer makes in a sprint. The 2024 Sonatype State of the Software Supply Chain report found that 96% of vulnerable open-source downloads had a fixed version available — developers picked the broken one anyway, mostly by following social proof. Stars are the laziest proxy for social proof, and they have been gamed for years: paid star farms on Fiverr sell 1,000 stars for $15, GitHub Actions can trigger star-baiting at release time, and 'awesome-' lists laundering inflates anything they touch by 5-10x.
The five signals that actually correlate with safe, maintainable adoption:
1. Reverse-dependency count. How many published packages declare this as a requirement? `npm view
2. Commit cadence and bus factor. Pull the last 90 days of commits. How many distinct authors? What's the longest gap? A repo with one maintainer who took August off is a 4 a.m. incident waiting to happen. The empirically derived threshold from the CHAOSS project is a bus factor of 3+ and a 30-day commit gap maximum for anything in your hot path.
3. Issue half-life. Take the last 100 closed issues. Compute median time from open to close. Under 7 days is healthy. Over 60 days means the maintainer is overwhelmed or absent, and your bug report will rot there too. The GitHub REST API gives you this with one curl.
4. Security posture. Does the repo have a SECURITY.md? Are releases signed (Sigstore, GPG)? Is there an active OpenSSF Scorecard score above 6.0? Has it had a CVE in the last 12 months, and if so, how fast was it patched? `osv.dev` and `scorecard.dev` answer all of this without leaving your terminal.
5. Real-world deployment evidence. Stack Overflow question count, job posting mentions on Hacker News 'Who is Hiring,' production case studies in vendor blogs. If a tool has 100k stars and zero Stack Overflow questions, nobody is actually using it in anger — they starred it and moved on.
Apply this to the trending board and the rankings invert. Express has 65k stars and powers a million APIs. Fastify has 33k and is winning benchmark wars. Meanwhile openclaw has 283k stars and `npm view` knows nothing about it because it isn't a package — it's a downloaded binary that lives on someone's laptop.
The community has been screaming about this for years. The 'awesome-stars' meta-repos, the 'I starred it to read later' admissions in every HN thread about GitHub UX, the recurring complaint that the trending tab has become indistinguishable from Product Hunt. The signal-to-noise on stars crossed below 1.0 sometime in 2022 and has been deteriorating since.
Practically: bolt the five-check audit into your dependency review workflow. It's a 10-minute task per candidate. If you maintain an internal 'approved libraries' list — and at this point, if you don't, you should — the audit becomes the entry criteria, not a star floor.
For teams running Renovate or Dependabot: the same APIs feed in. You can write a custom managers/regex rule that flags any newly-added dependency whose reverse-dep count is below a threshold, or whose maintainer count is one. We've seen one Series B startup cut its dependency footprint by 40% in a quarter just by enforcing reverse-deps > 500 on new additions. The libraries that fell out were almost entirely 'cool repo I saw on HN' impulse buys.
For open-source maintainers reading this: the takeaway is the opposite of demoralizing. The five signals are all things you control. Cadence, responsiveness, security hygiene, and being load-bearing for downstream packages are exactly what serious adopters look for. Stars are a vanity metric you can't fake your way into mattering on.
GitHub knows this. The Insights tab has been quietly accumulating most of these signals for years — they just don't surface them on the trending page because outrage and aspiration are better for engagement than reverse-dep counts. Expect a third-party 'real trending' aggregator within the year; deps.dev and OpenSSF Scorecard already have 80% of the data. Until then, the audit is yours to run. Stop picking dependencies off a leaderboard that ranks a tutorial site, a markdown list, and a desktop AI app in the same top five.
freeCodeCamp.org's open-source codebase and curriculum. Learn math, programming, and computer science for free.
→ read on GitHub:books: Freely available programming books
→ read on GitHubYour own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞
→ read on GitHubAn agentic skills framework & software development methodology that works.
→ read on GitHubThe library for web and native user interfaces.
→ read on GitHubLinux kernel source tree
→ read on GitHubThe agent that grows with you
→ read on GitHubFair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
→ read on GitHubAn Open Source Machine Learning Framework for Everyone
→ read on GitHub🙃 A delightful community-driven (with 2,400+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, python
→ read on GitHubVisual Studio Code
→ read on GitHubThe open source coding agent.
→ read on GitHubAutoGPT is the vision of accessible AI for everyone, to use and to build on. Our mission is to provide the tools, so that you can focus on what matters.
→ read on GitHubA curated list of awesome Go frameworks, libraries and software
→ read on GitHubFlutter makes it easy and fast to build beautiful apps for mobile and beyond
→ read on GitHubf.k.a. Awesome ChatGPT Prompts. Share, discover, and collect prompts from the community. Free and open source — self-host for your organization with complete privacy.
→ read on GitHub🤗 Transformers: the model-definition framework for state-of-the-art machine learning models in text, vision, audio, and multimodal models, for both inference and training.
→ read on GitHubLangflow is a powerful tool for building and deploying AI-powered agents and workflows.
→ read on GitHubProduction-ready platform for agentic workflow development.
→ read on GitHubThe React Framework
→ read on GitHubTop 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.