Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps
14 comments
May 12, 2025
edoceo
Could you add support for PHP via package.json? Accept patch?
the__alchemist
> It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged.
IMO this is a slight green flag; not red.
artski
Fair take—it's definitely context-dependent. In some cases, solo-maintainer projects can be great, especially if they’re stable or purpose-built. But from a trust and maintenance standpoint, it’s worth flagging as a signal: if 90% of commits are from one person who’s now inactive, it could mean slow responses to bugs or no updates for security issues. Doesn’t mean the project is bad—just something to consider alongside other factors.
sethops1
I have to agree - the highest quality libraries in my experience are the ones maintained by that one dedicated person as their pet project. There's no glory, no money, no large community, no Twitter followers - just a person with a problem to solve and making the solution open source for the benefit of others.
lispisok
It's gonna flag most of the Clojure ecosystem
knowitnone
Great idea. This should be done by GitHub though. I'm surprised GitHub hasn't been sued for serving malware.
nottorp
Of course, GitHub could just drop the stars, but everything has to enshittify towards "engagement" and add social network features.
Or users could ignore the stars and go old school and you know, research their dependencies before they rely on them.
Vanclief
Stars are just a signal. When I am looking at multiple libraries that do the same, I am going to trust more a repo with 200 stars than one with 0. It's not perfect, but I don't have the time to go through the entire codebase and try it out. If the repo works for me I will star it to contribute to the signal.
hungryhobbit
> Dependencies: PyPI, Maven, Go, Ruby
This looks like a cool project, but why on earth would it need Python, Java, Go, AND Ruby?
deltaknight
I think these are just the package managers that it supports parsing dependencies for. The actual script seems to just be a single python file.
It does seem like the repo is missing some files though; make is mentioned in the README but no makefile and no list of python dependencies for the script that I can see.
artski
Yeah, to be fair, I need to clean it up. I was stuck in testing diff strategies and making it work, and just wanted to get feedback ASAP before moving on to the next step (didn't want to spend too much time on something and then find out I was badly wrong about it). Next step is to get it all cleaned up.
27theo
It doesn't need them, it parses SBOMs and manifests from their ecosystems. I think you misunderstood this section of the README.
> Dependencies | SBOM / manifest parsing across npm, PyPI, Maven, Go, Ruby; flags unpinned, shadow, or non-registry deps.
The project seems like it only requires Python >= 3.9!
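To make that README line concrete, here is an added example (not StarGuard's own code) that parses a constructed requirements.txt and package.json and raises the three flags the post describes: unpinned versions, non-registry (VCS/URL) dependencies and lookalike package names. The POPULAR list is a stand-in for a real registry popularity list, and the flag names and the "one edit away" typosquat rule are assumptions for illustration.

```python
"""Manifest risk flags: unpinned, non-registry and lookalike dependencies.

Added example, not StarGuard's code. POPULAR is a constructed stand-in for a
registry popularity list; the inputs below are constructed as well.
"""
import json
import re

# Constructed stand-in for a popularity list (sorted so lookalike hits are deterministic).
POPULAR = sorted({"requests", "urllib3", "numpy", "lodash", "express", "react"})
PINNED_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")          # npm: only an exact triple is pinned


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; names are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    # PyPI treats '-', '_' and '.' as equivalent and names are case-insensitive.
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def lookalike_of(name: str):
    """Return the popular package this name is one typo away from, else None."""
    n = normalize(name)
    if n in POPULAR:
        return None
    for p in POPULAR:
        if levenshtein(n, p) == 1:
            return p
    return None


def is_non_registry(spec: str) -> bool:
    """VCS or URL references bypass the registry entirely."""
    return spec.startswith(("git+", "github:", "git://")) or "://" in spec


def check_requirements(text: str):
    """Return [(name, flags)] for each requirements.txt line."""
    results = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # pip comments need leading whitespace
        if not line:
            continue
        flags = []
        if is_non_registry(line):
            m = re.search(r"#egg=([A-Za-z0-9._-]+)", line)
            name = m.group(1) if m else line
            flags.append("non-registry")
        else:
            m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
            if not m:
                results.append((line, ["unparsed"]))
                continue
            name, spec = m.group(1), m.group(2)
            if "==" not in spec:                          # '>=', '~=', bare name: all float
                flags.append("unpinned")
        look = lookalike_of(name)
        if look:
            flags.append("lookalike-of:" + look)
        results.append((name, flags))
    return results


def check_package_json(text: str):
    """Return [(name, flags)] for dependencies and devDependencies in package.json."""
    data = json.loads(text)
    results = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            flags = []
            if is_non_registry(spec):
                flags.append("non-registry")
            elif not PINNED_SEMVER.match(spec):           # '^', '~', '*', 'latest', ranges
                flags.append("unpinned")
            look = lookalike_of(name)
            if look:
                flags.append("lookalike-of:" + look)
            results.append((name, flags))
    return results


# Constructed sample manifests.
REQUIREMENTS_TXT = """\
requests==2.31.0
urllib3>=1.26            # floating lower bound
requets==1.0.0           # one typo away from 'requests'
git+https://github.com/example/lib.git#egg=lib
"""
PACKAGE_JSON = """{
  "dependencies": {
    "lodash": "4.17.21",
    "express": "^4.18.2",
    "lodsh": "1.0.0",
    "leftpad": "github:example/leftpad"
  }
}"""

if __name__ == "__main__":
    for name, flags in check_requirements(REQUIREMENTS_TXT) + check_package_json(PACKAGE_JSON):
        print(f"{name:12s} {', '.join(flags) or 'ok'}")
```

A lookalike hit is a prompt to look, not a verdict: legitimate packages do sit one edit away from popular ones, which is why a tool like this reports it as a risk sign to weigh rather than a finding on its own.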
Am4TIfIsER0ppos
What is a license trap? This "AGPL sneaking into a repo claiming MIT"? Isn't that just a plain old license violation?
artski
Basically what I mean by it is, for example, a repository appears to be under a permissive license like MIT, Apache, or BSD, but actually includes code that’s governed by a much stricter or viral license—like GPL or AGPL—often buried in a subdirectory, dependency, or embedded snippet. The problem is, if you reuse or build on that code assuming it’s fully permissive, you could end up violating the terms of the stricter license without realising it. It’s a trap because the original authors might have mixed incompatible licenses, knowingly or not, and the legal risk then falls on downstream users. So yeah, essentially a plain old license violation, which is relatively easy to miss or not think about.
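The kind of check that catches the situation described above, as an added example rather than StarGuard's code: it reads the declared licence from the top-level LICENSE/COPYING file, then scans every other file for SPDX headers or licence boilerplate and reports files under a different licence, marking copyleft-in-permissive as a trap. The phrase patterns, severity labels and the repository tree are constructed assumptions for illustration.

```python
"""Licence inconsistency scan: declared permissive, copyleft buried inside.

Added example, not StarGuard's code. Detection is by SPDX header or licence
boilerplate phrase, not full-text matching; the repo tree below is constructed.
"""
import re

# Ordered most-specific first: AGPL and LGPL texts also mention "GNU General Public License".
LICENSE_PATTERNS = [
    ("AGPL-3.0", re.compile(r"GNU AFFERO GENERAL PUBLIC LICENSE|SPDX-License-Identifier:\s*AGPL", re.I)),
    ("LGPL-3.0", re.compile(r"GNU LESSER GENERAL PUBLIC LICENSE|SPDX-License-Identifier:\s*LGPL", re.I)),
    ("GPL-3.0", re.compile(r"GNU GENERAL PUBLIC LICENSE|SPDX-License-Identifier:\s*GPL", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,?\s*Version 2\.0|SPDX-License-Identifier:\s*Apache", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge|SPDX-License-Identifier:\s*MIT", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms|SPDX-License-Identifier:\s*BSD", re.I)),
]
COPYLEFT = {"AGPL-3.0", "LGPL-3.0", "GPL-3.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD"}
TOP_LEVEL = {"LICENSE", "LICENSE.MD", "LICENSE.TXT", "COPYING"}


def detect_license(text: str):
    """First matching identifier, or None when no recognisable licence marker is present."""
    for spdx, pat in LICENSE_PATTERNS:
        if pat.search(text):
            return spdx
    return None


def declared_license(files: dict):
    """Licence the repo claims: whatever the top-level LICENSE/COPYING file says."""
    for path, text in files.items():
        if path.upper() in TOP_LEVEL:
            return detect_license(text)
    return None


def license_findings(files: dict):
    """files: {path: text}. Returns (declared, [(path, licence_found, severity)])."""
    declared = declared_license(files)
    findings = []
    for path, text in sorted(files.items()):
        if path.upper() in TOP_LEVEL:
            continue
        found = detect_license(text)
        if found is None or found == declared:
            continue
        # Copyleft under a permissive banner is the trap; anything else is still worth a look.
        severity = "trap" if declared in PERMISSIVE and found in COPYLEFT else "mismatch"
        findings.append((path, found, severity))
    return declared, findings


# Constructed repository: MIT at the top, AGPL and GPL buried further down.
REPO = {
    "LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...\n",
    "src/app.py": "# SPDX-License-Identifier: MIT\nprint('hello')\n",
    "src/fastpath.c": "/* SPDX-License-Identifier: AGPL-3.0-or-later */\nint f(void) { return 0; }\n",
    "vendor/libfoo/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n...\n",
    "vendor/libfoo/foo.h": "/* no licence header at all */\n",
}

if __name__ == "__main__":
    declared, findings = license_findings(REPO)
    print(f"declared: {declared}")
    for path, found, severity in findings:
        print(f"{severity:8s} {path}: {found}")
```

Files with no marker at all (vendor/libfoo/foo.h above) produce no finding here, which is a known blind spot: a full licence scanner matches against complete licence texts and would also tie foo.h to the COPYING file beside it.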
When I came across a study that traced 4.5 million fake GitHub stars, it confirmed a suspicion I’d had for a while: stars are noisy. The issue is they’re visible, they’re persuasive, and they still shape hiring decisions, VC term sheets, and dependency choices—but they say very little about actual quality.
I wrote StarGuard to put that number in perspective, based on my own methodology inspired by what they did, and to fold a broader supply-chain check into one command-line run.
It starts with the simplest raw input: every starred_at timestamp GitHub will give. It applies a median-absolute-deviation test to locate sudden bursts. For each spike, StarGuard pulls a random sample of the accounts behind it and asks: how old is the user? Any followers? Any contribution history? Still using the default avatar? From that, it computes a Fake Star Index, between 0 (organic) and 1 (fully synthetic).
But inflated stars are just one issue. In parallel, StarGuard parses dependency manifests or SBOMs and flags common risk signs: unpinned versions, direct Git URLs, lookalike package names. It also scans licences—AGPL sneaking into a repo claiming MIT, or other inconsistencies that can turn into compliance headaches.
It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged. It skims for obvious code red flags: eval calls, minified blobs, sketchy install scripts—because sometimes the problem is hiding in plain sight.
All of this feeds into a weighted scoring model. The final Trust Score (0–100) reflects repo health at a glance, with direct penalties for fake-star behaviour, so a pretty README badge can’t hide inorganic hype.
Just for the fun of it, I also added generating a cool little badge for the trust score lol.
Under the hood, it's all heuristics and a lot of GitHub API paging. Run it on any public repo with:

python starguard.py owner/repo --format markdown

It works without a token, but you’ll hit rate limits sooner.
Please provide any feedback you can.
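The star-burst part of the pipeline described in the post, as an added example that is not StarGuard's code: bucket starred_at timestamps by day, locate bursts with a median-absolute-deviation (modified z-score) test, sample the accounts behind each burst, score them on the four cheap signals the post lists (account age, followers, contribution history, default avatar) and roll that up into a 0..1 Fake Star Index. The 3.5 threshold, the equal weighting of the four signals, the AS_OF date and the star history (about three organic stars a day through April 2025 plus one 60-star burst) are constructed assumptions.

```python
"""Star-burst detection with MAD plus a Fake Star Index over sampled accounts.

Added example, not StarGuard's code. Thresholds, weights and the fixture data
are constructed for illustration.
"""
import random
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, median

AS_OF = datetime(2025, 5, 1, tzinfo=timezone.utc)   # constructed "now" for account-age maths


def day_counts(starred_at):
    """Bucket ISO-8601 timestamps by UTC day, filling empty days with 0 so they weigh in."""
    dates = [datetime.fromisoformat(ts).date() for ts in starred_at]
    counts = Counter(dates)
    day, last, out = min(dates), max(dates), []
    while day <= last:
        out.append((day, counts.get(day, 0)))
        day += timedelta(days=1)
    return out


def modified_z(values):
    """Iglewicz-Hoaglin modified z-scores: median and MAD are not dragged up by the burst itself."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    if mad == 0:   # flat baseline: fall back to the scaled mean absolute deviation
        mad = 1.253314 * mean(abs(v - m) for v in values)
        if mad == 0:
            return [0.0] * len(values)
        return [(v - m) / mad for v in values]
    return [0.6745 * (v - m) / mad for v in values]


def find_spikes(starred_at, threshold=3.5):
    """Return [(date, count, z)] for days whose star count is an outlier."""
    counts = day_counts(starred_at)
    z = modified_z([c for _, c in counts])
    return [(d, c, round(s, 2)) for (d, c), s in zip(counts, z) if s > threshold]


def account_suspicion(acct):
    """0..1: share of four throwaway-account signals that fire for this profile."""
    age_days = (AS_OF - datetime.fromisoformat(acct["created_at"])).days
    signals = [age_days < 90, acct["followers"] == 0,
               acct["contributions"] == 0, acct["default_avatar"]]
    return sum(signals) / len(signals)


def fake_star_index(stars, accounts, sample_size=20, seed=0):
    """stars: [(login, starred_at)], accounts: {login: profile}. Returns 0 (organic) .. 1 (synthetic)."""
    spike_days = {d for d, _, _ in find_spikes([ts for _, ts in stars])}
    rng, synthetic = random.Random(seed), 0.0
    for day in spike_days:
        logins = [l for l, ts in stars if datetime.fromisoformat(ts).date() == day]
        sample = logins if sample_size is None or len(logins) <= sample_size else rng.sample(logins, sample_size)
        suspicion = mean(account_suspicion(accounts[l]) for l in sample)
        synthetic += suspicion * len(logins)          # extrapolate the sample to the whole burst
    return synthetic / len(stars)


def build_fixture():
    """Constructed history: 2-4 organic stars/day in April 2025, plus 60 stars in ten minutes on the 20th."""
    organic = {"created_at": "2019-06-01T00:00:00+00:00", "followers": 15,
               "contributions": 120, "default_avatar": False}
    fresh = {"created_at": "2025-04-15T00:00:00+00:00", "followers": 0,
             "contributions": 0, "default_avatar": True}
    pattern, stars, accounts, n = [2, 3, 2, 4, 3], [], {}, 0
    for day in range(30):
        date = datetime(2025, 4, 1, tzinfo=timezone.utc) + timedelta(days=day)
        if day == 19:
            profiles, spacing = [fresh] * 48 + [organic] * 12, timedelta(seconds=10)
        else:
            profiles, spacing = [organic] * pattern[day % 5], timedelta(hours=3)
        for i, profile in enumerate(profiles):
            login = f"user{n}"
            n += 1
            accounts[login] = profile
            stars.append((login, (date + i * spacing).isoformat()))
    return stars, accounts


if __name__ == "__main__":
    stars, accounts = build_fixture()
    for d, c, z in find_spikes([ts for _, ts in stars]):
        print(f"spike {d}: {c} stars, modified z = {z}")
    print(f"Fake Star Index: {fake_star_index(stars, accounts):.2f}")
```

Using the median and MAD rather than mean and standard deviation is what makes the test usable here: a single 60-star day would inflate an ordinary z-score's own baseline, while the median of thirty mostly 2-4 star days stays at 3 and the burst scores well above the 3.5 cut-off. With sample_size=None every account in the burst is scored, which gives the exact index; a sample only approximates it.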