Package Scores

Socket Scores and Alerts

Socket scores and alerts are broken down into the following categories:

  • Supply chain risk
  • Quality
  • Maintenance
  • Vulnerabilities
  • License

We compute the score for each category as a normalized weighted sum of various metrics. These metrics are subject to change as we make improvements to our product. Each metric may also optionally apply a limit.

Given a category $i$, let $x_{i,j}$ be the value of metric $j$, with normalization function $N_j$, weight $w_j$ and limit $l_{i,j}$.

Then the score $S_i$ is

$$S_i = 100 \cdot \min\left(\max\left(0, \min_j l_{i,j}\right),\ \frac{\sum_j w_j N_j(x_{i,j})}{\sum_j w_j}\right)^{\gamma}$$

where $\gamma$ is a power scaling constant based on the size and popularity of the project:

$$\gamma \approx \tfrac{1}{2} + c_0 \log(\text{lines of code}) + c_1 \log(\text{popularity})$$

Socket currently supports the following metrics:

| Metric | Category | Weight | Normalization $N_j(x)$ | Limit $l_{i,j}(x)$ |
|---|---|---|---|---|
| Critical Alerts | Any | 1 | e^{-10x} | 1/4 if x > 0, 1 otherwise |
| High Alerts | Any | 2 | e^{-x} | max(1/4, 1 - x/10) |
| Medium Alerts | Any | 2 | e^{-x/20} | max(1/2, 1.15 - x/20) |
| Low Alerts | Any | 3 | e^{-x/40} | 1 |
| License Quality | License | 12 | x/100 | 1 |
| Maintainer Count | Maintenance | 5 | -(e^{-x/3} - 1) | 0 if x = 0, 1 otherwise |
| Versions Last Year | Maintenance | 5 | -(e^{-x/12} - 1) | 1 |
| Versions Last Two Months | Maintenance | 3 | -(e^{-x} - 1) | 1 |
| Versions Last Month | Maintenance | 2 | -(e^{-x} - 1) | 1 |
| Versions Last Week | Maintenance | 1 | -(e^{-x/0.25} - 1) | 1 |
| Open Issues | Maintenance | 1 | e^{-x/100} | 1 |
| Closed Issues | Maintenance | 1 | -(e^{-x/1000} - 1) | 1 |
| Commits Last Week | Maintenance | 1 | -(e^{-x/4} - 1) | 1 |
| Commits Last Month | Maintenance | 1 | -(e^{-x/6} - 1) | 1 |
| Commits Last Two Months | Maintenance | 1 | -(e^{-x/32} - 1) | 1 |
| Commits Last Year | Maintenance | 1 | -(e^{-x/208} - 1) | 1 |
| Commits | Maintenance | 1 | -(e^{-x/300} - 1) | 1 |
| Version Count | Maintenance | 0.5 | -(e^{-x/10} - 1) | 1 |
| Readme Length | Quality | 5 | x/100 | 1 |
| Bundle Size | Quality | 2 | e^{-x/16384} | 1 |
| Stargazers | Quality | 1 | -(e^{-x/100} - 1) | 1 |
| Forks | Quality | 1 | -(e^{-x} - 1) | 1 |
| Watchers | Quality | 1 | -(e^{-x} - 1) | 1 |
| Lines of Code | Quality | 0.5 | x/50 | 1 |
| Download Count | Supply Chain Risk | 5 | -(e^{-x/10000} - 1) | 1 |
| Transitive Dependency Count | Supply Chain Risk | 1 | e^{-x/1000} | 1 |
| Total Dependency Count | Supply Chain Risk | 1 | e^{-x/1000} | 1 |
| Dependency Count | Supply Chain Risk | 1 | e^{-x/50} | 1 |
| Dev Dependency Count | Supply Chain Risk | 0.5 | e^{-x/100} | 1 |
| Dependency Vulnerability Count | Vulnerability | 1 | 1 - x | 0.5 if x > 0, 1 otherwise |
| Vulnerability Count | Vulnerability | 1 | 1 - x/3 | 1 |
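As an added worked example (not Socket's own code), the following Python evaluates the score formula above for the Vulnerability category, using the Vulnerability rows and the "Any" alert rows transcribed from the table, and shows how a single critical alert's limit caps the score. The page does not give values for c0 and c1, so they are parameters; flooring the log inputs at 1 and clamping a negative weighted sum to 0 before exponentiation are assumptions made so the computation is always defined.

```python
import math

# Rows transcribed from the metric table: name -> (category, weight, N_j, l_ij).
# "Any" rows contribute to every category score; x is the raw metric value.
# Only the Vulnerability rows are included; other categories follow the same pattern.
METRICS = {
    "critical_alerts": ("Any", 1, lambda x: math.exp(-10 * x), lambda x: 0.25 if x > 0 else 1),
    "high_alerts": ("Any", 2, lambda x: math.exp(-x), lambda x: max(0.25, 1 - x / 10)),
    "medium_alerts": ("Any", 2, lambda x: math.exp(-x / 20), lambda x: max(0.5, 1.15 - x / 20)),
    "low_alerts": ("Any", 3, lambda x: math.exp(-x / 40), lambda x: 1),
    "dependency_vulnerability_count": ("Vulnerability", 1, lambda x: 1 - x, lambda x: 0.5 if x > 0 else 1),
    "vulnerability_count": ("Vulnerability", 1, lambda x: 1 - x / 3, lambda x: 1),
}


def gamma(lines_of_code, popularity, c0, c1):
    """gamma ~= 1/2 + c0 log(lines of code) + c1 log(popularity).

    c0 and c1 are not given on the page, so they are parameters. Inputs are
    floored at 1 (assumption) so log() is defined for empty or unknown projects.
    """
    return 0.5 + c0 * math.log(max(lines_of_code, 1)) + c1 * math.log(max(popularity, 1))


def category_score(category, values, g):
    """S_i = 100 * min(max(0, min_j l_ij), sum_j w_j N_j(x_ij) / sum_j w_j) ** g."""
    rows = [(w, n, l, values[name]) for name, (cat, w, n, l) in METRICS.items()
            if cat in (category, "Any")]
    weighted_avg = sum(w * n(x) for w, n, _, x in rows) / sum(w for w, _, _, _ in rows)
    limit = max(0.0, min(l(x) for _, _, l, x in rows))  # tightest limit, floored at 0
    base = min(limit, weighted_avg)
    # Assumption: a negative weighted sum (many vulnerabilities make 1 - x negative)
    # is clamped to 0 so a fractional exponent never yields a complex number.
    base = max(base, 0.0)
    return 100 * base ** g


if __name__ == "__main__":
    # Constructed sample: a package with one critical alert and nothing else.
    sample = {name: 0 for name in METRICS}
    sample["critical_alerts"] = 1
    g = gamma(lines_of_code=20_000, popularity=5_000, c0=0.0, c1=0.0)  # c0 = c1 = 0 gives g = 0.5
    # The critical-alert limit of 1/4 caps the score regardless of the other metrics.
    print(f"gamma={g:.2f} score={category_score('Vulnerability', sample, g):.1f}")
```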

Please note that these metrics are subject to change and may be revised as we make changes to our system. The contents of this document may not exactly represent the scoring system as deployed in Socket at this point in time, as we are continuously adjusting these systems.