Blog · How to
How to evaluate open source software before adopting it
A 12-point checklist for evaluating an open source project before depending on it. The fast triage pass is 15 minutes; the deeper evaluation is 2-4 hours.
Published July 13, 2026 · ~5 min read
The fast triage (15 min)
- License — MIT/Apache/BSD/GPL. Anything else, slow down.
- Last commit — within 3 months for active libs, 12 months for stable.
- Last release — within 6 months for active libs, 24 months for stable.
- Bus factor —
git shortlog -sn --all. 2+ is healthy, 1 is fragile. - Open issues — 100+ with no response = signal. 10+ with response = healthy.
The 12-point checklist
A complete evaluation, in priority order:
- License compatibility. MIT, Apache 2.0, BSD, GPL — all fine for most use cases. AGPL is a viral license; some companies refuse to touch it. Custom "source available" licenses (BSL, SSPL, Elastic) may have use restrictions.
- Last commit and last release. Within 3 months for active, 12 months for stable. 18+ months = candidate for adoption.
- Bus factor. 2+ maintainers with commit access. See the bus factor explainer.
- Open issues and PR response time. Median first-response within 7 days for active projects. 30+ days = warning sign.
- Test coverage and CI status. Look for the CI badge. Click through to see the last green build. A red CI for 3+ months is a real signal.
- Security history. Check the GitHub Security tab for published CVEs. Run your language's audit tool. A project with no published CVEs in 5 years is unusual (could be good or could be that no one is looking).
- Documentation quality. A README with a quickstart, a CHANGELOG, and an examples directory = healthy. A README that's just a project description = probably not.
- Issue template and PR template. Projects with ISSUE_TEMPLATE and PULL_REQUEST_TEMPLATE files have a maintainer who cares about the workflow. A project without them is running on autopilot.
- Sponsoring or institutional backing. GitHub Sponsors, Open Collective, Tidelift, or a company behind the project. A sponsored maintainer is less likely to disappear.
- Downstream users. For npm:
npm dependents. For PyPI: pypistats.org. For Rust: lib.rs reverse deps. A package with 100+ direct dependents is a much bigger commitment than one with 5. - Roadmap or "next steps" section. A project with a clear roadmap or "what's left to do" section has a maintainer who is planning for the future. A project with no roadmap is on autopilot.
- Adoption signals. The GitHub
adopt-metopic, thelooking-for-maintainerbadge, the npmdeprecatedfield, the PyPIdevelopment_status = 7classifier. Any of these means the project is in transition.
The soft signals
The hard signals (bus factor, license, last commit) are necessary but not sufficient. The soft signals — how the maintainer talks in issues, how the PR reviews feel, whether the README reads like it was written for a new user — are the difference between "this project will be there in 3 years" and "this project is one maintainer-burnout away from abandonment." When in doubt, talk to the maintainer. The way they respond to a thoughtful question is itself a signal.
Related reading
Get rescued projects in your inbox
A short Monday-morning note on the projects abandoned last week and who adopted them. No spam, unsubscribe anytime.
Related reading on BreakPoint
The concepts, guides, and reports behind this post.