Maintained

ID

openssf_scorecard/maintained

Severity

critical

Category

Levels

Optional

false

Tags

security, supply-chain

Description

Is the project maintained?

This check determines whether the project is actively maintained.

Rationale

A project that is not active might not receive patches, might not have its dependencies patched, and might not be actively tested or used. It may therefore carry unpatched vulnerabilities.

However, a lack of active maintenance is not necessarily always a problem. Some software, especially smaller utility functions, does not normally need to be maintained. For example, a library that determines if an integer is even would not normally need maintenance unless an underlying implementation language definition changed.

A lack of active maintenance should signal that potential users should investigate further to judge the situation.

Verification

If the project is archived, it receives the lowest score with FAIL compliance.

The activity considered on the project during the previous period (of 90 days by default) is:

  • Commits

  • Changes in issues (including comments) made by users who are collaborators, members, or owners of the project.

If the activity per week (commits plus qualifying issue changes, averaged over the period) exceeds the minimum weekly activity threshold, the project receives a PASS with the maximum score.

If the activity is below this threshold, the project receives a PARTIAL compliance.
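The scoring rule above, written out as a small Go program. This is an added example, not the Scorecard project's own implementation: the 90-day window, the archived-means-FAIL rule, and which events count are taken from this page, while the threshold value of one activity per week, counting a project that exactly meets the threshold as passing, and the linear scaling of the PARTIAL score are assumptions made here. The sample activity is constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Activity is one event the Maintained check counts: a commit, or a change to
// an issue (including a comment). Issue changes only count when made by a
// collaborator, member or owner, so that flag is carried on the event.
type Activity struct {
	When         time.Time
	Kind         string // "commit" or "issue"
	Collaborator bool   // true for collaborators, members and owners
}

// Result mirrors the page's outcomes: FAIL, PARTIAL or PASS plus a 0..10 score.
type Result struct {
	Compliance string
	Score      int
	Counted    int // activity events that fell inside the window and qualified
}

const (
	lookbackDays       = 90 // from the page: "previous period (of 90 days by default)"
	minActivityPerWeek = 1  // assumed threshold; the page does not state the number
	maxScore           = 10
)

// MaintainedCheck applies the page's rule: archived -> FAIL; otherwise count
// qualifying activity in the last lookbackDays and compare the weekly average
// against the threshold.
func MaintainedCheck(archived bool, activity []Activity, now time.Time) Result {
	if archived {
		return Result{Compliance: "FAIL", Score: 0}
	}
	start := now.AddDate(0, 0, -lookbackDays)
	counted := 0
	for _, a := range activity {
		if a.When.Before(start) || a.When.After(now) {
			continue // outside the 90-day window
		}
		switch a.Kind {
		case "commit":
			counted++
		case "issue":
			if a.Collaborator { // outsiders' comments do not count
				counted++
			}
		}
	}
	weeks := float64(lookbackDays) / 7.0
	required := minActivityPerWeek * weeks // events needed over the whole window
	if float64(counted) >= required {      // assumption: meeting the minimum passes
		return Result{Compliance: "PASS", Score: maxScore, Counted: counted}
	}
	// Assumption: PARTIAL score scales linearly with how close activity came.
	score := int(float64(counted) / required * maxScore)
	return Result{Compliance: "PARTIAL", Score: score, Counted: counted}
}

// SampleActivity builds constructed data relative to now: 6 recent commits,
// 8 collaborator issue changes, 5 issue comments from outsiders (not counted)
// and one commit 120 days back (outside the window). Qualifying total: 14.
func SampleActivity(now time.Time) []Activity {
	var acts []Activity
	for i := 1; i <= 6; i++ {
		acts = append(acts, Activity{When: now.AddDate(0, 0, -i), Kind: "commit"})
	}
	for i := 1; i <= 8; i++ {
		acts = append(acts, Activity{When: now.AddDate(0, 0, -7*i), Kind: "issue", Collaborator: true})
	}
	for i := 3; i <= 7; i++ {
		acts = append(acts, Activity{When: now.AddDate(0, 0, -i), Kind: "issue", Collaborator: false})
	}
	acts = append(acts, Activity{When: now.AddDate(0, 0, -120), Kind: "commit"})
	return acts
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", MaintainedCheck(false, SampleActivity(now), now))
	fmt.Printf("%+v\n", MaintainedCheck(true, SampleActivity(now), now))
}
```

The check is a heuristic: a handful of collaborator comments can push a project over the threshold even with no code changes, and a stable single-purpose library (the page's "is this integer even" case) lands in PARTIAL without anything being wrong. Treat the result as a prompt to look further, not as a verdict.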

Remediation

No remediation work is required from projects that do not pass this check. The check simply provides insight into the project's activity and maintenance commitment.

External users should determine whether the software is the type that would not normally need active maintenance.