How GitHub Stars Mislead Package Selection
·PkgPulse Team
TL;DR
GitHub stars are a vanity metric that correlate poorly with package reliability. Stars measure a moment of interest, not ongoing maintenance. Packages with fewer stars but higher download velocity, recent commits, and responsive maintainers consistently outperform high-star abandoned repos. The best signals: weekly download trends (not counts), issue close rate, release recency, and whether the package has active maintainers — not whether it was featured on Hacker News in 2021.
Key Takeaways
- Stars lag reality by 12-36 months — packages peak in stars after the hype cycle
- Downloads ≠ healthy growth — Legacy packages accumulate downloads forever
- Abandoned packages have high stars — Create React App has 100K+ stars and is deprecated
- The best metrics: download velocity (week-over-week), commit activity, issue response time
- PkgPulse health scores factor in maintenance, community, popularity, and security
The Star Inflation Problem
# Real examples of star-to-health mismatch (2026 data):
# Create React App: 102K stars ← very high
# Status: DEPRECATED. No releases since 2022. Official React docs removed it.
# npm downloads: ~1.5M/week (legacy, not new installs)
# What the stars say: "Popular and trusted"
# Reality: "Don't use for new projects"
# Moment.js: 47K stars ← very high
# Status: Maintenance mode. No new features. Official recommendation: migrate away.
# npm downloads: ~14M/week (legacy projects not migrating)
# Stars tell you: "Battle-tested and popular"
# Reality: "Use Day.js or date-fns for new projects"
# Redux: 60K stars ← extremely high
# Status: Active, but Redux Toolkit is the recommended API (different package)
# The nuance stars miss: "redux" ≠ "@reduxjs/toolkit"
# Raw downloads: 8M/week but 60%+ are redux-toolkit indirect installs
# Zustand: 50K stars
# Status: Active, fast-growing, modern alternative
# Downloads: 8M/week and accelerating
# Both have similar stars — downloads and velocity tell the real story
What Stars Actually Measure
The GitHub Star Lifecycle:
1. Creator launches project → posts to HN, dev.to, Twitter
2. Developer sees it → stars it as "bookmark for later"
3. Stars accumulate during the hype cycle (3-6 months)
4. Stars plateau once it's no longer news
5. Package may continue to improve — or may stagnate
6. Stars never go down, even if the package dies
What stars measure:
✅ "This was interesting to somebody at some point"
✅ "People bookmarked this to try later"
✅ "It got coverage in developer media"
What stars don't measure:
❌ "This is currently maintained"
❌ "This is growing in adoption"
❌ "This solves the problem well in 2026"
❌ "This has responsive maintainers"
❌ "Security vulnerabilities are being patched"
Better Signals: What Actually Predicts Package Health
Signal 1: Download Velocity (Not Count)
# Weekly download COUNT vs VELOCITY:
# Package A: 5M downloads/week, flat for 18 months
# → Established but not growing. May be legacy-heavy.
# Package B: 500K downloads/week, +15% month-over-month
# → Growing adoption. Developers are actively choosing this.
# Package C: 10M downloads/week, -20% year-over-year
# → Actively being replaced. Decline trend matters.
# The velocity signal is more predictive than the count.
# Use npmtrends.com or PkgPulse to see the trend chart.
Signal 2: Commit Activity
# What to look for on GitHub Pulse:
# ✅ Commits in last 30 days → active maintainer
# ✅ Issues being closed → maintainer is responsive
# ✅ PR merge rate → community contributions accepted
# ⚠️ Last commit 6+ months ago → potentially stagnant
# ❌ Last commit 2+ years ago → abandoned (unless deliberately stable)
# "Deliberately stable" packages are fine:
# lodash: rarely needs updates — it's utility functions
# uuid: low-level stable utility
# Express: maintenance mode but intentionally stable
# "Abandoned but pretending otherwise":
# Package with open security vulnerabilities and no response
# Maintainer's last activity was a comment saying "I'll look at this"
# Dozens of open PRs with no review
Signal 3: Issue Response Time
# Issue response time as a proxy for maintainer commitment:
# Excellent: Issues triaged within 48 hours
# Good: Issues triaged within 2 weeks
# Concerning: Issues sitting 30+ days with no response
# Red flag: Critical security issues with no response
# Dead: Issues are locked or have "won't fix" on valid bugs
# The nuance: "triaged" doesn't mean "fixed"
# A maintainer who says "confirmed, working on it" is
# 10x more valuable than silence.
Signal 4: Release Cadence
# Release patterns and what they indicate:
# Monthly releases → active development, responds to issues
# Every 2-3 months → healthy cadence for stable libraries
# Once a year → possibly stable (like Node.js LTS) or neglected
# Last release 2+ years ago → research needed:
# - Is it stable by design? (POSIX tools, stable specs)
# - Or abandoned?
# Pro tip: check CHANGELOG.md, not just release dates
# "Patch: dependency bumps only" for 12 months = no real maintenance
Case Study: The "Stars vs Health" Divergence
Comparing Zustand (~50K stars) vs XState (~28K stars):
Zustand health signals (2026):
- Downloads: 8M/week, +25% YoY → strongly growing
- Last commit: this week
- Issues closed last month: ~45
- Release cadence: monthly
- TypeScript: native
- Bundle: 2KB
XState health signals (2026):
- Downloads: 4M/week, +10% YoY → growing
- Last commit: this week
- Issues closed: consistent
- Release cadence: monthly
- TypeScript: native
- Bundle: 25KB+
Stars predict nothing here — both are healthy.
But Zustand's download velocity shows much stronger adoption.
The use case matters more: Zustand for simple client state,
XState for complex statecharts and workflows.
The point: look at health signals, not star counts.
The Real Metrics to Check
Before installing any npm package, check:
1. PkgPulse Health Score
→ Composite score across maintenance, community, popularity, security
2. npm download trend (last 12 months)
→ npmtrends.com or pkgpulse.com/compare
→ Is it growing, flat, or declining?
3. Last release date
→ npm package page shows this prominently
→ Warning: >12 months for an active-use library
4. Open issues and PRs
→ GitHub → Issues tab → filter "is:open"
→ Are they being triaged? Any P0 security issues?
5. TypeScript support
→ Does it ship types natively (package.json "types" field)?
→ Or rely on @types/ (external, possibly out of date)?
6. Bundle size
→ bundlephobia.com
→ Is it tree-shakeable?
7. Alternatives
→ Are maintainers pointing to a replacement?
→ Does the README say "use X instead"?
Stars: useful for discovering packages.
Useless for evaluating them.
Packages Where Stars Actively Mislead (2026)
| Package | Stars | Reality |
|---|---|---|
| Create React App | 102K | Deprecated since 2023 |
| Moment.js | 47K | Maintenance mode, migrate away |
| request (HTTP) | 25K | Deprecated by maintainer |
| node-fetch v2 | 8K | Succeeded by native fetch and v3 |
| Bower | 15K | Dead since 2018 |
| Grunt | 12K | Superseded by Webpack/Vite |
| CoffeeScript | 16K | Obsolete since TypeScript won |
See health scores, download trends, and real metrics for any package at PkgPulse.
See the live comparison
View zustand vs. jotai on PkgPulse →