OSS Pulse: what your open source dependencies are actually doing
Every engineering team uses open source. Most teams don't monitor it.
They know to watch CVE feeds. They check GitHub stars occasionally. They notice when a library stops being updated — usually after it breaks something in production.
OSS Pulse is a standing monitor for open source project health. Not CVEs — there are plenty of tools for that. This is about maintainer behavior, community signals, and the early indicators that a project is becoming unhealthy, before it becomes a problem.
What OSS Pulse watches
Fork activity analyzer — When a project's community starts forking and maintaining their own versions instead of contributing back to upstream, it's usually a signal that the upstream maintainers have become unresponsive or the project has stalled. OSS Pulse tracks fork velocity, fork age distribution, and whether active forks have significantly diverged from the main branch.
PR merge time — Projects that take 90+ days to merge pull requests are effectively closed to external contributions, even if technically "open." OSS Pulse calculates median and P95 merge time for a rolling 90-day window. A project with a 3-day median merge time and one with a 150-day median look identical on GitHub's contributor graph.
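The merge-time calculation described above, written out as an added example (this is not OSS Pulse's own code): median and P95 time-to-merge over a rolling 90-day window, a count of PRs left open past 60 days, and a check that compares today's P95 against a stored baseline the way the sample report's "14d to 92d" alert does. The pull requests are constructed for the example, and the jump thresholds (3x the baseline, with a 30-day floor) are assumptions, not OSS Pulse's rules.

```python
"""PR merge-time analyzer: added example, not OSS Pulse's own code.

Computes median and P95 time-to-merge over a rolling window, counts PRs
left open past a threshold, and flags a P95 jump against a stored baseline.
The pull requests below are constructed for the example; the jump
thresholds (3x and 30 days) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PullRequest:
    number: int
    opened_at: datetime
    merged_at: Optional[datetime]  # None while the PR is still open


NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)  # constructed "today"


def _pr(number, opened_days_ago, merge_delay_days=None):
    """Build a constructed PR opened N days ago, merged after a delay (or still open)."""
    opened = NOW - timedelta(days=opened_days_ago)
    merged = None if merge_delay_days is None else opened + timedelta(days=merge_delay_days)
    return PullRequest(number, opened, merged)


# Constructed sample: eight quick merges, two slow ones, one merge that falls
# outside the 90-day window, three PRs open for more than 60 days, one fresh.
SAMPLE_PRS = [
    _pr(101, 80, 1), _pr(102, 75, 2), _pr(103, 70, 2), _pr(104, 65, 3),
    _pr(105, 60, 3), _pr(106, 50, 4), _pr(107, 40, 5), _pr(108, 30, 7),
    _pr(109, 85, 60), _pr(110, 100, 92),
    _pr(90, 400, 200),                          # merged 200 days ago: ignored
    _pr(111, 70), _pr(112, 65), _pr(113, 61),   # still open, older than 60 days
    _pr(114, 5),                                # still open, but recent
]


def merge_durations_days(prs, now=NOW, window_days=90):
    """Ascending time-to-merge (days) for PRs merged inside the rolling window."""
    cutoff = now - timedelta(days=window_days)
    return sorted(
        (pr.merged_at - pr.opened_at).total_seconds() / 86400
        for pr in prs
        if pr.merged_at is not None and pr.merged_at >= cutoff
    )


def percentile(sorted_values, pct):
    """Nearest-rank percentile over an ascending, non-empty list."""
    if not sorted_values:
        raise ValueError("percentile of empty list")
    rank = max(1, ceil(pct / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def merge_time_stats(prs, now=NOW, window_days=90):
    """Median and P95 merge time; None when nothing merged in the window."""
    durations = merge_durations_days(prs, now, window_days)
    if not durations:
        return {"merged": 0, "median_days": None, "p95_days": None}
    return {
        "merged": len(durations),
        "median_days": median(durations),
        "p95_days": percentile(durations, 95),
    }


def open_longer_than(prs, days, now=NOW):
    """Count PRs still open that were opened more than `days` ago."""
    cutoff = now - timedelta(days=days)
    return sum(1 for pr in prs if pr.merged_at is None and pr.opened_at < cutoff)


def p95_jump(previous_p95, current_p95, ratio=3.0, min_days=30):
    """True when P95 grew by `ratio` or more AND exceeds `min_days` (assumed thresholds).

    The absolute floor keeps a 1d -> 4d change from paging anyone.
    """
    if previous_p95 is None or current_p95 is None:
        return False
    return current_p95 >= min_days and current_p95 >= ratio * previous_p95


if __name__ == "__main__":
    stats = merge_time_stats(SAMPLE_PRS)
    stale = open_longer_than(SAMPLE_PRS, 60)
    baseline_p95 = 14.0  # constructed: yesterday's stored P95 for this repo
    level = "WARNING" if p95_jump(baseline_p95, stats["p95_days"]) else "INFO"
    print(f"{level} PR merge P95 {baseline_p95:.0f}d -> {stats['p95_days']:.0f}d "
          f"(median {stats['median_days']:.1f}d over {stats['merged']} PRs, "
          f"{stale} open > 60d)")
```

The P95 uses nearest-rank so that a single slow PR in a small window shows up as the P95 rather than being smoothed away by interpolation; the open-PR count is tracked separately because unmerged PRs never appear in merge-time statistics at all.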
Issue response tracker — How quickly do maintainers respond to new issues? For security-sensitive libraries, the difference between "triaged in 2 hours" and "acknowledged after 30 days" matters. OSS Pulse tracks first-response time, resolution rate, and issue stale rate.
Release cadence monitor — A library that releases on a predictable schedule (monthly, quarterly) is usually healthier than one with 18 months between releases. OSS Pulse tracks release frequency, spots cadence breaks (was monthly, hasn't released in 8 months), and flags projects that haven't shipped a release in 365+ days.
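As an added example of the two distinct signals this paragraph separates (a cadence break versus a hard 365-day stale flag), the code below derives a project's usual release gap from its own history and tests the current silence against it. It is not OSS Pulse's code; the release histories are constructed, and the "much longer than usual" multiplier (3x the median gap) and 60-day floor are assumptions.

```python
"""Release cadence monitor: added example, not OSS Pulse's own code.

Derives a project's typical release gap from its history, then flags two
things separately: a cadence break (the project used to release regularly
and has gone quiet for much longer than its usual gap) and a hard stale
flag at 365+ days. Histories are constructed; the 3x multiplier and the
60-day floor are assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)  # constructed "today"

# Constructed history: twelve monthly releases, then nothing for 240 days.
MONTHLY_THEN_SILENT = [NOW - timedelta(days=240 + 30 * i) for i in range(12)]
# Constructed history: a project that has always released about twice a year.
SEMIANNUAL = [NOW - timedelta(days=100 + 182 * i) for i in range(6)]
# Constructed history: a single release, 400 days ago.
ONE_OLD_RELEASE = [NOW - timedelta(days=400)]


def release_gaps_days(release_dates):
    """Gaps between consecutive releases, in days, oldest to newest."""
    dates = sorted(release_dates)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def cadence_report(release_dates, now=NOW, break_ratio=3.0, break_floor_days=60,
                   stale_days=365):
    """Summarise cadence and return both flags.

    cadence_break needs at least two past releases to define a "usual" gap;
    stale only needs to know when the last release was (never released = stale).
    """
    dates = sorted(release_dates)
    if not dates:
        return {"releases": 0, "median_gap_days": None, "days_since_last": None,
                "cadence_break": False, "stale": True}
    days_since_last = (now - dates[-1]).days
    gaps = release_gaps_days(dates)
    median_gap = median(gaps) if gaps else None
    cadence_break = (
        median_gap is not None
        and days_since_last > max(break_ratio * median_gap, break_floor_days)
    )
    return {
        "releases": len(dates),
        "median_gap_days": median_gap,
        "days_since_last": days_since_last,
        "cadence_break": cadence_break,
        "stale": days_since_last >= stale_days,
    }


if __name__ == "__main__":
    for name, history in [("monthly-then-silent", MONTHLY_THEN_SILENT),
                          ("semiannual", SEMIANNUAL),
                          ("one-old-release", ONE_OLD_RELEASE)]:
        r = cadence_report(history)
        flags = [f for f in ("cadence_break", "stale") if r[f]] or ["ok"]
        print(f"{name}: last release {r['days_since_last']}d ago, "
              f"median gap {r['median_gap_days']}d, {', '.join(flags)}")
```

The semiannual project is the case a naive "no release in N days" rule gets wrong: 100 days of silence is normal for it, so only the project-relative check avoids a false alarm, while the single-release project trips the absolute stale flag even though it has no cadence to break.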
Commit message quality — This one's subtle. Projects where commit messages are "fix", "update", or "wip" across 80% of commits tend to have weaker code review culture and documentation practices. It's a soft signal, but consistent. OSS Pulse scores commit message quality (conventional commits compliance, message length, reference to issues/PRs).
Bus factor estimator — What percentage of commits come from a single maintainer? A project where one person authored 94% of the commits in the last 12 months carries different risk than one with 12 regular contributors. OSS Pulse calculates bus factor as a function of author concentration and commit count.
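An added example of the author-concentration calculation described here (not OSS Pulse's own code): it counts commits per author over the last 12 months, reports the top author's share, and derives a bus factor. The page says only that bus factor is "a function of author concentration and commit count"; the specific definition used below (the smallest number of top authors who together account for at least half the window's commits) is an assumption, and the commit logs are constructed.

```python
"""Bus factor estimator: added example, not OSS Pulse's own code.

Measures author concentration over the last 12 months of commits and
derives a bus factor from it. The definition used here (smallest number of
authors who together account for at least half the commits) is assumed for
the example; the commit logs are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Commit:
    author: str
    authored_at: datetime


NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)  # constructed "today"


def _commits(author, count, first_days_ago, spacing_days=1):
    """Constructed helper: `count` commits by `author`, one every `spacing_days`."""
    return [Commit(author, NOW - timedelta(days=first_days_ago - i * spacing_days))
            for i in range(count)]


# Constructed log for a one-maintainer project: alice does almost everything in
# the last year; bob's burst two years ago must not count toward the window.
SOLO_PROJECT = (
    _commits("alice", 46, 300, spacing_days=6)
    + _commits("bob", 3, 200, spacing_days=30)
    + _commits("bob", 20, 700, spacing_days=3)   # all older than 12 months
    + _commits("carol", 1, 40)
)
# Constructed log for a project with twelve roughly equal contributors.
TEAM_PROJECT = [c for n in range(12) for c in _commits(f"dev{n:02d}", 10, 330 - n, 30)]


def author_counts(commits, now=NOW, window_days=365):
    """Commit counts per author inside the window (a Counter, so most_common() works)."""
    cutoff = now - timedelta(days=window_days)
    return Counter(c.author for c in commits if c.authored_at >= cutoff)


def bus_factor(counts, threshold=0.5):
    """Smallest number of top authors whose commits reach `threshold` of the total.

    Works on integer counts rather than fractional shares so that an exact
    50/50 split is not lost to floating-point rounding.
    """
    total = sum(counts.values())
    cumulative = 0
    for n, (_, count) in enumerate(counts.most_common(), start=1):
        cumulative += count
        if cumulative >= threshold * total:
            return n
    return 0  # empty window: nobody is maintaining it


def bus_factor_report(commits, now=NOW):
    counts = author_counts(commits, now)
    total = sum(counts.values())
    top_author, top_count = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "commits_12mo": total,
        "authors": len(counts),
        "top_author": top_author,
        "top_share": round(top_count / total, 2) if total else 0.0,
        "bus_factor": bus_factor(counts),
    }


if __name__ == "__main__":
    for name, log in [("solo", SOLO_PROJECT), ("team", TEAM_PROJECT)]:
        r = bus_factor_report(log)
        print(f"{name}: bus factor {r['bus_factor']}, {r['top_author']} authored "
              f"{r['top_share']:.0%} of {r['commits_12mo']} commits by {r['authors']} authors")
```

Restricting the window matters: on an all-time count, bob's old burst would make the solo project look like a two-person effort, which is exactly the stale picture the 12-month window is meant to correct.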
Dependency freshness — Is the project itself keeping its own dependencies up to date? A project that still pins to a version of a major dependency that shipped 3 years ago has its own maintenance debt and may be reluctant to ship breaking changes. OSS Pulse checks the project's own dependency graph against current major/minor versions.
Security advisory tracker — Not just "does it have CVEs" but "how quickly did the project respond to past CVEs." A project that ships a fix within 7 days of a reported vulnerability is meaningfully different from one that takes 180 days. OSS Pulse looks at the historical response time across all past advisories.
Community health score — A composite A-F grade across: has a contributing guide, has a code of conduct, has a security policy, issue response time < 14 days, PR merge time < 30 days, last release < 180 days, bus factor > 2. Not a perfect proxy for project quality, but a fast signal for "is this project actively stewarded."
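The composite grade above, as an added example rather than OSS Pulse's own scoring code: it applies the seven listed criteria with the thresholds the text gives and returns the failing criteria alongside the letter grade, so a B can be read as "missing a security policy" rather than just a letter. The grade bands (7 of 7 = A, 6 = B, 5 = C, 4 = D, anything lower F) and the sample projects are assumptions; the page does not state how criteria map to letters. A metric that is unknown (nothing merged yet, no release yet) counts as failed, so missing evidence lowers the grade rather than inflating it.

```python
"""Community health score: added example, not OSS Pulse's own code.

Turns the seven criteria into a composite A-F grade and returns the failing
criteria alongside it so the grade is explainable. The grade bands and the
sample projects are assumptions constructed for the example. Unknown metrics
(None) count as failed: absence of evidence is treated as a negative signal.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProjectMetrics:
    has_contributing_guide: bool
    has_code_of_conduct: bool
    has_security_policy: bool
    issue_first_response_days: Optional[float]   # None if no issues yet
    pr_median_merge_days: Optional[float]        # None if nothing merged
    days_since_last_release: Optional[int]       # None if never released
    bus_factor: int


# Each criterion: (name, predicate). Thresholds are the ones the text lists.
CRITERIA = [
    ("contributing guide", lambda m: m.has_contributing_guide),
    ("code of conduct", lambda m: m.has_code_of_conduct),
    ("security policy", lambda m: m.has_security_policy),
    ("issue response < 14 days",
     lambda m: m.issue_first_response_days is not None and m.issue_first_response_days < 14),
    ("PR merge time < 30 days",
     lambda m: m.pr_median_merge_days is not None and m.pr_median_merge_days < 30),
    ("last release < 180 days",
     lambda m: m.days_since_last_release is not None and m.days_since_last_release < 180),
    ("bus factor > 2", lambda m: m.bus_factor > 2),
]

GRADE_BANDS = {7: "A", 6: "B", 5: "C", 4: "D"}  # assumed mapping; anything lower is F


def failing_criteria(metrics):
    """Names of the criteria the project does not meet, in listing order."""
    return [name for name, check in CRITERIA if not check(metrics)]


def health_grade(metrics):
    """Letter grade from the number of criteria met."""
    passed = len(CRITERIA) - len(failing_criteria(metrics))
    return GRADE_BANDS.get(passed, "F")


# Constructed sample projects (names and values are made up for the example).
WELL_STEWARDED = ProjectMetrics(True, True, True, 0.2, 2.3, 20, 4)
SOLO_MAINTAINER = ProjectMetrics(True, False, False, 30.0, 87.0, 847, 1)
NO_SECURITY_POLICY = ProjectMetrics(True, True, False, 1.0, 5.0, 45, 3)
NEVER_RELEASED = ProjectMetrics(True, True, True, 1.0, None, None, 3)


if __name__ == "__main__":
    samples = [("well-stewarded", WELL_STEWARDED), ("solo-maintainer", SOLO_MAINTAINER),
               ("no-security-policy", NO_SECURITY_POLICY), ("never-released", NEVER_RELEASED)]
    for name, m in samples:
        failing = failing_criteria(m)
        detail = f"  (missing: {', '.join(failing)})" if failing else ""
        print(f"{name}: {health_grade(m)}{detail}")
```

Keeping the criteria as a list of named predicates is what makes the score auditable: a tenant who disputes a grade can be shown which of the seven checks failed, and adding an eighth check is one line rather than a rewrite of the grading logic.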
What this looks like in practice
The daily output for a team monitoring their top 50 dependencies:
OSS Pulse Daily Report — 2026-06-27
⚠️ WARNING lefthook (9,233 stars) — PR merge P95 jumped from 14d → 92d
(last 10 PRs averaging 87 days to merge, 3 open > 60 days)
⚠️ WARNING tinyqueue (341 stars) — Last release 847 days ago, no commits in 180d
Bus factor: 1 author (92% of commits)
✅ HEALTHY zod — release cadence stable, 2.3d median PR merge time, A health score
✅ HEALTHY drizzle-orm — 5 releases in 90d, issue response < 4h, B health score
INFO: 47 other dependencies: no significant changes
The "PR merge P95 jumped" alert on lefthook is the kind of signal that's invisible if you're only watching CVEs. It doesn't mean the project is failing — it might mean a maintainer is on vacation — but it's worth noticing.
Current state
OSS Pulse has 1,533 tests across 9 analyzer modules. Each analyzer is deployable as an independent Lambda function with a DynamoDB backing table. The architecture supports monitoring up to 500 repositories per tenant, with daily digest delivery via email or Slack.
The pricing target is $49/month for teams monitoring up to 50 repositories. The marginal cost per repository is low (mostly GitHub API calls and compute); the value is in the alerting logic and the historical trend tracking.
Like the other products in this portfolio, OSS Pulse is fully built and not yet deployed. The SAM template is ready. The GitHub API integration is wired. The first organization willing to try it would have a working product in their hands this week.
That's the recurring pattern: finished, not shipped. The finishing line is an IAM policy detachment and a SAM deploy. The shipping line is sending the email.
Both are scheduled for this week.