From Commits to Confidence: Towards Stability-Informed Risk Assessment in Open Source Software

TL;DR

This paper investigates the stability of open source software projects by analyzing commit patterns, revealing that most projects are unstable and highlighting the importance of stability for assessing project resilience and risk.

Contribution

It introduces a stability measurement framework based on commit patterns and compares stable versus unstable repositories, emphasizing the need for multi-dimensional stability assessment.

Findings

Only 2% of repositories are daily stable

29% are weekly stable, 50% are monthly stable

Stable repositories have more evenly distributed contributions

Abstract

Open source software (OSS) generates trillions of dollars in economic value and has become essential to the technical infrastructures that power organizations worldwide. As these systems increasingly depend on OSS, understanding the evolution of these projects is critical. While existing metrics provide insights into project health, one dimension remains understudied: project resilience, or the ability to return to normal operations after disturbances such as contributor departures,security vulnerabilities and bug report spikes. We hypothesize that stable commit patterns may serve as an indicator of underlying project characteristics such as mature governance, sustained contributors, and robust development processes, factors that existing research associates with resilience. Our findings reveal that only 2% of repositories exhibit daily stability, 29% achieve weekly stability, and 50\% demonstrate monthly stability, while the remaining half are unstable across all levels of granularity. Analysis of the 50 unstable repositories indicate that 86% of activity is concentrated among a few maintainers, with the top 3 contributors accounting for over 50% of commits in the past 5 years. In contrast, the 50 stable repositories distribute work more evenly, with the top 3 contributors representing less than 50% of commits. Our insights thus far indicate the fragile and multi-dimensional nature of OSS project stability, suggesting a need to go beyond commits to understand how our understanding of stability can be enriched with other considerations such as community engagement metrics and issue or pull request churn. Though our efforts only identified two repositories that achieved stability at all three temporal commit granularities, further investigation into their processes and policies can provide insights and foundations for stability-informed risk assessment in practice.