←back to thread

Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps

(github.com)

121 points artski | 3 comments | 12 May 25 12:59 UTC | HN request time: 0.607s | source

When I came across a study that traced 4.5 million fake GitHub stars, it confirmed a suspicion I’d had for a while: stars are noisy. The issue is they’re visible, they’re persuasive, and they still shape hiring decisions, VC term sheets, and dependency choices—but they say very little about actual quality.

I wrote StarGuard to put that number in perspective based on my own methodology inspired with what they did and to fold a broader supply-chain check into one command-line run.

It starts with the simplest raw input: every starred_at timestamp GitHub will give. It applies a median-absolute-deviation test to locate sudden bursts. For each spike, StarGuard pulls a random sample of the accounts behind it and asks: how old is the user? Any followers? Any contribution history? Still using the default avatar? From that, it computes a Fake Star Index, between 0 (organic) and 1 (fully synthetic).

But inflated stars are just one issue. In parallel, StarGuard parses dependency manifests or SBOMs and flags common risk signs: unpinned versions, direct Git URLs, lookalike package names. It also scans licences—AGPL sneaking into a repo claiming MIT, or other inconsistencies that can turn into compliance headaches.

It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged. It skims for obvious code red flags: eval calls, minified blobs, sketchy install scripts—because sometimes the problem is hiding in plain sight.

All of this feeds into a weighted scoring model. The final Trust Score (0–100) reflects repo health at a glance, with direct penalties for fake-star behaviour, so a pretty README badge can’t hide inorganic hype.

I added for the fun of it it generating a cool little badge for the trust score lol.

Under the hood, its all uses, heuristics, and a lot of GitHub API paging. Run it on any public repo with:

python starguard.py owner/repo --format markdown It works without a token, but you’ll hit rate limits sooner.

Please provide any feedback you can.

1. catboybotnet ◴[13 May 25 03:14 UTC] No.43969381[source]▶

>>43962427 (OP) #

Why care about stars in the first place? Github is a repo of source repos, using it like social media is pretty silly. If I like a project, it goes into a folder in my bookmarks, that's the 'star' everyone should use. For VCs? What, are you looking to make an open source todo app into a multi million dollar B2B SaaS? VCs are the almighty gods of the world, and us humble peons do not need to lend our assistance into helping them lose money :-)

Outside of that, neat project.

replies(1): >>43976817 #

2. never_inline ◴[13 May 25 19:40 UTC] No.43976817[source]▶

>>43969381 (TP) #

The social-ification of tech is indeed a worrying trend.

This is exacerbated by low-quality / promotional medium articles, linkedin etc.. which promote Nth copycat HTML GPT wrapper app or kubernetes dashboard as the best thing after sliced bread, and not-so-technical programmers falling for it.

This applies to some areas more than others (eg, generative AI, cloud observability)

replies(1): >>44018262 #

3. catboybotnet ◴[18 May 25 01:22 UTC] No.44018262[source]▶

I feel like it promotes younger folks getting into programming by having them follow trends instead of what they might want to do. Don't bother starting to learn, AI will take your job if you do. Vibe code up a SaaS startup and sell it! Look at levelsio, he's making millions and is an influencer!

There's even websites that are dedicated to dumping your SaaSes, like acquire.com!

Stay off social media, ignore trends, and learn the basics. JS frameworks come and go like flies, don't get too invested in the latest and greatest!