Method boundary

Fast mode and full mode observe different temporal questions.

The study reran selected high-deviation cases in full-history mode to test whether recent-window readings represented the deeper structural profile of mature projects.

Fast mode and full mode are not contradictory. They observe different temporal questions.

Why These Cases Were Rerun

encode/httpx

The project was used as a methodological example because the recent-window reading differed meaningfully from its full-history structural profile. It should not be described as insecure because of this comparison.

spf13/cobra

The same boundary appears in another mature project: recent activity can look more AI-shaped or less volatile than the long-term contributor structure suggests.

Fast / Full Comparison

Metric comparison from the paper. Values are methodological examples and are not security ratings.
Metric httpx fast httpx full cobra fast cobra full
Top contributor share0.36900.46680.09680.1453
Bus factor 50p22711
Bus factor 75p16131875
Gini coefficient0.52320.79740.37150.6441
Developer turnover0.06790.90940.02310.9104
AI influence score0.43620.14540.39590.0875
Effective SDLC modehybridhumanhybridhuman

Note: Turnover refers to contributor-base churn across the analyzed window, not organizational attrition.

Interpretation

01

Recent-window analysis may underrepresent historical concentration in mature projects.

02

Recent-window analysis may overestimate inferred AI influence when recent activity is cleaner or more uniform than the full history.

03

Fast mode is appropriate for screening and prioritization, while full-history analysis is the validation step for higher-stakes decisions.

When to Escalate

Critical dependencies

Escalate packages that sit in sensitive or high-impact paths.

Onboarding decisions

Use full history before adding strategically important dependencies.

Supply-chain sensitivity

Validate structure when compromise or disruption would carry high operational cost.

Unusual deviations

Rerun cases where recent behavior diverges strongly from expected structure.

Mature projects

Be cautious when recent activity may not represent a long accessible history.

Low confidence

Treat confidence warnings as a reason to inspect, not as a security verdict.