encode/httpx
The project was used as a methodological example because the recent-window reading differed meaningfully from its full-history structural profile. It should not be described as insecure because of this comparison.
The study reran selected high-deviation cases in full-history mode to test whether recent-window readings represented the deeper structural profile of mature projects.
Fast mode and full mode are not contradictory. They observe different temporal questions.
The project was used as a methodological example because the recent-window reading differed meaningfully from its full-history structural profile. It should not be described as insecure because of this comparison.
The same boundary appears in another mature project: recent activity can look more AI-shaped or less volatile than the long-term contributor structure suggests.
| Metric | httpx fast | httpx full | cobra fast | cobra full |
|---|---|---|---|---|
| Top contributor share | 0.3690 | 0.4668 | 0.0968 | 0.1453 |
| Bus factor 50p | 2 | 2 | 7 | 11 |
| Bus factor 75p | 16 | 13 | 18 | 75 |
| Gini coefficient | 0.5232 | 0.7974 | 0.3715 | 0.6441 |
| Developer turnover | 0.0679 | 0.9094 | 0.0231 | 0.9104 |
| AI influence score | 0.4362 | 0.1454 | 0.3959 | 0.0875 |
| Effective SDLC mode | hybrid | human | hybrid | human |
Note: Turnover refers to contributor-base churn across the analyzed window, not organizational attrition.
Recent-window analysis may underrepresent historical concentration in mature projects.
Recent-window analysis may overestimate inferred AI influence when recent activity is cleaner or more uniform than the full history.
Fast mode is appropriate for screening and prioritization, while full-history analysis is the validation step for higher-stakes decisions.
Escalate packages that sit in sensitive or high-impact paths.
Use full history before adding strategically important dependencies.
Validate structure when compromise or disruption would carry high operational cost.
Rerun cases where recent behavior diverges strongly from expected structure.
Be cautious when recent activity may not represent a long accessible history.
Treat confidence warnings as a reason to inspect, not as a security verdict.