No attempt to score open source from crawlable metrics is accurate.
The most consequential mistake is treating the absence of a signal as a low value of that signal.
Missing FUNDING file: a crawler that cannot find one records "unfunded", when all it actually knows is "unknown".
Easy to collect doesn't mean meaningful.
Stars on GitHub (ICU only 3.5k, 2.5k), CVE counts (compare the Linux kernel to
One number, many units
npm "downloads" are mostly a count of CI cache misses. A dependent count means something different for a string-padding helper on npm than for a C compression library that is statically linked and shipped as vendored code or a git submodule.
GitHub as the visible universe
Not everything is on GitHub, and contributor counts (and therefore the bus factor derived from them) only see what is.
Project identity differs across platforms.
curl has many names across platforms.
Invisible funding
The most common funding arrangement for critical infrastructure is none of those. It’s a maintainer employed by Red Hat, Google, Intel, Canonical, or a hardware vendor, with the project as some or all of their job, and that arrangement leaves no trace in any file a crawler can fetch. The second most common is consulting and support contracts around the project, which is similarly invisible.
And the error compounds, because such a project doesn't look like an npm package. "The quiet system library with one tired maintainer and no dashboard footprint is exactly what we built all of this tooling to find, and it remains the thing the tooling is structurally worst at seeing."
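As an added illustration (not part of the original notes) of the absence-versus-low-value mistake: a toy health scorer that keeps "not observable" distinct from "zero" and reports how much of the project it could actually see. The signal set, normalisation caps, coverage threshold and the three sample projects are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signals:
    """None means 'not observable from crawlable sources', never 'zero'."""
    funding_file: Optional[bool]
    stars: Optional[int]
    weekly_downloads: Optional[int]
    contributors: Optional[int]


def _normalise(s: Signals) -> dict[str, Optional[float]]:
    # Squash each signal into 0..1 (caps are arbitrary); None passes through untouched.
    return {
        "funding_file": None if s.funding_file is None else float(s.funding_file),
        "stars": None if s.stars is None else min(s.stars / 10_000, 1.0),
        "weekly_downloads": None if s.weekly_downloads is None else min(s.weekly_downloads / 1_000_000, 1.0),
        "contributors": None if s.contributors is None else min(s.contributors / 50, 1.0),
    }


def naive_health(s: Signals) -> float:
    """The mistake: every missing signal is silently scored as its lowest value."""
    parts = _normalise(s)
    return sum(v or 0.0 for v in parts.values()) / len(parts)


def health_with_coverage(s: Signals, min_coverage: float = 0.5) -> tuple[Optional[float], float]:
    """Score only over observed signals and say how much was observed.

    Returns (score, coverage); score is None when too little is observable
    to say anything, instead of a confident-looking low number.
    """
    parts = _normalise(s)
    observed = [v for v in parts.values() if v is not None]
    coverage = len(observed) / len(parts)
    if coverage < min_coverage:
        return None, coverage
    return sum(observed) / len(observed), coverage


# Constructed sample projects; the numbers are illustrative, not measurements.
NPM_HELPER = Signals(funding_file=True, stars=2_000, weekly_downloads=900_000, contributors=40)
VENDORED_C_LIB = Signals(funding_file=None, stars=None, weekly_downloads=None, contributors=None)
SELF_HOSTED_LIB = Signals(funding_file=None, stars=None, weekly_downloads=None, contributors=3)
```

The naive scorer ranks the vendored C library as the least healthy project in the set; the coverage-aware one refuses to rank it at all, which is the honest answer.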