Data and Sources — Quanteta Package Index

This page describes exactly what data we present, where each value comes from, and how every Quanteta-computed index is calculated. Official registry values are reproduced verbatim. The Quanteta indices are derived numbers, computed from those values with the formula published below — they are not measured registry metrics.

Source data collected at:

Scope: a package database, not a package manager

This site indexes software packages (libraries) published on npm, PyPI and crates.io. It is a reference database. It is not a package manager — it does not install, build or manage packages, and it is not affiliated with npm, pip or cargo. Where this site says "package", it means a published library record on one of those registries.

Official fields and their sources

Latest version
The most recent published version string, from the package's npm / PyPI / crates.io registry record.
Weekly downloads
Official download count for the package: npm's last-week downloads API, PyPI download statistics (pypistats), and crates.io download figures. Shown exactly as reported by the registry; not estimated by Quanteta.
License (SPDX)
The license the package declares, normalised to an SPDX identifier where the declaration maps cleanly. The declaration is the publisher's, not ours.
Direct dependencies
The count and list of direct runtime dependencies declared in the package manifest (optional/dev dependencies excluded).
Releases & last-release date
Total number of published versions and the date of the most recent one, from the registry.
GitHub stars
Repository star count from GitHub, shown only where the package links to a resolvable GitHub repository. Omitted otherwise — never imputed.

Quanteta indices — exact formula

Quanteta computes three indices from the official values above. Each is a relative score: for every input metric we compute the package's percentile rank (0–100) within the current dataset, then take a weighted average of those percentile ranks. A score of 70 therefore means "higher on this metric than about 70% of the packages in this database" — not an absolute measurement. Inputs that are missing for a package are dropped and the remaining weights are renormalised; if no input is available, the index is left blank rather than guessed.

Q-Vitality — maintenance activity

Q-Vitality = 0.40 · pct(weekly_downloads)
           + 0.30 · pct(release_frequency_90d)
           + 0.30 · pct(issue_close_rate)        # used only when GitHub data present
(weights renormalised over whichever inputs exist)

Q-Trust — adoption & stability

Q-Trust = 0.29 · pct(github_stars)
        + 0.42 · pct(github_contributors)
        + 0.29 · pct(package_age_days)
(3-input form; a download-stability term is added only once a time-series exists)

Q-Risk — dependency surface

Q-Risk = 0.30 · pct(direct_dependency_count)
       + 0.40 · pct(days_since_last_release)
       + 0.30 · pct(open_issue_ratio)
A higher Q-Risk means more risk factors were detected (more dependencies, staler
releases, higher open-issue ratio). It is a structural indicator, not advice.

pct(x) is the percentile rank of metric x across the dataset. These weights are the values used in this build and are versioned in our collector configuration.
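
The Q-Risk calculation worked through in Python, as an added example (this is not Quanteta's collector code). The tie handling in pct, the one-decimal rounding and the sample records are assumptions made for the illustration; the weights and metric names are the ones published above.

```python
# Added example, not Quanteta's collector code.
# Assumption: pct(x) = share of packages publishing metric x whose value is
# strictly lower, scaled to 0-100 (the page does not define tie handling).
Q_RISK_WEIGHTS = {
    "direct_dependency_count": 0.30,
    "days_since_last_release": 0.40,
    "open_issue_ratio": 0.30,
}

def pct(metric, value, dataset):
    """Percentile rank of value among dataset packages that publish the metric."""
    present = [p[metric] for p in dataset if p.get(metric) is not None]
    below = sum(1 for v in present if v < value)
    return 100.0 * below / len(present)

def q_index(package, dataset, weights):
    """Weighted mean of percentile ranks over the inputs that exist.

    package must be a member of dataset. Missing inputs are dropped and the
    remaining weights renormalised; returns None (blank) when no input exists.
    """
    weighted_sum = weight_total = 0.0
    for metric, weight in weights.items():
        value = package.get(metric)
        if value is None:
            continue  # dropped, never imputed as zero
        weighted_sum += weight * pct(metric, value, dataset)
        weight_total += weight
    if weight_total == 0.0:
        return None
    return round(weighted_sum / weight_total, 1)  # rounding is an assumption

# Constructed sample records (not real registry data).
DATASET = [
    {"name": "alpha", "direct_dependency_count": 0, "days_since_last_release": 10, "open_issue_ratio": 0.10},
    {"name": "beta", "direct_dependency_count": 5, "days_since_last_release": 400, "open_issue_ratio": 0.50},
    {"name": "gamma", "direct_dependency_count": 25, "days_since_last_release": 900, "open_issue_ratio": None},
    {"name": "delta", "direct_dependency_count": 12, "days_since_last_release": 60, "open_issue_ratio": 0.30},
    {"name": "empty"},
]

def scores(dataset=DATASET):
    """Q-Risk for every record in the sample, keyed by package name."""
    return {p["name"]: q_index(p, dataset, Q_RISK_WEIGHTS) for p in dataset}
```

In this sample, gamma has no open_issue_ratio and scores 75.0 from its two remaining inputs; counting the missing input as zero instead of renormalising would have given 52.5.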

Q-Momentum is not published

Q-Momentum would measure week-over-week growth and therefore requires at least two snapshots. Until a second snapshot exists, we do not publish a momentum number — we will not fabricate a trend from a single point in time.

At-a-glance factual tags

Each package may carry one or more plain factual flags, shown on the listing and at the top of its page. These are not ratings or opinions — each is a deterministic boolean computed only from official registry fields. Recency-based flags are measured against the data collection date (the "Source data collected at" timestamp), so they are reproducible from the snapshot rather than the wall-clock. A flag appears only when the underlying field is actually published; if a field is missing, no flag is shown (and none is implied).

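Recently published
The latest version was published within 90 days of the data collection date.
No release in 2+ years
The latest published version is 730 or more days older than the data collection date.
New package
First published within 180 days of the data collection date.
Zero dependencies
Declares no direct runtime dependencies in its manifest.
Many dependencies (20 or more)
Declares 20 or more direct runtime dependencies.
Single release
Exactly one published version exists on the registry.
Single maintainer
Exactly one maintainer is listed on the npm registry. This flag is currently available for npm packages only, where the registry exposes a maintainer count; it is never shown for packages where that field is absent.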
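
The flag rules above evaluated against a fixed snapshot date, as an added example (not code from Quanteta). The record field names, the English flag labels and the sample records are assumptions made for the illustration.

```python
from datetime import date

def factual_flags(rec, snapshot):
    """Flags for one registry record, measured against the snapshot date.

    rec uses hypothetical field names; an absent field yields no flag.
    """
    flags = []
    last = rec.get("last_release")    # date of the newest published version
    first = rec.get("first_release")  # date of first publication
    deps = rec.get("direct_deps")     # count of direct runtime dependencies
    if last is not None:
        age = (snapshot - last).days  # snapshot date, never date.today()
        if age <= 90:
            flags.append("Recently published")
        if age >= 730:
            flags.append("No release in 2+ years")
    if first is not None and (snapshot - first).days <= 180:
        flags.append("New package")
    if deps is not None:
        if deps == 0:
            flags.append("Zero dependencies")
        elif deps >= 20:
            flags.append("Many dependencies (20 or more)")
    if rec.get("version_count") == 1:
        flags.append("Single release")
    # Maintainer count is used for npm records only; never inferred elsewhere.
    if rec.get("registry") == "npm" and rec.get("maintainers") == 1:
        flags.append("Single maintainer")
    return flags

SNAPSHOT = date(2025, 1, 1)  # constructed collection date
SAMPLE = [  # constructed records, not real registry data
    {"name": "fresh-lib", "registry": "npm", "last_release": date(2024, 12, 1),
     "first_release": date(2024, 10, 1), "direct_deps": 0,
     "version_count": 1, "maintainers": 1},
    {"name": "stale-lib", "registry": "pypi", "last_release": date(2022, 6, 1),
     "direct_deps": 24, "version_count": 7},
    {"name": "sparse-lib", "registry": "crates.io"},  # no fields published
]

def flag_report(records=SAMPLE, snapshot=SNAPSHOT):
    """Map each package name to its list of flags."""
    return {r["name"]: factual_flags(r, snapshot) for r in records}
```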

License-family filter (normalisation)

The registry's declared license string is always shown verbatim on the package page. For the listing filter, the raw string is additionally mapped to a coarse license family (MIT, Apache-2.0, BSD, GPL, LGPL, AGPL, ISC, MPL, BSL, PSF, Unlicense, Creative Commons, Multi-license, Proprietary / Custom, Other / Custom). This is a deterministic lookup so the filter is usable — some registries publish dozens of slightly different spellings, or even paste full licence text into the field. The family is a grouping aid; the canonical value is the verbatim string we display, never the family label.

Coverage & record selection

This build contains 2971 publishable packages across npm, PyPI and crates.io, declaring 138 distinct licenses. We track roughly the top packages by popularity in each ecosystem. A package is published here when it has a name and at least one official signal (a version, a download figure, or a description).

Update policy

Data is collected by automated collectors that query the live registries. Download counts and versions change over time, so pages are regenerated when the underlying data changes; the "Source data collected at" timestamp reflects the actual data collection time, never a cosmetic edit. We do not falsify freshness.

Data quality & integrity

Limitations & caveats