DEV Community: sab0tajue

I scraped every Show HN post from May 2025 to May 2026 that crossed 200 points and ran a quick analysis. There were 334 of them. Here is what landed.

sab0tajue — Sat, 16 May 2026 14:25:08 +0000

Rank	Points	Comments	Title
1	3346	965	Gemini Pro 3 imagines the HN front page 10 years from now
2	1557	363	Jmail – Google Suite for Epstein files
3	1539	197	I'm an airline pilot – I built interactive graphs/globes of my flights
4	1325	241	isometric.nyc – giant isometric pixel art map of NYC
5	1278	209	I built a synth for my daughter
6	1184	333	A store that generates products from anything you type in search
7	1145	144	I spent 6 years building a ridiculous wooden pixel display
8	1094	144	Term.everything – Run any GUI app in the terminal
9	1032	323	I recreated Windows XP as my portfolio
10	1030	263	Tinder but it's only pictures of my wife and I can only swipe right
11	1003	361	Kitten TTS – 25MB CPU-Only, Open-Source TTS Model
12	964	187	A game where you build a GPU
13	958	495	Ten years of running every day, visualized
14	935	234	Draw a fish and watch it swim with the others
15	915	134	I built a tiny LLM to demystify how language models work

github.com is the dominant domain on Show HN

Domain	Posts that crossed 200 pts	Avg points
github.com	134	334
huggingface.co	2	471
gitlab.com	2	330

134 out of 334 successful Show HN posts pointed straight at a github.com URL — about 40%. No fancy landing page, no marketing site, just README.md doing the selling.

If you are about to ship a Show HN, the data says you can absolutely point at the repo. A polished landing page will not save a weak idea, and a strong README will not be punished for being on github.com.

What were the top github.com Show HN's actually about?

Term.everything – run any GUI app in the terminal (1094 pts)
Kitten TTS – 25MB CPU-only open-source TTS model (1003 pts)
A tiny LLM to demystify how language models work (915 pts)
Workout.cool – open-source fitness coaching platform (827 pts)
Needle – distilling Gemini tool calling into a 26M model (751 pts)
Unregistry – docker push directly to servers without a registry (726 pts)
ChartGPU – WebGPU-powered charting library (670 pts)
Whispering – open-source local-first dictation (591 pts)
WhatCable – tiny menu bar app for inspecting USB-C cables (566 pts)

The pattern is clear: small, single-purpose, often local-first, often open-source. Tools developers might actually use tomorrow.

Most-mentioned keywords in titles

Keyword	Posts
AI	20
open-source / open source	22
browser	17
LLM	11
Claude	10
Rust	10
macOS	10
agent	8
MCP	3

AI/LLM/Claude/agent show up in roughly 50 of the 334 top posts. The "open-source" framing is more popular than the platform-specific ones (macOS, Rust). The browser is having a moment, with 17 posts about browser-related projects.

Aggregates

334 Show HN posts crossed 200 points
Total: 132,288 points and 44,998 comments
325 unique authors (most made it to the leaderboard once)
187 unique domains
Median Engagement Score: 70 / 100

Reproduce on your own data

I packaged the analysis as an Apify Actor — search the entire HN archive by query, tags, or date range, or just capture the live front page.

Hacker News Insights on Apify Store

Source code (MIT): github.com/sab0tajue/hackernews-insights. Engagement Score formula is in src/insights.py, around 30 lines.

Tell me what other slices you would like to see. Show HN of the last 3 months? Specific keyword cohorts? Drop a comment and I will run it.

Related: I previously analyzed 200 popular Python repos on GitHub and the top 100 PyPI packages for supply-chain risk.

Top 100 PyPI packages have 1502 open advisories - I scanned them

sab0tajue — Sat, 16 May 2026 14:10:20 +0000

I built a small Apify Actor that joins PyPI, pypistats.org, Google deps.dev, and OSV.dev and rolls them into one row per package: download trends, dependency graph depth, release cadence, license, and known vulnerabilities with severity. Each package gets a transparent Risk Score 0 to 100.

Then I ran it across 101 of the most-downloaded Python packages. Aggregate result:

1,502 open advisories across the set
789 of them are HIGH severity
Combined 51,110,969,391 downloads / month
48 of 101 packages have no explicit license field declared in their PyPI metadata
Median Risk Score across the set: 20 / 100

Every Python project on the planet pulls a chunk of these into production. Below are the highlights.

Most HIGH severity advisories (open)

Package	Latest	HIGH	Open total	Risk
tensorflow	2.21.0	412	676	50
Django	6.0.5	96	275	60
pillow	12.2.0	59	118	60
langchain	1.3.1	28	37	50
urllib3	2.7.0	16	30	70
aiohttp	3.13.5	16	41	50
transformers	5.8.1	15	27	55
cryptography	48.0.0	13	28	70
Scrapy	2.15.2	11	18	65
pip	26.1.1	9	18	60

A few are surprising. pip is everyone's bootstrap tool. cryptography is the one library you trust by name. Both ship with HIGH severity advisories that have not been resolved across all referenced versions.

Most open advisories regardless of severity

Package	Open advisories	Downloads / month
tensorflow	676	22,248,213
Django	275	48,919,109
pillow	118	458,766,714
aiohttp	41	568,817,528
langchain	37	242,406,997
urllib3	30	1,617,997,614
cryptography	28	1,183,622,768
Twisted	27	11,978,196
transformers	27	146,255,058
pip	18	663,706,472

Note: an open advisory does not mean every version is broken. Most advisories are pinned to specific affected version ranges. The number is a measure of historical attack surface, not current exploitability. Still, it is a useful signal of how heavily a package has been audited and how active its threat model is.

Highest Risk Score (composite)

The Risk Score combines: open vulnerabilities, last-release age, license declared yes/no, source URL declared yes/no, total resolved transitive dependencies, and is dampened by very high download counts (many eyes assumption).

Package	Risk	Why
Jinja2	75	15 open vulns, last release 436d ago, no license field
urllib3	70	30 vulns (16 HIGH), no license field
numpy	70	16 vulns (7 HIGH), no license field
cryptography	70	28 vulns (13 HIGH), no license field
Scrapy	65	18 vulns, 36 transitive deps
Django	60	275 advisories total
pip	60	18 vulns, no license field
pillow	60	118 advisories
Flask	60	8 vulns, 8 deps

The "no license field" issue keeps popping up. 48 of 101 most-downloaded packages have no license field declared in their PyPI metadata. This does not mean the projects are unlicensed - almost all of them have a LICENSE file in the repository - but it does mean automated scanners and SBOM generators may flag them as license-unknown, which causes real procurement headaches at large orgs.

Stalest top packages

Package	Last release	Open advisories
vine	923 days ago	0
sniffio	810 days ago	0
python-dateutil	805 days ago	0
openpyxl	686 days ago	2
webdriver-manager	660 days ago	0
six	527 days ago	0
Jinja2	436 days ago	15
rsa	395 days ago	6

Jinja2 going 436 days without a release while sitting on 15 open advisories is the standout. Some of the others are stable-by-design (six, sniffio) and a long gap is fine.

How to reproduce / run on your own list

I packaged the audit as an Apify Actor - paste your requirements.txt, get the analysis as a clean JSON dataset row per package.

PyPI Package Insights on Apify Store

Source code (MIT): github.com/sab0tajue/pypi-package-insights. The Risk Score formula is in src/insights.py, around 80 lines, intentionally legible - re-weigh it for your threat model.

If you have a more interesting set of packages to score, drop a comment with the names and I will run it.

Related: I did the same exercise for 200 popular Python repositories on GitHub earlier.

12 huge Python projects on GitHub depend on a single person — I scored 200 of them

sab0tajue — Sat, 16 May 2026 13:14:28 +0000

Bus factor = 1: hugely popular projects, single point of failure

A repo's bus factor is the smallest number of top contributors who together hold ≥50% of all contributions. A bus factor of 1 means: one person is the project. If they stop, momentum stalls.

Out of 200 popular Python projects, 41 have bus factor = 1. The most exposed:

Project	Stars	Maintainer holding 50%+
EbookFoundation/free-programming-books	388,403	@vhf
donnemartin/system-design-primer	348,823	@donnemartin
vinta/awesome-python	297,915	@vinta
AUTOMATIC1111/stable-diffusion-webui	163,078	@AUTOMATIC1111
521xueweihan/HelloGitHub	157,120	@521xueweihan
open-webui/open-webui	137,303	@tjbck
Comfy-Org/ComfyUI	113,135	@comfyanonymous
Shubhamsaboo/awesome-llm-apps	110,589	@Shubhamsaboo
openai/whisper	99,579	@jongwook
fastapi/fastapi	98,245	@tiangolo

Awesome-lists owning their bus factor is fine. But FastAPI, ComfyUI, Whisper, open-webui are critical infrastructure for a lot of people. Worth keeping in mind when you ship them in production.

"Active-looking" but actually dormant

These are not archived, they look maintained on the surface, yet nobody pushed a commit in the last 4 weeks:

donnemartin/system-design-primer — 348k stars, last push 57d ago
TheAlgorithms/Python — 221k stars, no commits in 4w
AUTOMATIC1111/stable-diffusion-webui — 163k stars, last push 75d ago
ytdl-org/youtube-dl — 140k stars, last push 85d ago
openai/whisper — 99k stars, last push 30d ago
3b1b/manim — 86k stars, last push 27d ago

Some are by design (curated lists, finished tools). Others are slowly going stale.

Release cadence extremes

Shipping fastest among popular projects:

Project	Avg gap between releases	Stars
FoundationAgents/OpenManus	0 days	56,279
PostHog/posthog	0.2 days	34,515
gradio-app/gradio	0.3 days	42,600
langchain-ai/langchain	0.4 days	136,866
langchain-ai/langgraph	0.4 days	32,160

Slowest cadence at 5k+ stars:

Project	Avg gap	Stars
trailofbits/algo	815 days	30,229
satwikkansal/wtfpython	698 days	36,933
deepfakes/faceswap	623 days	55,237
swisskyrepo/PayloadsAllTheThings	552 days	77,735
sherlock-project/sherlock	434 days	83,392

A long gap is not automatically bad — finished tools, security playbooks, and content collections do not need weekly releases.

What 5000+ star Python projects are about

Aggregates

Total stars across the 200 repos: 12,498,901
Total forks: 1,981,076
Median Health Score: 91 / 100
With explicit OSS license: 188 / 200 (12 repos still have no license — risky to depend on those)

How to reproduce / explore your own list

I packaged the analysis as a one-shot Apify Actor — you give it a search query (or a list of owner/repo) and a free GitHub token, you get one row per repo with all the metrics above plus a transparent breakdown of how the Health Score is computed.

GitHub Repository Insights on Apify Store

Free trial, then $0.005 per analyzed repo. You can also clone the input from this post (language: Python, minStars: 5000, pushedSince: 2025-12-01, maxResults: 200) and re-run it against any other language or topic.

If you find more interesting patterns, drop them in the comments — I am curious what your stack looks like.

DEV Community: sab0tajue

I scraped every **Show HN** post from May 2025 to May 2026 that crossed **200 points** and ran a quick analysis. There were 334 of them. Here is what landed.

Top 15 Show HN posts of the year

github.com is the dominant domain on Show HN

What were the top github.com Show HN's actually about?

Most-mentioned keywords in titles

Aggregates

Reproduce on your own data

Top 100 PyPI packages have 1502 open advisories - I scanned them

Most HIGH severity advisories (open)

Most open advisories regardless of severity

Highest Risk Score (composite)

Stalest top packages

How to reproduce / run on your own list

12 huge Python projects on GitHub depend on a single person — I scored 200 of them

Bus factor = 1: hugely popular projects, single point of failure

"Active-looking" but actually dormant

Release cadence extremes

What 5000+ star Python projects are about

Aggregates

How to reproduce / explore your own list

I scraped every Show HN post from May 2025 to May 2026 that crossed 200 points and ran a quick analysis. There were 334 of them. Here is what landed.