Deeply Nested
Tier 1deeply_nested Control structures nested deeper than 4 levels. Reasoning about deeply nested code requires tracking many simultaneous states. ND ≥ 8 is a strong refactoring signal.
appsmith's bundled ECharts tops activity risk — 5 functions to address first
Four of appsmith's five top-ranked hotspots live inside a single bundled third-party file. The fifth — evaluateTree, in the data evaluation worker — is genuine application logic that will move to rank one after the ECharts bundle is excluded. For the four bundle entries, the action isn't a refactoring sprint; it's an exclusion rule and a package-manager migration.
graphify's extract layer carries the highest activity risk — 2 functions to address first
graphify's extraction layer is carrying extreme structural complexity while being actively changed — a combination that makes regressions likely with every commit touching extract.py.
cal.com's booking layer carries the highest activity risk — 5 functions to address first
Three of cal.com's top five hotspots are named `handler` — all in the booking layer. One has a cyclomatic complexity of 243.
agent-browser's React bridge has top activity risk — 5 functions to address first
A Hotspots analysis of vercel-labs/agent-browser at commit 82eadce, surfacing React instrumentation, CLI, and command-parser functions with the highest activity-weighted risk.
novuhq/novu's framework layer carries the highest activity risk — 2 functions to address first
The two highest-scoring functions in novu's codebase aren't application code at all — they're vendored library internals bundled directly into packages/framework/src/jsonSchemaFaker.js, and they're being attributed commit activity right now. That conflation of third-party complexity with first-party churn is itself the finding worth unpacking.
GitNexus's ingestion core carries the highest activity risk — 2 functions to address first
At the heart of GitNexus's ingestion pipeline, two functions are simultaneously the most structurally complex and the most actively changed code in the entire codebase — a combination that turns every commit into a live regression risk. With 544 critical-band functions across 3,612 total, the scope of structural debt here is significant, but two functions demand attention right now.
3x-ui's bot and inbound paths carry the highest risk — 5 functions to address first
Five functions in 3x-ui are both structurally complex and actively changing right now — one with a cyclomatic complexity of 101. That combination is a live regression risk, not a cleanup backlog item.
NervJS/taro's transformer layer carries the highest structural debt — 5 functions to fix
The riskiest code in NervJS/taro isn't what's changing right now — it's what stopped changing 133 days ago and was already too complex to reason about when it did. Five functions in the transformer and convertor packages have accumulated cyclomatic complexity scores between 55 and 88, nesting depths up to 10, and fan-out counts as high as 163, with zero commits in the last 30 days and no active owners visible in the data.
supabase's type parser and storage explorer are the highest risks — all 5 touched today
Every function in supabase's top-five hotspot list was touched in the last day. Two of them share a single file in the docs layer. One has fan-out into 173 distinct callees. The structural debt isn't theoretical — it's actively compounding.
mattermost/mattermost's API and notification layer carries the highest activity risk — 5 functions to address first
Five functions across mattermost's server API, frontend notification logic, and admin console are simultaneously the hardest to reason about and the most recently changed — meaning any engineer shipping code this week is working right next to live regression risk. The top hotspot, `getUsers` in `server/channels/api4/user.go`, carries an activity-weighted risk of 20.86 with a cyclomatic complexity of 33, a nesting depth of 8, and 55 distinct callees — and it was changed 0 days ago.
jan's proxy and provider UI carry the highest first-party risk — 2 functions to address first
Three of jan's top five hotspots are bundled Swagger UI code; the two first-party functions to act on are proxy_request (CC 191, fan-out 64) in the Tauri server layer and ProviderDetail (fan-out 106) in the provider settings UI.
chakra-ui's codemod layer carries the highest activity risk — 2 functions to address first
Chakra-ui's codemod layer is where structural complexity and live commit activity collide: two functions in that package hold critical-band risk scores and were each touched within the past month, making them live regression risks rather than backlog items. If you're shipping codemod tooling for a major migration, these are the two functions that deserve a closer look before the next release.
CowAgent's LLM protocol layer carries the highest activity risk — 2 functions to address first
Two functions in CowAgent are both structurally extreme and changing right now — CC 120+ with nesting 7–11 deep, touched repeatedly in the last 30 days. That combination makes regressions a live risk rather than a cleanup backlog item.
go-gorm/gorm's schema debt leads the risk list — 5 functions to address first
gorm's highest-risk functions are mostly quiet right now, but they carry heavy structural debt: schema field setup, condition building, association saving, schema parsing, and create-value conversion all combine high branching with deep nesting or broad fan-out. The next change in these paths will inherit months of dormancy plus dense control flow.
portainer's Kubernetes and API layer — 5 high-activity-risk functions to address first
Five functions in portainer/portainer sit in the 'fire' quadrant right now — structurally complex and touched within the last week. Any engineer shipping changes to the Kubernetes ingress UI or the endpoint/registry update handlers this week is working inside the highest-risk surface in the codebase.
pi's AI provider and tooling layers carry the highest activity risk — 5 functions to address first
Pi's AI provider layer is its leading regression hotspot, but the top five also include model-data generation, autocomplete, and response-stream processing.
rustfs storage and protocol hotspots — 5 functions to address first
In rustfs, the highest-priority functions are not concentrated in one subsystem: storage healing, Swift request handling, scanner traversal, lifecycle evaluation, and object listing all appear in the top five. The common theme is structural density — every listed function combines complex branching, deep nesting, exit-heavy flow, god-function scope, and long-function shape.
cherry-studio's AI core and MCP layer carry the highest activity risk — 5 functions to address first
Two functions deep in cherry-studio's MCP integration and AI reasoning layer are both structurally extreme and actively changing — a combination that makes regressions not a future concern, but a pres
outline/outline's editor and WebSocket queue carry the highest activity risk — 5 hotspots
A Hotspots analysis of outline/outline at commit 7e252f0, surfacing the top functions by activity-weighted risk score.
BMAD-METHOD's installer module carries the highest activity risk — 5 functions to address first
Five functions in BMAD-METHOD's installer layer combine high cyclomatic complexity with deep nesting and active churn — making the module management subsystem the repo's highest-priority refactoring target.
Remotion's compositor and media-parser carry the highest activity risk — two to fix first
The two highest-risk functions in remotion-dev/remotion were both modified yesterday and together exhibit cyclomatic complexity scores of 53 and 118 — meaning each one branches across dozens of independent execution paths while still actively receiving changes. That combination is a live regression risk, not a backlog item.
twentyhq/twenty sandbox and rendering hotspots — 5 functions to address first
Two critical-band functions — a spreadsheet recalculation engine buried inside a sandbox script and a halftone canvas renderer with 140 distinct callees — are both structurally complex and were touched just three days ago, making them live regression risks rather than backlog cleanup items. With 647 critical functions across 16,560 total, Twenty's codebase is actively scaling, and these two hotspots sit at the intersection of structural complexity and ongoing churn.
alibaba/canal's adapters carry the highest activity risk — 5 functions to address first
A Hotspots analysis of alibaba/canal at commit cf97b2a, surfacing the top functions by activity-weighted risk score.
Kong/insomnia's rendering and sync layer carries the highest activity risk — 5 functions to address first
Five functions in Kong/insomnia are both structurally complex and actively changing right now — the top-ranked `clientAction` carries an activity-weighted risk score of 18.66 with a cyclomatic complexity of 63, and it was touched 9 days ago. For any engineer shipping against this codebase this week, that combination is a live regression risk, not a backlog item.
chrome-devtools-mcp's response layer carries the highest risk — 2 functions to fix first
Two functions in a single file are driving nearly all of chrome-devtools-mcp's live regression risk — and both were touched in the last two days.
alist's WebDAV XML layer carries the highest activity risk — 3 functions to address first
Four of alist's top five hotspots sit in the internal WebDAV XML implementation; unmarshal leads with CC 36 and fan-out 66, while UploadByMultipart's fan-out of 48 makes it the clearest storage-driver refactoring target.
headscale's policy/v2 layer carries the highest activity risk — 2 functions to address first
headscale's policy engine is where structural complexity meets live development pressure: the two highest-risk functions are both actively changing right now, making them live regression risks rather
langextract's batch provider and extraction carry the highest activity risk — 5 hotspots
langextract's core extraction and OpenAI batch provider are both structurally overloaded and actively changing right now — a combination that puts live regression risk on the table, not just future cleanup. With 72 critical-band functions across 348 total, the codebase has meaningful structural debt concentrated in exactly the modules users interact with most.
trpc/trpc's HTTP core carries the highest structural debt — 5 functions to address first
The most structurally risky code in trpc/trpc isn't in active churn right now — it's sitting untouched for nearly two months while accumulating the kind of fan-out and branching complexity that makes the next change to it a genuine regression risk. Of 1,438 functions analyzed, 50 landed in the critical band, and the top two haven't been touched in 59 days.
echo's binding layer carries the highest activity-weighted risk — 5 functions to address
echo's request binding owns the top two risk slots — `bindData` calls 41 distinct functions while `bindValue` branches across 29 execution paths, both in actively committed code across a framework trusted by thousands of Go services.
career-ops' analysis layer carries the highest activity risk — 5 functions to address first
The top-ranked function in career-ops has 54 outbound calls and 42 execution paths — and it was touched just 27 days ago. That combination makes it a live regression risk, not a cleanup backlog item.
WxJava's member card and serialization layers carry the highest structural risk — 5 functions to address first
WxJava's highest-risk function has CC 42 and 72 callees, so the next developer to open it faces a high blast-radius change.
Folo's UI and integration layer has the highest activity risk — 5 functions to address
Across 3,823 functions in RSSNext/Folo, the five highest-risk functions are all fire-quadrant — structurally complex and actively changing at the same time, not backlog items. The most striking case is a JSON tokenizer duplicated across two packages with a cyclomatic complexity of 47, sitting in the fire quadrant alongside a keyboard-simulation function carrying a CC of 61.
rust-course's rustlings-zh entry points carry the highest structural debt — 2 functions to address first
The two highest-risk functions in rust-course haven't been touched in over three years — but their complexity means the next developer who does will face a steep blast radius.
minimind's RL trainers carry the highest activity risk — 3 functions to address first
minimind's RL training layer is both its most complex and most actively changing code — two trainer functions at CC 52 with commits landing days ago, making refactoring a live risk.
FlowiseAI/Flowise's agent execution layer carries the highest activity risk — 5 functions to address first
The functions powering Flowise's agent execution are not just complex — they're changing constantly, making every commit a regression risk. Five functions in the agent and graph layers all sit in the
eslint's rule engine carries the highest activity risk — 2 functions to address first
The eslint rule most developers rely on to catch dead code also has 114 independent execution paths — and it's still being actively changed. That combination is a live regression risk, not a cleanup b
TanStack/query's persistence and devtools layers carry the highest activity risk — 3 functions to address first
TanStack/query's persistence layer is its hottest code right now — the top-ranked function is both structurally dense and seeing heavy recent commit activity, a combination that makes regressions far
OpenCut's timeline and audio layer carries the highest activity risk — 5 functions to address first
OpenCut's timeline drag-drop hook is simultaneously its most structurally complex and most actively changing function — a combination that turns every commit into a regression gamble.
tldraw's Editor.ts carries the highest activity risk — 3 functions to address first
Three of tldraw's five highest-risk functions live in one file — and they're all actively changing. That's not a cleanup backlog; it's a live regression surface.
chatbox's UI and knowledge-base layers carry the highest activity risk — 5 functions to address first
The main input component in chatbox packs 117 execution paths and touches 142 distinct callees — and it's still being actively committed to, which turns a complexity problem into a live regression ris
jsoncrack.com's json2go and parser layers carry the highest activity risk — 5 functions to address first
The json2go converter in jsoncrack.com carries CC 32 and fan-out 47 — deep structural debt untouched for 40 days that represents a high blast-radius risk for any future development on these files.
hexojs/hexo's post-rendering layer carries the highest activity risk — 5 functions to address first
The function that escapes Swig template tags in hexo's post pipeline has a cyclomatic complexity of 61 and hasn't been touched in 114 days — structural debt with a high blast radius that warrants refactoring before the next development push.
oh-my-openagent's event and hooks layer carries the highest activity risk — 5 functions to address first
The event plugin and pre/post tool-use hooks in oh-my-openagent are simultaneously the most structurally complex and the most actively changed code in the repo — a combination that makes them live reg
lerna's oidc and command initializers carry the highest activity risk — 3 to prioritize
lerna's oidc function hits CC 35 — structurally complex with a high blast radius when next changed. At 127 days untouched, it's overdue for refactoring before the next development push on the authentication layer.
full-stack-fastapi-template's HTTP client layer carries the highest activity risk — 2 functions to address first
The HTTP client layer in full-stack-fastapi-template carries a cyclomatic complexity of 15 and 5 levels of nesting while seeing active commit churn — a live regression risk, not a future cleanup item.
Zod's JSON schema layer carries the highest activity risk — 5 functions to address first
Zod's JSON schema conversion layer is actively changing while carrying extreme structural complexity — one function alone has 114 execution paths and calls 79 distinct functions.
lossless-cut's renderer layer leads activity risk — 5 functions to address first
lossless-cut's App function has a cyclomatic complexity of 143 and calls 394 distinct functions — and it's still being actively changed, making every commit a regression gamble.
styled-components' CSS parsing layer carries the highest activity risk — 4 functions to address first
styled-components' CSS parsing layer mixes structural debt (sanitizeCSS, hasUnbalancedBraces — untouched 39 days) with actively changing fire-quadrant functions, making it a high blast-radius refactoring target.
typeorm's query-builder and driver layer carries the highest activity risk — 5 functions to address first
typeorm's WHERE-clause builder and Postgres type-conversion functions are simultaneously the most complex and most actively changed code in the repo — where structural debt meets commit velocity.
react-hook-form's control layer carries the highest activity risk — 3 functions first
The function that powers every react-hook-form instance has CC 174 and touched 112 distinct callees — still being actively changed. That combination turns complexity into regression risk.
marked's Tokenizer and Instance layers carry the highest activity risk — 3 functions to address first
marked's list tokenizer scores CC 51 with fan-out 31 — structural debt that hasn't been touched in 33 days and carries a high blast radius when next changed.
context7's CLI commands carry the highest activity risk — 5 functions to address first
context7's CLI command layer is where complexity and commit churn collide: generateCommand has a fan-out of 99 and is actively changing, making every edit a regression risk.
google/zx's markdown layer is the live regression risk — 4 structural debt functions follow
zx's markdown transformer is the live regression risk — CC 18 and actively changing. _pipe and formatCmd are structural debt: equally complex, but stable for months and overdue for proactive refactoring.
bruno's OpenAPI sync and CLI runner carry the highest activity risk — 3 functions to address first
Two anonymous god-functions in openapi-sync.js (CC 135, CC 100) and a CLI runner function (CC 169) are both structurally extreme and actively changing, making them live regression risks in bruno's request execution layer.
get-shit-done's CLI core carries the highest activity risk — 5 functions to address first
Every top hotspot in get-shit-done lives in the CLI layer — and all five are actively changing right now. The command dispatcher alone has 181 execution paths and calls 108 distinct functions.
lx-music-desktop's renderer layer carries the highest structural risk — 5 functions to address first
183 critical functions in lx-music-desktop — and the riskiest ones sit untouched in the renderer layer, accumulating structural debt that will bite hard the next time anyone opens them.
learn-claude-code's agent layer carries highest activity risk — 5 functions to address
The agent loop functions in learn-claude-code are both structurally complex and actively changing right now — a combination that makes regressions easy to introduce and hard to catch.
gstack's browse layer carries the highest activity risk — 5 functions to address first
gstack's browse layer is under live regression pressure: its top command handlers combine extreme cyclomatic complexity with high recent commit activity, putting every active change at elevated risk.
drawdb's editor and SQL layer carry the highest activity risk — 5 functions to address first
drawdb's diagram editor hides a live regression risk: its ControlPanel component is both deeply complex and actively changing right now — CC 55, nesting depth 15, and 163 distinct callees.
ai-hedge-fund's frontend layer carries the highest activity risk — 3 files to address first
All five of ai-hedge-fund's top hotspots sit in the frontend layer — and every one is a god function flagged as structural debt with a blast radius waiting to be triggered.
bubbletea's core runtime carries the highest activity risk — 3 functions to address first
Three functions in bubbletea's core runtime are both structurally complex and changing right now — making them live regression risks, not just cleanup items on a backlog.
casey/just's parser and lexer carry the highest activity risk — 5 functions to address first
just's parser and lexer are both deeply complex and under active development right now — a combination that puts live regressions well within reach as the codebase continues to evolve.
Chat2DB's SQL processing layer carries the highest activity risk — 3 functions to address first
Chat2DB has 385 critical functions across 6,984 analyzed — and its SQL split processor alone carries a cyclomatic complexity of 58 with 38 distinct callees. Here's what to fix first.
paperclip's server layer carries the highest activity risk — 5 functions to address first
Two server files in paperclip are changing fast while carrying extreme structural complexity — the kind of combination that makes regressions nearly invisible until they're already in production.
Preact's diff engine carries the highest activity risk — 3 functions to address first
Preact's virtual DOM differ is both its most structurally complex code and its most actively changed — a combination that makes every commit to src/diff/index.js a live regression risk right now.
exo's benchmarking layer carries the highest activity risk — 5 functions to address first
exo has 191 critical functions out of 1,549 — and its highest-risk hotspot is a god-function with cyclomatic complexity of 93 that's actively changing right now, making it a live regression risk.
filebrowser's frontend and HTTP layer carry the highest activity risk — 5 functions to address first
Five of filebrowser's most critical functions are complex AND actively changing simultaneously — the search API, file listing view, and config handler are live regression risks, not backlog items.
conductor-oss/conductor's UI layer carries the highest activity risk — 5 functions to address first
conductor's biggest structural risk isn't in its Java core — it's in the UI layer, where actively-changing JSON utility functions carry cyclomatic complexity scores of 99 and 120, making them live reg
ink's output and keypress layers carry the highest risk — 4 functions to address first
ink's terminal output and keypress parsing are changing right now — and they're also the most structurally complex code in the repo. That's the combination that causes regressions.
jadx's decompiler core carries the highest activity risk — 5 functions to address first
jadx has 795 critical-band functions, and its top five are all in the 'fire' quadrant — complex code that's actively changing. That combination is live regression risk, not future cleanup.
pretext's analysis core carries the highest activity risk — 5 functions to address first
Five functions in pretext's analysis and line-breaking core are both structurally extreme and actively changing right now — the highest-risk combination for regressions during ongoing development.
hackathon-starter's auth and API layer carries the highest activity risk — 5 functions to address first
All five of hackathon-starter's top hotspots sit in the auth and API layer — and every single one is in the 'fire' quadrant, meaning complexity and active commits are colliding right now.
MediaCrawler's JS bundle dominates the top 5 hotspots — exclude to surface Python risk
Every top hotspot in MediaCrawler lives inside a single minified JS bundle — meaning the real Python risk profile is entirely hidden until that file is excluded from analysis.
croc's core transfer layer carries the highest activity risk — 5 functions to address first
Four of croc's five riskiest functions are actively changing right now — and they all live in the same two files that orchestrate every file transfer. That's a live regression risk, not a backlog item
gson's type resolution and parsing carry the highest structural risk — 5 functions to address first
Five critical functions in google/gson carry extreme structural complexity — and none are being actively refactored. When the next development push arrives, the blast radius will be wide.
vercel/hyper's UI reducer and config migrator carry the highest real activity risk
Two first-party functions in vercel/hyper are both structurally complex and actively changing right now — making them live regression risks, not backlog items. Here's where the real exposure sits.
awesome-claude-code's scripts carry the highest activity risk — 5 to address first
The scripts powering awesome-claude-code's automation are its riskiest code right now: process_resources has a cyclomatic complexity of 59 and is actively changing — a live regression risk hiding in p
Xray-core's proxy layer carries the highest activity risk — 5 functions to address first
Xray-core's VLESS inbound handler is the most complex and most actively changed function in the codebase — all five top hotspots sit in the fire quadrant, making refactoring urgent.
iced's winit and widget layers carry the highest structural risk — 5 functions to address first
Two functions in iced's winit and widget layers carry extreme cyclomatic complexity — one topping CC 166 — making them the highest blast-radius targets before the next development push.
Redisson's cron layer carries the highest activity risk — 5 functions to address first
Redisson's cron scheduling and async batch execution layer is both structurally extreme and actively changing — a combination that makes every commit a live regression risk right now.
OpenSpec's core and schema layers carry the highest activity risk — 5 functions to address first
OpenSpec has 91 critical functions out of 814 — and the highest-risk ones are clustered in two files. One is a structural debt bomb with CC 63 and nesting depth 9. Another is actively changing right n
cobra's completion subsystem carries the highest activity risk — 5 functions to address first
cobra's completion layer is its most structurally fragile subsystem — one function alone calls 39 distinct callees, making any future change there a high-blast-radius event.
RocketMQ's broker and client layers carry the highest activity risk — 5 functions to address first
RocketMQ's broker transaction checker and pop-revive service are both structurally complex and actively changing — a live regression risk hiding inside a high-throughput messaging core.
expo-router carries expo/expo's highest activity risk — 3 functions to address first
expo-router's navigation core is both one of the most structurally complex and most actively changing areas in expo/expo — a combination that makes it a live regression risk, not just a refactoring ba
docsify's YAML front-matter parser carries the highest activity risk — 3 functions to address first
docsify's YAML front-matter parser hides a nesting depth of 19 inside a single function — and the render layer is actively changing on top of CC 34 and fan-out of 80.
Puter's GUI layer carries the highest activity risk — 3 functions to address first
Puter's window and file-item rendering code is both extremely complex and actively changing right now — a combination that makes every commit a potential regression in the core desktop UI.
textgen's chat layer carries the highest activity risk — 3 functions to address first
textgen's chat prompt builder has a cyclomatic complexity of 152 and is actively changing right now — a live regression risk hiding in plain sight inside a single Python function.
PixiJS's rendering layer carries the highest activity risk — 3 functions to address first
PixiJS has 131 critical-band functions across 4,035 analyzed — and its most urgent risks are actively changing right now inside SVG parsing, tagged-text layout, and adaptive bezier rendering.
qlib's init and model layer carry the highest structural risk — 5 to refactor first
qlib's highest-risk functions aren't being actively changed right now — they're structural debt accumulating blast radius. Five god functions with CC scores up to 58 are overdue for refactoring before
React's compiler and hooks plugin carry the highest activity risk — 5 functions
React's new compiler and its exhaustive-deps lint rule are where structural complexity meets live development pressure — five functions account for the repo's highest combined complexity and recent ac
esbuild's JS parser carries the highest activity risk — 3 functions to address first
esbuild's JS parser is simultaneously its most complex and most actively changing subsystem — three functions inside it carry cyclomatic complexity scores that dwarf anything else in the codebase, and
Kubernetes's kubelet and apiserver carry the highest activity risk — 5 functions
The function converting container statuses in kubernetes's kubelet is both one of the most structurally complex and one of the most actively changing in the entire codebase — a live regression risk hi
fd's walk and exec subsystems carry the highest structural risk — 5 functions
fd's walk and exec subsystems concentrate the most complex, high-blast-radius code in the codebase — 11 critical functions across 274 total, with structural debt that warrants attention before the nex
xxl-job's cron scheduler carries the highest activity risk — 2 functions to address first
xxl-job's cron parsing layer is its most urgent structural risk: two functions in CronExpression.java are both maximally complex and actively changing — a combination that makes every commit a potential regression
pi-mono's AI provider layer carries the highest activity risk — 3 functions to address first
Three functions in pi-mono's OpenAI provider layer are both structurally extreme and actively changing right now — a combination that makes regressions nearly inevitable without targeted refactoring.
Scrapling's engine layer — 5 functions with the highest activity-weighted risk
Two files in Scrapling's engine layer account for the codebase's highest structural risk — and the top-ranked function has been touched 6 times in the last 30 days with a cyclomatic complexity of 41.
Vuetify's color utilities carry the highest activity risk — 5 functions to address first
Two functions in vuetifyjs/vuetify sit at the intersection of extreme structural complexity and active commit churn — making them live regression risks, not backlog items. One parses color values for
remote-jobs' link checker carries the highest risk — 5 functions to review first
A single script file, fix-links.mjs, concentrates the highest structural and activity risk in remote-jobs — its top function carries a cyclomatic complexity of 38.
nanobot's message and CLI layers carry the highest activity risk — 2 functions to address first
nanobot's top two hotspots are both complex AND changing right now — one was touched today. That combination makes them live regression risks, not backlog items.
labstack/echo's binding and middleware layers carry the highest activity risk — 5 functions to address first
Echo's request-binding layer is the most structurally complex part of the top-five hotspot set, while CSRF and CORS middleware add high-coupling factory functions.