typescript Code Health
55 open-source typescript repositories analyzed by activity-weighted risk — complexity × recent commit frequency. Sorted highest risk first.
appsmith's bundled ECharts tops activity risk — 5 functions to address first
Four of appsmith's five top-ranked hotspots live inside a single bundled third-party file. The fifth — evaluateTree, in the data evaluation worker — is genuine application logic that will move to rank one after the ECharts bundle is excluded. For the four bundle entries, the action isn't a refactoring sprint; it's an exclusion rule and a package-manager migration.
cal.com's booking layer carries the highest activity risk — 5 functions to address first
Three of cal.com's top five hotspots are named `handler` — all in the booking layer. One has a cyclomatic complexity of 243.
novuhq/novu's framework layer carries the highest activity risk — 2 functions to address first
The two highest-scoring functions in novu's codebase aren't application code at all — they're vendored library internals bundled directly into packages/framework/src/jsonSchemaFaker.js, and they're being attributed commit activity right now. That conflation of third-party complexity with first-party churn is itself the finding worth unpacking.
GitNexus's ingestion core carries the highest activity risk — 2 functions to address first
At the heart of GitNexus's ingestion pipeline, two functions are simultaneously the most structurally complex and the most actively changed code in the entire codebase — a combination that turns every commit into a live regression risk. With 544 critical-band functions across 3,612 total, the scope of structural debt here is significant, but two functions demand attention right now.
NervJS/taro's transformer layer carries the highest structural debt — 5 functions to fix
The riskiest code in NervJS/taro isn't what's changing right now — it's what stopped changing 133 days ago and was already too complex to reason about when it did. Five functions in the transformer and convertor packages have accumulated cyclomatic complexity scores between 55 and 88, nesting depths up to 10, and fan-out counts as high as 163, with zero commits in the last 30 days and no active owners visible in the data.
supabase's type parser and storage explorer are the highest risks — all 5 touched today
Every function in supabase's top-five hotspot list was touched in the last day. Two of them share a single file in the docs layer. One has fan-out into 173 distinct callees. The structural debt isn't theoretical — it's actively compounding.
mattermost/mattermost's API and notification layer carries the highest activity risk — 5 functions to address first
Five functions across mattermost's server API, frontend notification logic, and admin console are simultaneously the hardest to reason about and the most recently changed — meaning any engineer shipping code this week is working right next to live regression risk. The top hotspot, `getUsers` in `server/channels/api4/user.go`, carries an activity-weighted risk of 20.86 with a cyclomatic complexity of 33, a nesting depth of 8, and 55 distinct callees — and it was changed 0 days ago.
jan's proxy and provider UI carry the highest first-party risk — 2 functions to address first
Three of jan's top five hotspots are bundled Swagger UI code; the two first-party functions to act on are proxy_request (CC 191, fan-out 64) in the Tauri server layer and ProviderDetail (fan-out 106) in the provider settings UI.
chakra-ui's codemod layer carries the highest activity risk — 2 functions to address first
Chakra-ui's codemod layer is where structural complexity and live commit activity collide: two functions in that package hold critical-band risk scores and were each touched within the past month, making them live regression risks rather than backlog items. If you're shipping codemod tooling for a major migration, these are the two functions that deserve a closer look before the next release.
portainer's Kubernetes and API layer — 5 high-activity-risk functions to address first
Five functions in portainer/portainer sit in the 'fire' quadrant right now — structurally complex and touched within the last week. Any engineer shipping changes to the Kubernetes ingress UI or the endpoint/registry update handlers this week is working inside the highest-risk surface in the codebase.
pi's AI provider and tooling layers carry the highest activity risk — 5 functions to address first
Pi's AI provider layer is its leading regression hotspot, but the top five also include model-data generation, autocomplete, and response-stream processing.
cherry-studio's AI core and MCP layer carry the highest activity risk — 5 functions to address first
Two functions deep in cherry-studio's MCP integration and AI reasoning layer are both structurally extreme and actively changing — a combination that makes regressions not a future concern, but a pres
outline/outline's editor and WebSocket queue carry the highest activity risk — 5 hotspots
A Hotspots analysis of outline/outline at commit 7e252f0, surfacing the top functions by activity-weighted risk score.
Remotion's compositor and media-parser carry the highest activity risk — two to fix first
The two highest-risk functions in remotion-dev/remotion were both modified yesterday and together exhibit cyclomatic complexity scores of 53 and 118 — meaning each one branches across dozens of independent execution paths while still actively receiving changes. That combination is a live regression risk, not a backlog item.
twentyhq/twenty sandbox and rendering hotspots — 5 functions to address first
Two critical-band functions — a spreadsheet recalculation engine buried inside a sandbox script and a halftone canvas renderer with 140 distinct callees — are both structurally complex and were touched just three days ago, making them live regression risks rather than backlog cleanup items. With 647 critical functions across 16,560 total, Twenty's codebase is actively scaling, and these two hotspots sit at the intersection of structural complexity and ongoing churn.
Kong/insomnia's rendering and sync layer carries the highest activity risk — 5 functions to address first
Five functions in Kong/insomnia are both structurally complex and actively changing right now — the top-ranked `clientAction` carries an activity-weighted risk score of 18.66 with a cyclomatic complexity of 63, and it was touched 9 days ago. For any engineer shipping against this codebase this week, that combination is a live regression risk, not a backlog item.
chrome-devtools-mcp's response layer carries the highest risk — 2 functions to fix first
Two functions in a single file are driving nearly all of chrome-devtools-mcp's live regression risk — and both were touched in the last two days.
trpc/trpc's HTTP core carries the highest structural debt — 5 functions to address first
The most structurally risky code in trpc/trpc isn't in active churn right now — it's sitting untouched for nearly two months while accumulating the kind of fan-out and branching complexity that makes the next change to it a genuine regression risk. Of 1,438 functions analyzed, 50 landed in the critical band, and the top two haven't been touched in 59 days.
elysiajs/elysia's core index carries the highest activity risk — 5 functions to address first
Across 282 functions in elysiajs/elysia, I found 12 in the 'fire' quadrant — structurally complex and actively changing right now — with the worst concentrated inside a single file. If you're shipping code against this repo this week, `src/index.ts` is where regressions are most likely to originate.
Folo's UI and integration layer has the highest activity risk — 5 functions to address
Across 3,823 functions in RSSNext/Folo, the five highest-risk functions are all fire-quadrant — structurally complex and actively changing at the same time, not backlog items. The most striking case is a JSON tokenizer duplicated across two packages with a cyclomatic complexity of 47, sitting in the fire quadrant alongside a keyboard-simulation function carrying a CC of 61.
typescript-cheatsheets/react's tooling layer carries the highest activity risk — 2 functions to address first
Even documentation-focused repos accumulate structural and operational risk in their tooling. In typescript-cheatsheets/react, the readme generator and the homepage component are the two functions most worth watching right now — both touched within the last day, and both carrying fan-out that means changes ripple into several downstream dependencies.
FlowiseAI/Flowise's agent execution layer carries the highest activity risk — 5 functions to address first
The functions powering Flowise's agent execution are not just complex — they're changing constantly, making every commit a regression risk. Five functions in the agent and graph layers all sit in the
TanStack/query's persistence and devtools layers carry the highest activity risk — 3 functions to address first
TanStack/query's persistence layer is its hottest code right now — the top-ranked function is both structurally dense and seeing heavy recent commit activity, a combination that makes regressions far
OpenCut's timeline and audio layer carries the highest activity risk — 5 functions to address first
OpenCut's timeline drag-drop hook is simultaneously its most structurally complex and most actively changing function — a combination that turns every commit into a regression gamble.
tldraw's Editor.ts carries the highest activity risk — 3 functions to address first
Three of tldraw's five highest-risk functions live in one file — and they're all actively changing. That's not a cleanup backlog; it's a live regression surface.
chatbox's UI and knowledge-base layers carry the highest activity risk — 5 functions to address first
The main input component in chatbox packs 117 execution paths and touches 142 distinct callees — and it's still being actively committed to, which turns a complexity problem into a live regression ris
type-challenges' automation scripts carry the highest activity risk — 3 functions to address first
The riskiest code in type-challenges isn't the type puzzles — it's the automation layer. Three scripts with CC up to 27 and fan-out up to 25 carry deep structural debt that warrants refactoring before the next development push.
jsoncrack.com's json2go and parser layers carry the highest activity risk — 5 functions to address first
The json2go converter in jsoncrack.com carries CC 32 and fan-out 47 — deep structural debt untouched for 40 days that represents a high blast-radius risk for any future development on these files.
ant-design-pro's request and mock layers carry the highest activity risk — 4 functions to address first
The error-handling config in ant-design-pro is both the most structurally complex function in the codebase and a high blast-radius refactoring candidate — structural debt that's been untouched for 60 days.
hexojs/hexo's post-rendering layer carries the highest activity risk — 5 functions to address first
The function that escapes Swig template tags in hexo's post pipeline has a cyclomatic complexity of 61 and hasn't been touched in 114 days — structural debt with a high blast radius that warrants refactoring before the next development push.
oh-my-openagent's event and hooks layer carries the highest activity risk — 5 functions to address first
The event plugin and pre/post tool-use hooks in oh-my-openagent are simultaneously the most structurally complex and the most actively changed code in the repo — a combination that makes them live reg
umami's API and tracker layer carry the highest activity risk — 5 functions to address first
umami's event ingestion endpoint and client tracker are structurally complex and still actively changing — a combination that makes regressions hard to catch and fixes expensive to ship.
lerna's oidc and command initializers carry the highest activity risk — 3 to prioritize
lerna's oidc function hits CC 35 — structurally complex with a high blast radius when next changed. At 127 days untouched, it's overdue for refactoring before the next development push on the authentication layer.
full-stack-fastapi-template's HTTP client layer carries the highest activity risk — 2 functions to address first
The HTTP client layer in full-stack-fastapi-template carries a cyclomatic complexity of 15 and 5 levels of nesting while seeing active commit churn — a live regression risk, not a future cleanup item.
Zod's JSON schema layer carries the highest activity risk — 5 functions to address first
Zod's JSON schema conversion layer is actively changing while carrying extreme structural complexity — one function alone has 114 execution paths and calls 79 distinct functions.
lossless-cut's renderer layer leads activity risk — 5 functions to address first
lossless-cut's App function has a cyclomatic complexity of 143 and calls 394 distinct functions — and it's still being actively changed, making every commit a regression gamble.
styled-components' CSS parsing layer carries the highest activity risk — 4 functions to address first
styled-components' CSS parsing layer mixes structural debt (sanitizeCSS, hasUnbalancedBraces — untouched 39 days) with actively changing fire-quadrant functions, making it a high blast-radius refactoring target.
typeorm's query-builder and driver layer carries the highest activity risk — 5 functions to address first
typeorm's WHERE-clause builder and Postgres type-conversion functions are simultaneously the most complex and most actively changed code in the repo — where structural debt meets commit velocity.
react-hook-form's control layer carries the highest activity risk — 3 functions first
The function that powers every react-hook-form instance has CC 174 and touched 112 distinct callees — still being actively changed. That combination turns complexity into regression risk.
marked's Tokenizer and Instance layers carry the highest activity risk — 3 functions to address first
marked's list tokenizer scores CC 51 with fan-out 31 — structural debt that hasn't been touched in 33 days and carries a high blast radius when next changed.
context7's CLI commands carry the highest activity risk — 5 functions to address first
context7's CLI command layer is where complexity and commit churn collide: generateCommand has a fan-out of 99 and is actively changing, making every edit a regression risk.
xyflow's system layer carries the highest activity risk — 5 functions to address first
xyflow's drag system is carrying a CC of 42 and fans out to 32 distinct callees — structural debt that will bite hard the next time anyone touches it.
lx-music-desktop's renderer layer carries the highest structural risk — 5 functions to address first
183 critical functions in lx-music-desktop — and the riskiest ones sit untouched in the renderer layer, accumulating structural debt that will bite hard the next time anyone opens them.
learn-claude-code's agent layer carries highest activity risk — 5 functions to address
The agent loop functions in learn-claude-code are both structurally complex and actively changing right now — a combination that makes regressions easy to introduce and hard to catch.
gstack's browse layer carries the highest activity risk — 5 functions to address first
gstack's browse layer is under live regression pressure: its top command handlers combine extreme cyclomatic complexity with high recent commit activity, putting every active change at elevated risk.
paperclip's server layer carries the highest activity risk — 5 functions to address first
Two server files in paperclip are changing fast while carrying extreme structural complexity — the kind of combination that makes regressions nearly invisible until they're already in production.
ink's output and keypress layers carry the highest risk — 4 functions to address first
ink's terminal output and keypress parsing are changing right now — and they're also the most structurally complex code in the repo. That's the combination that causes regressions.
pretext's analysis core carries the highest activity risk — 5 functions to address first
Five functions in pretext's analysis and line-breaking core are both structurally extreme and actively changing right now — the highest-risk combination for regressions during ongoing development.
vercel/hyper's UI reducer and config migrator carry the highest real activity risk
Two first-party functions in vercel/hyper are both structurally complex and actively changing right now — making them live regression risks, not backlog items. Here's where the real exposure sits.
OpenSpec's core and schema layers carry the highest activity risk — 5 functions to address first
OpenSpec has 91 critical functions out of 814 — and the highest-risk ones are clustered in two files. One is a structural debt bomb with CC 63 and nesting depth 9. Another is actively changing right n
expo-router carries expo/expo's highest activity risk — 3 functions to address first
expo-router's navigation core is both one of the most structurally complex and most actively changing areas in expo/expo — a combination that makes it a live regression risk, not just a refactoring ba
PixiJS's rendering layer carries the highest activity risk — 3 functions to address first
PixiJS has 131 critical-band functions across 4,035 analyzed — and its most urgent risks are actively changing right now inside SVG parsing, tagged-text layout, and adaptive bezier rendering.
pi-mono's AI provider layer carries the highest activity risk — 3 functions to address first
Three functions in pi-mono's OpenAI provider layer are both structurally extreme and actively changing right now — a combination that makes regressions nearly inevitable without targeted refactoring.
slidevjs/slidev code health: no function data returned for commit 36f8a89
A hotspots scan of slidev came back empty — not because the codebase is risk-free, but because the analysis needs a configuration fix before it can surface real findings.
Vuetify's color utilities carry the highest activity risk — 5 functions to address first
Two functions in vuetifyjs/vuetify sit at the intersection of extreme structural complexity and active commit churn — making them live regression risks, not backlog items. One parses color values for