Blog
Essays, playbooks, and product updates.
When Your Labels Lie: File-Level Bug Attribution Inflates Defect Rates
Stephen Collins · May 31, 2026
Most defect prediction pipelines share a quiet assumption: if a file was touched in a bug-fix commit, every function in that file was 'buggy' — and that assumption silently inflate…
How to Know If Fine-Tuning Will Help Before You Run It
Stephen Collins · May 25, 2026
Before you spend compute on per-repo fine-tuning, one scalar from the codebase's bug-fix history can tell you whether it's worth running. Here's how it works and what it can't pred…
JavaScript Code Health: Patterns Across 19 Open-Source Repositories
Stephen Collins · May 22, 2026
I analyzed 19 open-source JavaScript repositories and found exit-heavy functions in 89% of them. Here's what the data reveals about structural debt in the JavaScript ecosystem.
Python Code Health: Patterns Across 12 Open-Source Repositories
Stephen Collins · May 22, 2026
I analyzed 12 open-source Python repositories and found complex branching in 100% of them. Here's what the data reveals about Python code health patterns.
Rust Code Health: Patterns Across 11 Open-Source Repositories
Stephen Collins · May 22, 2026
I analyzed 11 popular Rust repositories to find the most common code health antipatterns. Every single one had exit-heavy functions and long functions — Rust's ownership model does…
TypeScript Code Health: Patterns Across 44 Open-Source Repositories
Stephen Collins · May 22, 2026
I analyzed 44 TypeScript repositories and found structural antipatterns in nearly all of them. Here's what the data shows about where complexity accumulates.
Go Code Health: Patterns Across 12 Open-Source Repositories
Stephen Collins · May 22, 2026
I analyzed 12 Go repositories and found the same structural antipatterns in every single one. Here's what the data shows.
Hotspots v1.18.0: Compact Storage
Stephen Collins · May 21, 2026
Snapshot history is valuable. Unbounded snapshot growth is not. v1.18.0 ships two compaction levels that shrink your .hotspots directory without losing the history that matters.
Hotspots v1.17.0: Model Risk Map and Monorepo Subsystems
Stephen Collins · May 20, 2026
Hotspots already tells you which functions are risky. v1.17.0 tells you which models those functions cluster around — and makes risk scores meaningful inside monorepo package bound…
Can a Fine-Tuned LLM Learn Which Code Is Risky?
Stephen Collins · May 16, 2026
I spent a few weeks running a controlled experiment: can a small language model, fine-tuned on a specific codebase's history, learn to rank code by defect risk better than a hand-t…
Hotspots now handles monorepos — what changed from v1.11 to v1.15.1
Stephen Collins · Apr 24, 2026
The diff command shipped in v1.11. Since then: four months of OOM fixes, a new SQLite pipeline, hybrid touch mode, and --auto-analyze. Hotspots now handles 28k-function monorepos a…
TypeScript produces less exit-heavy code than Go or Python — and more branching
Stephen Collins · Apr 17, 2026
exit_heavy averages 5.3 in non-TypeScript repos and 4.5 in TypeScript. complex_branching has the highest max-out rate of any pattern in TS. The flip is structural, not stylistic — …
Hub functions are a frontend framework problem — here's the data
Stephen Collins · Apr 17, 2026
hub_function barely appears in Go, Rust, or Python repos. In TypeScript UI framework code it's concentrated in coordinator functions with fan-out values of 37–112. Here's why.
Five structural patterns appear in nearly every TypeScript OSS repo I've analysed
Stephen Collins · Apr 17, 2026
Five structural patterns — god_function, long_function, exit_heavy, complex_branching, deeply_nested — appear in 86–100% of the 28 TypeScript OSS repos I've analysed. Here's what t…
Running Hotspots on expo/expo Without Running Out of Memory
Stephen Collins · Apr 12, 2026
expo/expo crashed Hotspots with an OOM. Here's the full account: what broke, the systematic fixes across memory and CPU, and the new escape-hatch flags that make very large repos p…
hotspots diff: Compare Complexity Between Any Two Branches, Tags, or Commits
Stephen Collins · Mar 26, 2026
Delta mode compares a commit to its parent. That's fine for local development — but CI needs to compare a PR branch to main, and tag comparisons need to reach back further. hotspot…
What Happens When You Run Hotspots on 102,000 Functions
Stephen Collins · Mar 14, 2026
I stress-tested Hotspots against VS Code (102k functions) and found an O(N³) bug, a sampling tail exclusion bug, and a philosophical question about approximation accuracy — all in …
AI Agents Can Pass Tests. They Still Can't Maintain Systems.
Stephen Collins · Mar 11, 2026
AI coding tools have made writing software dramatically easier. A new benchmark shows maintaining it is still the hard part — and the failure modes are predictable.
AI Made Code Cheap. The Bottleneck Is Now Understanding Systems.
Stephen Collins · Mar 8, 2026
AI removed code production as the engineering bottleneck. The new constraint is comprehension - and most developer tooling wasn't built for that problem.
The 20% Rule for Codebases: A Practical Refactoring Playbook
Stephen Collins · Feb 22, 2026
Use this practical worksheet to intersect change and complexity, pick three high‑leverage targets, and add simple guardrails to prevent backslide.
Stop Missing Regressions in PRs: Complexity Policy Checks in CI
Stephen Collins · Feb 22, 2026
Code review misses slow creep. Use Hotspots policies in CI to stop risky complexity changes before they merge — start warn‑only, then flip to blocking.
Introducing Hotspots: Find Risky Functions and Stop Regressions
Stephen Collins · Feb 21, 2026
Meet Hotspots — a lightweight analyzer with explainable risk, shareable reports, and CI policies so you fix what matters and keep it from slipping back.
Repository Analyses
Nightly hotspot reports for popular open-source repos. Browse all →
mattermost/mattermost portainer/portainer NervJS/taro outline/outline supabase/supabase RSSNext/Folo Kong/insomnia elysiajs/elysia remotion-dev/remotion novuhq/novu appsmithorg/appsmith trpc/trpc koajs/koa sudheerj/reactjs-interview-questions twentyhq/twenty calcom/cal.com chakra-ui/chakra-ui typescript-cheatsheets/react go-gorm/gorm rustfs/rustfs google/langextract sudheerj/javascript-interview-questions abhigyanpatwari/GitNexus ajeetdsouza/zoxide labstack/echo juanfont/headscale safishamsi/graphify bmad-code-org/BMAD-METHOD CherryHQ/cherry-studio ChromeDevTools/chrome-devtools-mcp alibaba/canal vercel-labs/agent-browser MHSanaei/3x-ui jingyaogong/minimind zhayujie/CowAgent santifer/career-ops earendil-works/pi janhq/jan binarywang/WxJava AlistGo/alist labstack/echo sunface/rust-course HKUDS/nanobot remoteintech/remote-jobs D4Vinci/Scrapling immerjs/immer slidevjs/slidev vuetifyjs/vuetify badlogic/pi-mono xuxueli/xxl-job facebook/react kubernetes/kubernetes sharkdp/fd evanw/esbuild microsoft/qlib HeyPuter/puter oobabooga/textgen pixijs/pixijs docsifyjs/docsify apache/rocketmq expo/expo google/comprehensive-rust spf13/cobra 2noise/ChatTTS Fission-AI/OpenSpec redisson/redisson iced-rs/iced XTLS/Xray-core hesreallyhim/awesome-claude-code iamkun/dayjs vercel/hyper google/gson lapce/lapce schollz/croc NanmiCoder/MediaCrawler sahat/hackathon-starter chenglou/pretext skylot/jadx vadimdemedes/ink conductor-oss/conductor FuelLabs/fuels-rs filebrowser/filebrowser exo-explore/exo preactjs/preact paperclipai/paperclip CodePhiliaX/Chat2DB casey/just charmbracelet/bubbletea virattt/ai-hedge-fund drawdb-io/drawdb garrytan/gstack shareAI-lab/learn-claude-code gsd-build/get-shit-done lyswhut/lx-music-desktop usebruno/bruno xyflow/xyflow google/zx upstash/context7 markedjs/marked react-hook-form/react-hook-form typeorm/typeorm styled-components/styled-components chalk/chalk mifi/lossless-cut colinhacks/zod fastapi/full-stack-fastapi-template lerna/lerna code-yeongyu/oh-my-openagent umami-software/umami hexojs/hexo ant-design/ant-design-pro AykutSarac/jsoncrack.com type-challenges/type-challenges chatboxai/chatbox tldraw/tldraw OpenCut-app/OpenCut TanStack/query FlowiseAI/Flowise eslint/eslint
mattermost/mattermost's API and notification layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Jun 5 portainer's Kubernetes and API layer — 5 high-activity-risk functions to address first
typescript exit_heavygod_function
Jun 4 NervJS/taro's transformer layer carries the highest structural debt — 5 functions to fix
typescript complex_branchingdeeply_nested
Jun 3 outline/outline's editor and WebSocket queue carry the highest activity risk — 5 hotspots
typescript complex_branchingdeeply_nested
Jun 2 supabase's type parser and storage explorer are the highest risks — all 5 touched today
typescript exit_heavycomplex_branching
Jun 2 Folo's UI and integration layer has the highest activity risk — 5 functions to address
typescript exit_heavycomplex_branching
Jun 1 Kong/insomnia's rendering and sync layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
May 31 elysiajs/elysia's core index carries the highest activity risk — 5 functions to address first
typescript long_functioncomplex_branching
May 30 Remotion's compositor and media-parser carry the highest activity risk — two to fix first
typescript complex_branchingexit_heavy
May 30 novuhq/novu's framework layer carries the highest activity risk — 2 functions to address first
typescript complex_branchingdeeply_nested
May 29 appsmith's bundled ECharts tops activity risk — 5 functions to address first
typescript complex_branchingcyclic_hub
May 28 trpc/trpc's HTTP core carries the highest structural debt — 5 functions to address first
typescript god_functionlong_function
May 27 koajs/koa's response layer carries the highest structural risk — 5 functions to address first
javascript complex_branchingexit_heavy
May 26 reactjs-interview-questions' coding-exercise carries the highest risk — 2 functions first
javascript exit_heavy
May 25 twentyhq/twenty sandbox and rendering hotspots — 5 functions to address first
typescript complex_branchinggod_function
May 25 cal.com's booking layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingexit_heavy
May 24 chakra-ui's codemod layer carries the highest activity risk — 2 functions to address first
typescript complex_branchingdeeply_nested
May 24 typescript-cheatsheets/react's tooling layer carries the highest activity risk — 2 functions to address first
typescript long_function
May 24 go-gorm/gorm's schema debt leads the risk list — 5 functions to address first
go complex_branchingdeeply_nested
May 23 rustfs storage and protocol hotspots — 5 functions to address first
rust complex_branchingdeeply_nested
May 23 langextract's batch provider and extraction carry the highest activity risk — 5 hotspots
python exit_heavygod_function
May 22 javascript-interview-questions' deepMerge carries the highest risk — 1 function to address first
javascript
May 21 GitNexus's ingestion core carries the highest activity risk — 2 functions to address first
typescript complex_branchingdeeply_nested
May 20 zoxide's import layer carries the highest activity risk — 3 functions to address first
rust exit_heavycomplex_branching
May 19 echo's binding layer carries the highest activity-weighted risk — 5 functions to address
go exit_heavygod_function
May 19 headscale's policy/v2 layer carries the highest activity risk — 2 functions to address first
go exit_heavygod_function
May 18 graphify's extract layer carries the highest activity risk — 2 functions to address first
python complex_branchingdeeply_nested
May 17 BMAD-METHOD's installer module carries the highest activity risk — 5 functions to address first
javascript exit_heavycomplex_branching
May 16 cherry-studio's AI core and MCP layer carry the highest activity risk — 5 functions to address first
typescript god_functionlong_function
May 15 chrome-devtools-mcp's response layer carries the highest risk — 2 functions to fix first
typescript complex_branchinggod_function
May 15 alibaba/canal's adapters carry the highest activity risk — 5 functions to address first
java exit_heavygod_function
May 14 agent-browser's React bridge has top activity risk — 5 functions to address first
rust complex_branchingdeeply_nested
May 13 3x-ui's bot and inbound paths carry the highest risk — 5 functions to address first
go complex_branchingexit_heavy
May 12 minimind's RL trainers carry the highest activity risk — 3 functions to address first
python complex_branchinggod_function
May 11 CowAgent's LLM protocol layer carries the highest activity risk — 2 functions to address first
python complex_branchingdeeply_nested
May 10 career-ops' analysis layer carries the highest activity risk — 5 functions to address first
javascript god_functionlong_function
May 9 pi's AI provider and tooling layers carry the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
May 8 jan's proxy and provider UI carry the highest first-party risk — 2 functions to address first
typescript complex_branchingdeeply_nested
May 8 WxJava's member card and serialization layers carry the highest structural risk — 5 functions to address first
java exit_heavygod_function
May 7 alist's WebDAV XML layer carries the highest activity risk — 3 functions to address first
go exit_heavygod_function
May 6 labstack/echo's binding and middleware layers carry the highest activity risk — 5 functions to address first
go exit_heavygod_function
May 6 rust-course's rustlings-zh entry points carry the highest structural debt — 2 functions to address first
rust exit_heavycomplex_branching
May 6 nanobot's message and CLI layers carry the highest activity risk — 2 functions to address first
python complex_branchingdeeply_nested
May 5 remote-jobs' link checker carries the highest risk — 5 functions to review first
javascript exit_heavyneighbor_risk
May 4 Scrapling's engine layer — 5 functions with the highest activity-weighted risk
python exit_heavycomplex_branching
May 3 immer's perf scripts and plugins carry the highest risk — 5 functions to review first
javascript long_functionexit_heavy
May 3 slidevjs/slidev code health: no function data returned for commit 36f8a89
typescript
May 3 Vuetify's color utilities carry the highest activity risk — 5 functions to address first
typescript exit_heavygod_function
May 3 pi-mono's AI provider layer carries the highest activity risk — 3 functions to address first
typescript complex_branchingdeeply_nested
May 1 xxl-job's cron scheduler carries the highest activity risk — 2 functions to address first
java complex_branchingdeeply_nested
Apr 30 React's compiler and hooks plugin carry the highest activity risk — 5 functions
javascript complex_branchingdeeply_nested
Apr 29 Kubernetes's kubelet and apiserver carry the highest activity risk — 5 functions
go complex_branchingdeeply_nested
Apr 29 fd's walk and exec subsystems carry the highest structural risk — 5 functions
rust exit_heavycomplex_branching
Apr 29 esbuild's JS parser carries the highest activity risk — 3 functions to address first
go complex_branchingdeeply_nested
Apr 28 qlib's init and model layer carry the highest structural risk — 5 to refactor first
python god_functioncomplex_branching
Apr 27 Puter's GUI layer carries the highest activity risk — 3 functions to address first
javascript god_functionlong_function
Apr 26 textgen's chat layer carries the highest activity risk — 3 functions to address first
python complex_branchingdeeply_nested
Apr 26 PixiJS's rendering layer carries the highest activity risk — 3 functions to address first
typescript complex_branchingdeeply_nested
Apr 26 docsify's YAML front-matter parser carries the highest activity risk — 3 functions to address first
javascript god_functioncomplex_branching
Apr 25 RocketMQ's broker and client layers carry the highest activity risk — 5 functions to address first
java complex_branchingdeeply_nested
Apr 24 expo-router carries expo/expo's highest activity risk — 3 functions to address first
typescript complex_branchingdeeply_nested
Apr 24 comprehensive-rust's theme layer carries the highest activity risk — 4 functions to address first
rust exit_heavylong_function
Apr 23 cobra's completion subsystem carries the highest activity risk — 5 functions to address first
go exit_heavygod_function
Apr 22 ChatTTS's scheduler carries the highest activity risk — 5 functions to address first
python god_functionlong_function
Apr 21 OpenSpec's core and schema layers carry the highest activity risk — 5 functions to address first
typescript complex_branchingexit_heavy
Apr 19 Redisson's cron layer carries the highest activity risk — 5 functions to address first
java complex_branchingdeeply_nested
Apr 18 iced's winit and widget layers carry the highest structural risk — 5 functions to address first
rust long_functiongod_function
Apr 17 Xray-core's proxy layer carries the highest activity risk — 5 functions to address first
go complex_branchingexit_heavy
Apr 16 awesome-claude-code's scripts carry the highest activity risk — 5 to address first
python complex_branchinggod_function
Apr 15 dayjs's core formatter carries the highest structural debt — 5 functions to address first
javascript exit_heavygod_function
Apr 14 vercel/hyper's UI reducer and config migrator carry the highest real activity risk
typescript complex_branchingexit_heavy
Apr 13 gson's type resolution and parsing carry the highest structural risk — 5 functions to address first
java exit_heavydeeply_nested
Apr 12 lapce's command dispatch carries the highest activity risk — 3 functions to address first
rust long_functiongod_function
Apr 11 croc's core transfer layer carries the highest activity risk — 5 functions to address first
go god_functionlong_function
Apr 10 MediaCrawler's JS bundle dominates the top 5 hotspots — exclude to surface Python risk
python exit_heavycomplex_branching
Apr 9 hackathon-starter's auth and API layer carries the highest activity risk — 5 functions to address first
javascript exit_heavycomplex_branching
Apr 8 pretext's analysis core carries the highest activity risk — 5 functions to address first
typescript god_functionlong_function
Apr 7 jadx's decompiler core carries the highest activity risk — 5 functions to address first
java complex_branchingdeeply_nested
Apr 6 ink's output and keypress layers carry the highest risk — 4 functions to address first
typescript long_functionexit_heavy
Apr 5 conductor-oss/conductor's UI layer carries the highest activity risk — 5 functions to address first
java complex_branchingdeeply_nested
Apr 4 fuels-rs's docs theme carries the highest activity risk — 5 vendored functions to address first
rust exit_heavygod_function
Apr 3 filebrowser's frontend and HTTP layer carry the highest activity risk — 5 functions to address first
go god_functionexit_heavy
Apr 2 exo's benchmarking layer carries the highest activity risk — 5 functions to address first
python complex_branchingexit_heavy
Apr 1 Preact's diff engine carries the highest activity risk — 3 functions to address first
javascript complex_branchinglong_function
Mar 31 paperclip's server layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 30 Chat2DB's SQL processing layer carries the highest activity risk — 3 functions to address first
java cyclic_hubhub_function
Mar 29 casey/just's parser and lexer carry the highest activity risk — 5 functions to address first
rust complex_branchingdeeply_nested
Mar 28 bubbletea's core runtime carries the highest activity risk — 3 functions to address first
go exit_heavygod_function
Mar 27 ai-hedge-fund's frontend layer carries the highest activity risk — 3 files to address first
python exit_heavygod_function
Mar 26 drawdb's editor and SQL layer carry the highest activity risk — 5 functions to address first
javascript exit_heavylong_function
Mar 25 gstack's browse layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingexit_heavy
Mar 24 learn-claude-code's agent layer carries highest activity risk — 5 functions to address
typescript exit_heavycomplex_branching
Mar 23 get-shit-done's CLI core carries the highest activity risk — 5 functions to address first
javascript complex_branchingdeeply_nested
Mar 22 lx-music-desktop's renderer layer carries the highest structural risk — 5 functions to address first
typescript complex_branchingexit_heavy
Mar 22 bruno's OpenAPI sync and CLI runner carry the highest activity risk — 3 functions to address first
javascript complex_branchingdeeply_nested
Mar 21 xyflow's system layer carries the highest activity risk — 5 functions to address first
typescript long_functiongod_function
Mar 21 google/zx's markdown layer is the live regression risk — 4 structural debt functions follow
javascript god_functionexit_heavy
Mar 20 context7's CLI commands carry the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 19 marked's Tokenizer and Instance layers carry the highest activity risk — 3 functions to address first
typescript exit_heavycomplex_branching
Mar 18 react-hook-form's control layer carries the highest activity risk — 3 functions first
typescript god_functionlong_function
Mar 17 typeorm's query-builder and driver layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 16 styled-components' CSS parsing layer carries the highest activity risk — 4 functions to address first
typescript exit_heavycomplex_branching
Mar 15 chalk/chalk's vendor layer carries the highest activity risk — 3 functions to address first
javascript exit_heavylong_function
Mar 14 lossless-cut's renderer layer leads activity risk — 5 functions to address first
typescript exit_heavygod_function
Mar 14 Zod's JSON schema layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 13 full-stack-fastapi-template's HTTP client layer carries the highest activity risk — 2 functions to address first
typescript god_functionlong_function
Mar 12 lerna's oidc and command initializers carry the highest activity risk — 3 to prioritize
typescript complex_branchingdeeply_nested
Mar 11 oh-my-openagent's event and hooks layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 10 umami's API and tracker layer carry the highest activity risk — 5 functions to address first
typescript long_functionexit_heavy
Mar 10 hexojs/hexo's post-rendering layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 9 ant-design-pro's request and mock layers carry the highest activity risk — 4 functions to address first
typescript exit_heavygod_function
Mar 8 jsoncrack.com's json2go and parser layers carry the highest activity risk — 5 functions to address first
typescript god_functionlong_function
Mar 7 type-challenges' automation scripts carry the highest activity risk — 3 functions to address first
typescript stale_complexgod_function
Mar 6 chatbox's UI and knowledge-base layers carry the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 5 tldraw's Editor.ts carries the highest activity risk — 3 functions to address first
typescript complex_branchingexit_heavy
Mar 4 OpenCut's timeline and audio layer carries the highest activity risk — 5 functions to address first
typescript exit_heavylong_function
Mar 3 TanStack/query's persistence and devtools layers carry the highest activity risk — 3 functions to address first
typescript exit_heavycomplex_branching
Mar 2 FlowiseAI/Flowise's agent execution layer carries the highest activity risk — 5 functions to address first
typescript complex_branchingdeeply_nested
Mar 1 eslint's rule engine carries the highest activity risk — 2 functions to address first
javascript exit_heavygod_function
Mar 1