A Code Aging & Decay Tracker - measures software entropy per module using git analysis, dependency drift, churn ratios, and knowledge decay signals.

Entropy - Code Aging & Decay Tracker

boto/compat.py scores 69. 490 modules depend on it. Every author who wrote it is gone. Its dependencies are years out of date. Nobody flagged this. Until now.


Software does not just accumulate bugs. It ages. The library it depends on evolved. The engineers who wrote it have left. Entropy makes that risk visible — as a number, per module, before production goes down.

[Screenshot: Entropy Report for boto]


Install

pip install entropy-tracker

Requirements: Python 3.10+, Git in your system PATH. No API keys. No telemetry. Runs securely in your environment. Source code never leaves your machine. Dependency versions are checked via read-only queries to the public PyPI API.


Quick Start

entropy init ./my-repo                 # register repo + first scan
entropy report --top 10                # worst modules by decay score
entropy diff --fail-above 75           # exit 1 if PR touches highly decayed files
entropy simulate --author-leaves alice # risk forecast if an engineer leaves
entropy scan ./js-repo --lang js       # scan JavaScript/TypeScript dependencies

First results in under 60 seconds on most repositories.


Sample Output

[Screenshots: Entropy Report; Module Inspect]


What It Measures

Four signals combine into one composite score (0–100):

| Signal | What it detects | Weight |
|---|---|---|
| Knowledge Decay | % of this file's authors who are still active in the repo | 35% |
| Dependency Decay | How far behind this module's direct dependencies are | 30% |
| Churn-to-Touch Ratio | Chaotic edits vs intentional refactors | 20% |
| Age Without Refactor | Months since the last deliberate restructure | 15% |

How signals are computed: Knowledge decay checks author activity within a 36-month window. Churn is classified by total lines touched (>200 = churn) vs net line change (<10 with multi-file changes = refactor) - not by commit messages, which are unreliable. Dependency checks query PyPI for current release history and pip-audit for CVE counts.

Weights reflect recovery cost. Knowledge decay has the highest weight because lost institutional knowledge is irreversible on any sprint timescale. You can update a dependency in an afternoon. You cannot rebuild three years of context in a sprint.

Scores above 85 are Critical. Above 70 are High. All weights are configurable via entropy.toml.
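A worked version of the scoring rules above, as an added example rather than Entropy's own code. It uses the page's weights, 36-month window, 200/10-line cut-offs and 85/70 thresholds; the 0-100 scaling of each signal, scoring knowledge decay as the share of authors no longer active, testing for a refactor before churn, the 60-month age cap, the "Below High" label and all names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Weights, the 36-month window and the 200/10-line cut-offs are the ones stated on this page.
WEIGHTS = {"knowledge": 0.35, "dependency": 0.30, "churn": 0.20, "age": 0.15}
WINDOW_MONTHS = 36
AGE_CAP_MONTHS = 60  # assumption: the age signal saturates after five years

@dataclass
class Commit:
    author: str
    day: date
    touched: int  # lines added + deleted
    net: int      # lines added - deleted
    files: int    # files changed in the commit

def months(a: date, b: date) -> int:
    return (b.year - a.year) * 12 + (b.month - a.month)

def kind(c: Commit) -> str:
    if abs(c.net) < 10 and c.files > 1:  # size-based; refactor tested first (assumption)
        return "refactor"
    return "churn" if c.touched > 200 else "touch"

def signals(history, last_seen, dep_decay, today):
    """history: commits to one file; last_seen: author -> last commit date in the repo."""
    authors = {c.author for c in history}
    gone = [a for a in authors if months(last_seen[a], today) > WINDOW_MONTHS]
    kinds = [kind(c) for c in history]
    refactors = [c.day for c, k in zip(history, kinds) if k == "refactor"]
    since = max(refactors) if refactors else min(c.day for c in history)
    return {
        "knowledge": 100 * len(gone) / len(authors),  # share of authors no longer active
        "dependency": dep_decay,                      # 0-100, supplied by the caller
        "churn": 100 * kinds.count("churn") / len(kinds),
        "age": 100 * min(months(since, today), AGE_CAP_MONTHS) / AGE_CAP_MONTHS,
    }

def composite(sig):
    return round(sum(WEIGHTS[k] * sig[k] for k in WEIGHTS), 1)
def severity(score):
    return "Critical" if score > 85 else "High" if score > 70 else "Below High"

# Constructed history for one hypothetical module.
TODAY = date(2025, 1, 1)
HISTORY = [Commit("alice", date(2019, 3, 1), 40, 2, 3),
           Commit("bob", date(2020, 6, 1), 350, 300, 1),
           Commit("bob", date(2021, 2, 1), 260, 120, 2),
           Commit("carol", date(2024, 9, 1), 12, 12, 1)]
LAST_SEEN = {"alice": date(2019, 3, 1), "bob": date(2021, 2, 1), "carol": date(2024, 12, 1)}
```

Calling `composite(signals(HISTORY, LAST_SEEN, 80, TODAY))` scores the sample module; replacing carol's last-seen date with an old one shows how the score moves when the only remaining active author leaves.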


Does It Actually Work?

We ran Entropy across Django, boto, and requests. Files scoring above 70 showed significantly more bug-fix and hotfix commits in their history than files below 50. The correlation is not causal - high-entropy files attract bugs and are touched repeatedly to fix them, which compounds the score over time. This is the pattern Entropy is designed to surface before it becomes an incident.

The tool processed Django's 2,903 modules across 2,782 commits in 34 seconds.


CI Integration

entropy diff --base main
# Shows entropy delta for every file changed in the current branch

# .github/workflows/entropy.yml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0        # full history required — do not use fetch-depth: 1
- run: pip install entropy-tracker && entropy diff --base main

Performance

| Repository | Modules | Scan Time |
|---|---|---|
| click | 62 | ~11s |
| Django | 2,903 | ~34s |
| boto (full history) | 938 | ~45s |

Subsequent scans are faster — PyPI responses are cached locally for 24 hours.


Why Not SonarQube / Dependabot / CodeScene?

| Tool | Prevents bugs | Surfaces knowledge loss risk |
|---|---|---|
| SonarQube | | |
| Dependabot | | |
| CodeScene | Partially | Partially (no dep drift, no CI diff, enterprise pricing) |
| Entropy | | |

Entropy's focus is not code quality. It is the risk that comes from a module nobody fully understands anymore — which no other tool in this list measures.



Roadmap

  • Native support for Go and Rust codebases
  • Trend sparklines in CLI
  • Webhook alerts for Slack/Discord
  • Validation dataset: entropy score vs production incident correlation

Built by Hari om Singh · PyPI · MIT License
