
EFI: Regular publishing of new version #189

Open
sheplu opened this issue Feb 21, 2024 · 0 comments

Comments

@sheplu
Member

sheplu commented Feb 21, 2024

Motivation

Publishing a new version of a package can be seen as a way to display that the community around the project is alive and that security issues (or performance optimizations) are taken into account. In the Node.js ecosystem, targeting a patch update for security / performance can make sense - without overwhelming users relying on the library.

Expectation

Define a max duration for which not having an update raises an alert
Automatically watch all repositories for the latest release and trigger a message (slack / email / other)

Implementation

Discuss the max time (and whether we want to do that)
Implement an action per repo (or one action checking all repos regularly - no need to PR that in every repository)

Status

Part: Technical

Draft

We should define a threshold (6 months or a year) to raise a warning if a package was not updated in this amount of time
Keeping a large number of libraries up to date and publishing new versions is hard, but it is also one way to display a live and healthy ecosystem. By enforcing that all packages need to be updated and published at least once in a defined amount of time, we can lower the global risk while displaying the need to update to our user base.
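One way to implement the single "check all repos regularly" action sketched above, as an added example that is not part of the issue or the project's own code. The analysis is a pure function over release metadata so it runs offline; the organization `example-org`, the repository names, the release dates, the fixed "now" and the 180-day default are constructed sample values and assumptions of this example. The live lookup uses the real GitHub REST endpoint `GET /repos/{owner}/{repo}/releases/latest`, but the `fetchLatestRelease` helper around it is hypothetical.

```javascript
// Added example (not the project's code): flag repositories whose latest
// release is older than a threshold, for use in one scheduled GitHub Action
// that checks every repo instead of a workflow per repository.
// The analysis is pure and runs offline on constructed sample data; the
// network fetch at the bottom is only used when a token is supplied.

const DEFAULT_MAX_AGE_DAYS = 180; // assumption: ~6 months, the lower threshold floated above

// Whole days between an ISO-8601 timestamp and `now`. Throws on unparsable
// input so a malformed API response cannot silently pass as "fresh".
function daysSince(isoDate, now) {
  const then = Date.parse(isoDate);
  if (Number.isNaN(then)) throw new Error(`invalid date: ${isoDate}`);
  return Math.floor((now.getTime() - then) / 86_400_000);
}

// Returns the stale entries, oldest first. A repo with no release at all
// (publishedAt === null) is treated as stale, since "never published" is
// the worst case for the signal the issue is after.
function findStale(releases, { maxAgeDays = DEFAULT_MAX_AGE_DAYS, now = new Date() } = {}) {
  return releases
    .map((r) => ({ ...r, ageDays: r.publishedAt === null ? null : daysSince(r.publishedAt, now) }))
    .filter((r) => r.ageDays === null || r.ageDays > maxAgeDays)
    .sort((a, b) => (b.ageDays ?? Infinity) - (a.ageDays ?? Infinity));
}

// Plain-text message suitable for a Slack webhook payload or an issue body.
function formatReport(stale, maxAgeDays = DEFAULT_MAX_AGE_DAYS) {
  if (stale.length === 0) return `All packages released within the last ${maxAgeDays} days.`;
  const lines = stale.map((r) =>
    r.ageDays === null
      ? `- ${r.repo}: no release found`
      : `- ${r.repo}: last release ${r.tag} was ${r.ageDays} days ago`);
  return [`${stale.length} package(s) not released in ${maxAgeDays} days:`, ...lines].join('\n');
}

// Constructed sample data (not real repositories), pinned to a fixed "now"
// so the result is deterministic.
const SAMPLE_NOW = new Date('2024-02-21T00:00:00Z');
const SAMPLE_RELEASES = [
  { repo: 'example-org/pkg-fresh', tag: 'v2.1.0', publishedAt: '2024-01-15T10:00:00Z' },
  { repo: 'example-org/pkg-stale', tag: 'v1.4.2', publishedAt: '2023-03-01T09:30:00Z' },
  { repo: 'example-org/pkg-never', tag: null, publishedAt: null },
];

// Live lookup against the GitHub REST API (Node 18+ global fetch). A 404 on
// releases/latest means the repo has no (non-draft, non-prerelease) releases,
// which is reported as stale rather than thrown. Hypothetical helper.
async function fetchLatestRelease(owner, repo, token) {
  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/releases/latest`, {
    headers: { Accept: 'application/vnd.github+json', Authorization: `Bearer ${token}` },
  });
  if (res.status === 404) return { repo: `${owner}/${repo}`, tag: null, publishedAt: null };
  if (!res.ok) throw new Error(`${owner}/${repo}: HTTP ${res.status}`);
  const body = await res.json();
  return { repo: `${owner}/${repo}`, tag: body.tag_name, publishedAt: body.published_at };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatReport(findStale(SAMPLE_RELEASES, { now: SAMPLE_NOW })));
}
```

Two caveats for a real deployment: GitHub releases and npm publishes are not the same event, so a package that is published to npm without a tagged GitHub release will show up as a false positive here; the npm registry document (`https://registry.npmjs.org/<package>`, field `time`) is the more accurate source if the goal is "published to npm at least once in N days". And the check only reports; it should not itself block anything, since a stale-but-correct package is not a vulnerability, just a signal worth a human look.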
