The number an npm or PyPI API gives you is dominated by CI runners reinstalling the world on every push, with mirror traffic, bot scans, and the occasional human mixed in. It is not a count of users, or of installations, or of anything that maps cleanly to “how many people are affected if this breaks”.
and
CVE count is routinely used as a security signal and measures the opposite of what people assume.
and
Commit cadence and “last activity” penalise software that is finished.
and
a project that had eighty contributors in 2012 and has one exhausted person today shows a reassuring headcount, and there is no field anywhere in the API or the registry metadata for whether that one person is close to walking away.
Really, just read the whole thing.
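To make the first excerpt concrete: this is an added illustration, not code from the quoted article or from either registry. If you had the raw request log behind a download counter (the public APIs only hand you the total), the client User-Agent is the one field that lets you separate CI, mirrors and scanners from something that might be a person. The records below are constructed; the User-Agent shapes are modelled on what npm (a trailing `ci/<name>` token) and pip (a JSON blob with a `"ci"` key) send, and the mirror and scanner heuristics are assumptions, not a published method.

```python
"""Bucket package-download records by what the client's User-Agent says
about itself, to show how far a raw download count is from "people".

Added example, not code from the quoted article. SAMPLE_RECORDS are constructed;
the User-Agent formats follow npm ("ci/<name>" when a CI environment is detected)
and pip (JSON details with "ci": true under CI env vars). The mirror and scanner
token lists are assumptions for the illustration.
"""
import json
import re
from collections import Counter

# Constructed sample of (client_ip, user_agent). Not real traffic.
SAMPLE_RECORDS = [
    ("203.0.113.10", "npm/10.2.4 node/v20.10.0 linux x64 workspaces/false ci/github-actions"),
    ("203.0.113.10", "npm/10.2.4 node/v20.10.0 linux x64 workspaces/false ci/github-actions"),
    ("203.0.113.11", "npm/10.2.4 node/v20.10.0 linux x64 workspaces/false ci/gitlab"),
    ("198.51.100.7", 'pip/24.0 {"ci":true,"cpu":"x86_64","installer":{"name":"pip","version":"24.0"},"python":"3.11.6"}'),
    ("198.51.100.7", 'pip/24.0 {"ci":true,"cpu":"x86_64","installer":{"name":"pip","version":"24.0"},"python":"3.11.6"}'),
    ("192.0.2.5", 'pip/24.0 {"ci":null,"cpu":"arm64","installer":{"name":"pip","version":"24.0"},"python":"3.12.1"}'),
    ("192.0.2.6", "npm/9.8.1 node/v18.17.0 darwin arm64 workspaces/false"),
    ("192.0.2.6", "npm/9.8.1 node/v18.17.0 darwin arm64 workspaces/false"),
    ("198.51.100.20", "bandersnatch/6.3.0 (cpython 3.11.4-final0, Linux x86_64)"),
    ("198.51.100.21", "python-requests/2.31.0"),
    ("198.51.100.22", "Go-http-client/1.1"),
    ("198.51.100.23", "curl/8.4.0"),
]

# npm appends "ci/<provider>" to its User-Agent when it detects a CI environment.
NPM_CI = re.compile(r"\bci/\S+")
# Assumed markers for registry mirrors / proxy caches (bandersnatch and devpi for
# PyPI, verdaccio for npm). Anything else that is not npm or pip is lumped into
# "other": scanners, crawlers, hand-written scripts.
MIRROR_TOKENS = ("bandersnatch", "devpi", "verdaccio", "mirror")


def classify(ua: str) -> str:
    """Return one of: ci, interactive, mirror, other."""
    ua_l = ua.lower()
    if any(tok in ua_l for tok in MIRROR_TOKENS):
        return "mirror"
    if ua.startswith("npm/"):
        return "ci" if NPM_CI.search(ua) else "interactive"
    if ua.startswith("pip/"):
        # pip follows "pip/<version>" with a JSON object describing the client;
        # "ci" is only true when pip saw CI-style environment variables.
        _, _, blob = ua.partition(" ")
        try:
            details = json.loads(blob)
        except json.JSONDecodeError:
            return "other"
        return "ci" if details.get("ci") else "interactive"
    return "other"


def summarize(records) -> dict:
    """Raw total next to the bucketed view and a rough distinct-client count.

    Caveats: an IP is a weak identity (NAT, shared egress), so the distinct count
    undercounts; CI runners that set none of the env vars pip/npm look for show
    up as "interactive", so that bucket is an upper bound on humans.
    """
    buckets = Counter(classify(ua) for _, ua in records)
    interactive_ips = {ip for ip, ua in records if classify(ua) == "interactive"}
    return {
        "raw_downloads": len(records),
        "by_bucket": dict(buckets),
        "interactive_downloads": buckets["interactive"],
        "distinct_interactive_clients": len(interactive_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On this constructed sample the headline figure is 12 downloads, but only 3 of them come from clients not announcing themselves as CI, a mirror or a script, and those 3 come from 2 addresses. The real ratio will be worse on a popular package, and you only get to compute it at all if you own the logs.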