Expose maintainer information from package registries.
The FetchMaintainers method is already implemented on the Registry interface for multiple ecosystems and the data belongs alongside existing commands like list, outdated, and licenses. Putting it in an extension would mean duplicating registry client logic or adding an awkward round-trip through JSON output.
A git pkgs maintainers command (or a --maintainers flag on list) would answer "which of my dependencies have only one person with publish access?" -- a direct supply chain risk signal. Single-maintainer packages aren't inherently bad, but knowing which ones they are helps prioritize review effort.
Output would show package name, maintainer count, and maintainer names/logins. JSON output for scripting. Could also flag packages where the maintainer count dropped (someone left) since the version you're using.
Expose maintainer information from package registries.
The
FetchMaintainersmethod is already implemented on the Registry interface for multiple ecosystems and the data belongs alongside existing commands likelist,outdated, andlicenses. Putting it in an extension would mean duplicating registry client logic or adding an awkward round-trip through JSON output.A
git pkgs maintainerscommand (or a--maintainersflag onlist) would answer "which of my dependencies have only one person with publish access?" -- a direct supply chain risk signal. Single-maintainer packages aren't inherently bad, but knowing which ones they are helps prioritize review effort.Output would show package name, maintainer count, and maintainer names/logins. JSON output for scripting. Could also flag packages where the maintainer count dropped (someone left) since the version you're using.