The npm package page is often the first place a consumer lands after npm install. Without a repository field, the page has no link to the source code — consumers cannot report bugs, read the source to understand behavior, or check if the project is actively maintained. ISO 25010 analysability requires that the package's provenance be traceable. A missing bugs URL means issues go unreported or are sent to the wrong place. These fields take 60 seconds to add and have zero downside.
Low because missing repository metadata degrades discoverability and issue-reporting ergonomics but has no impact on package functionality or security.
Add repository, homepage, and bugs fields to package.json. All three are displayed on the npm package page.
{
  "repository": {
    "type": "git",
    "url": "https://github.com/yourorg/your-package.git"
  },
  "homepage": "https://github.com/yourorg/your-package#readme",
  "bugs": {
    "url": "https://github.com/yourorg/your-package/issues"
  }
}
All three fields must be present for a full pass. The repository field alone satisfies the minimum requirement — homepage and bugs are additional signals. For private packages ("private": true), this check is skipped.
ID: sdk-package-quality.docs-maintenance.repo-fields
Severity: low
What to look for: Count all repository-related fields in package.json. Check package.json for metadata fields that help consumers find the source and report issues:
repository — points to the source code repository (GitHub, GitLab, etc.)
homepage — project homepage or documentation site
bugs — issue tracker URL
These fields are displayed on the npm package page and help consumers navigate between the package registry and the source.
Pass criteria: At least repository is present with a valid URL or { "type": "git", "url": "..." } object. homepage and bugs are nice-to-have but not required for a pass; a full pass requires all 3 fields: repository, bugs, and homepage in package.json. Report: "X repository metadata fields configured."
Fail criteria: No repository field in package.json. The npm page will show no link to source code.
Skip (N/A) when: The package is private/internal (has "private": true). Also skip for Python (uses pyproject.toml [project.urls]), Rust (Cargo.toml repository), and Go (the module path IS the repository).
Detail on fail: "No repository field in package.json. The npm package page will not link to the source code. Consumers cannot find the repo to report issues, read source, or contribute."
Remediation: These fields take 30 seconds to add and improve the npm page significantly:
{
  "repository": {
    "type": "git",
    "url": "https://github.com/yourorg/your-package.git"
  },
  "homepage": "https://github.com/yourorg/your-package#readme",
  "bugs": {
    "url": "https://github.com/yourorg/your-package/issues"
  }
}
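The pass, fail and skip criteria above, applied to parsed package.json objects. This is an added example, not code from the check's own implementation; the function names, the 'full-pass' status label and the sample manifests are assumptions, and "valid URL" is reduced here to "non-empty string".

```javascript
// Added example: evaluates the criteria above against a parsed package.json.

// Accepts the string form or the { "type", "url" } object form of "repository",
// and the string or { "url" } form of "bugs". Returns '' when no URL is set.
function fieldUrl(value) {
  if (typeof value === 'string') return value.trim();
  if (value && typeof value.url === 'string') return value.url.trim();
  return '';
}

// Hypothetical helper; returns { status, configured, detail }.
function checkRepoFields(pkg) {
  // Skip (N/A): private/internal packages are never published to the registry page.
  if (pkg.private === true) {
    return { status: 'skip', configured: 0, detail: 'Private package; check skipped.' };
  }
  const present = ['repository', 'homepage', 'bugs'].filter((k) => fieldUrl(pkg[k]) !== '');
  const report = `${present.length} repository metadata fields configured.`;
  // Fail: no usable repository field, regardless of homepage or bugs.
  if (!present.includes('repository')) {
    return { status: 'fail', configured: present.length,
      detail: 'No repository field in package.json. ' + report };
  }
  // Pass with repository alone; full pass only when all three are set.
  const status = present.length === 3 ? 'full-pass' : 'pass';
  return { status, configured: present.length, detail: report };
}

// Constructed sample manifests (not real packages).
const samples = {
  complete: {
    name: 'a',
    repository: { type: 'git', url: 'https://github.com/yourorg/your-package.git' },
    homepage: 'https://github.com/yourorg/your-package#readme',
    bugs: { url: 'https://github.com/yourorg/your-package/issues' },
  },
  repoOnly: { name: 'b', repository: 'https://github.com/yourorg/your-package.git' },
  bugsOnly: { name: 'c', bugs: { url: 'https://github.com/yourorg/your-package/issues' } },
  emptyRepo: { name: 'd', repository: { type: 'git', url: '' } },
  internal: { name: 'e', private: true },
};

for (const [label, pkg] of Object.entries(samples)) {
  const r = checkRepoFields(pkg);
  console.log(`${label}: ${r.status} (${r.detail})`);
}
```

The emptyRepo sample shows the edge case where the repository key exists but carries no URL, which counts as a fail rather than a pass.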