oracle · RuchitAgrawal · May 2, 2026
@@ -100,6 +100,9 @@ the requirements that are currently supported by Macaron.
    * - ``mcn_license_1``
      - **License check** - Check whether the repository license is not in the configured deny-list.
      - This check detects the repository license via the GitHub API and validates it against a user-defined list of denied SPDX identifiers configured in ``defaults.ini``. If the deny-list is empty, any detected license is accepted.
+   * - ``mcn_registry_maintainability_1``
+     - **Registry maintainability** - Check whether the package exists in its public registry and is actively maintained.
+     - Validates registry presence, release recency, and explicit deprecation or yanked status (PyPI, npm). Also checks whether the source repository has been archived and how recently code was pushed, when a GitHub repository is available. The inactivity threshold is configurable via ``defaults.ini`` (``[registry_maintainability] inactivity_threshold_days``). Returns ``UNKNOWN`` when the ecosystem is unsupported or no version is specified in the PURL.
 
 ----------------------
 How does Macaron work?

@@ -774,3 +774,15 @@ denied_licenses =
 # If True, the check fails when no license is detected.
 # If False, a missing license results in a low-confidence pass.
 require_license = False
+
+# Registry maintainability configuration.
+# The mcn_registry_maintainability_1 check validates whether a package exists
+# in its public registry and evaluates its maintenance status.
+[registry_maintainability]
+
+# Maximum number of days since the last release before a package is considered
+# unmaintained. Packages exceeding this threshold will fail the check.
+# The same threshold is also applied to the time since the last push to the
+# source repository (if available via the GitHub API).
+# Default: 365 days (approximately 1 year).
+inactivity_threshold_days = 365