PyPI Download Counts Are a Lie. Here’s the Truth About Python’s Most Trusted Metric

We’ve all done it. You need a new Python library, you search PyPI, and you breathe a sigh of relief when you see the download numbers in the millions. It feels safe. It feels validated. You assume that millions of downloads mean millions of developers relying on this code. But what if I told you those millions are mostly ghosts?

A download count doesn’t measure human intent; it measures how aggressively a package has been baked into an automated pipeline.

You’re trying to build something stable. You don’t want to invest in a dead project, so you look at the download count. It’s the only visible pulse a package has. But the metric is fundamentally broken. Every time a CI/CD pipeline spins up a fresh container, it downloads the package. Every time a mirror syncs, it downloads the package. Every time a bot crawls the registry for security analysis, it downloads the package.

I’ve seen it firsthand. A critical, beautifully maintained niche library sits at 5,000 downloads a month because it’s used directly by humans who install it once. Meanwhile, a bloated, barely maintained utility library sits at 50 million downloads because it got baked into a popular Docker base image five years ago. The ecosystem rewards the latter and starves the former.

We are optimizing our open-source ecosystem for the convenience of robots, not the needs of developers.

It’s time to take a hard stance: stop using PyPI download counts as a proxy for quality, adoption, or health. It is a vanity metric actively harming technical decision-making. When you sort by downloads, you aren’t finding the best tool for the job—you’re finding the tool that is best at being a dependency of automated systems.

If you want to know if a package is alive, look at the GitHub issues. Look at the maintainer’s response times. Look at the commit history. Read the actual code. Stop trusting the number that lies to you.

The most dangerous metric in software isn’t the one that’s hard to measure; it’s the one that’s easy to measure and completely wrong.

FAQ

Q: But doesn't a high download count still mean some people are using it?

A: Yes, but you can't separate the 10 actual human users from the 100,000 automated Docker rebuilds. When the noise-to-signal ratio is that high, the number is worse than useless—it's actively misleading.

Q: So what metric should I use to pick a Python package?

A: Look at GitHub activity, issue resolution times, and whether the maintainer is still merging pull requests. Evaluate the documentation quality and the actual code architecture. Human activity beats automated noise every time.

Q: Should PyPI just hide download counts entirely?

A: Honestly, yes. They do more harm than good in their current state. They penalize niche, high-quality libraries and reward bloated, deeply-entrenched dependencies. Removing them would force developers to actually evaluate the code they're importing.

📎 Source: View Source