risk.assessr helps make an initial determination of a
package’s reliability and security in terms of maintenance,
documentation, and dependencies. It is designed to carry out a
risk assessment of R packages (either internal or open source) at the
beginning of the validation process. It calculates risk metrics such
as:
- Core metrics - includes R command check, unit test coverage and composite coverage of dependencies
- Documentation metrics - availability of vignettes, news tracking, example(s), check if functions have family documentation, return object description for exported functions, and type of license
- Dependency Metrics - package dependencies and reverse dependencies
- Traceability matrix - matching the function / test descriptions to tests and match to test pass/fail

This package executes the following tasks:

- Download the source package (tar.gz file)
- Unpack the tar.gz file
- Install the package locally
- Run code coverage
- Run a traceability matrix
- Run R CMD check
- Run risk assessment metrics using default or user defined weighting

Install from GitHub:

```r
remotes::install_github("Sanofi-Public/risk.assessr")
```

Or from CRAN, when published:

```r
install.packages("risk.assessr")
```

To assess your package, do the following steps:

1. Build your package as a tar.gz file
2. Set repository options
3. Run the following code sample, either choosing the tar.gz file interactively or passing the path to your package source as a parameter

```r
options(repos = c(
  RSPM = "https://cloud.r-project.org",
  INTERNAL = "https://cloud.r-project.org",
  INTERNAL_RSPM = "https://cloud.r-project.org"
))
library(risk.assessr)

# Using a built package:
# local package source tarball (path or interactive file chooser)
results <- risk_assess_pkg("path/to/your/package.tar.gz")
results <- risk_assess_pkg() # opens file chooser

# Package by name from CRAN/Bioconductor/internal
results <- risk_assess_pkg(package = "dplyr")
results <- risk_assess_pkg(package = "dplyr", version = "1.0.0")

# Lock file (renv.lock or pak.lock)
results <- risk_assess_pkg_lock_files("path/to/your/lockfile")
```

Note: This process can be very time-consuming and is recommended to be performed as a batch job or within a GitHub Action.

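A batch wrapper for the run described in the note above, as an added example that is not part of the risk.assessr documentation. The script name `assess_batch.R`, the output directory and the output file names are assumptions; only `risk_assess_pkg()` and the repository options come from this page.

```r
#!/usr/bin/env Rscript
# Added example: non-interactive wrapper around risk_assess_pkg().
# Usage (hypothetical script name):
#   Rscript assess_batch.R path/to/package.tar.gz [output_dir]

args <- commandArgs(trailingOnly = TRUE)
if (length(args) < 1) {
  stop("usage: Rscript assess_batch.R <package.tar.gz> [output_dir]", call. = FALSE)
}

# Always pass an explicit path: with no argument risk_assess_pkg() opens a
# file chooser, which cannot work in a batch job.
tarball <- normalizePath(args[[1]], mustWork = TRUE)
out_dir <- if (length(args) >= 2) args[[2]] else "risk_assessr_out"  # assumed default
dir.create(out_dir, recursive = TRUE, showWarnings = FALSE)

# Pin the repositories so dependency resolution does not depend on the
# runner's defaults (same values as the sample above).
options(repos = c(
  RSPM = "https://cloud.r-project.org",
  INTERNAL = "https://cloud.r-project.org",
  INTERNAL_RSPM = "https://cloud.r-project.org"
))

library(risk.assessr)

results <- tryCatch(
  risk_assess_pkg(tarball),
  error = function(e) {
    # Keep the failure reason as an artifact and fail the job.
    writeLines(conditionMessage(e), file.path(out_dir, "assessment_error.txt"))
    quit(status = 1)
  }
)

stem <- sub("\\.tar\\.gz$", "", basename(tarball))

# Full result object for later review.
saveRDS(results, file.path(out_dir, paste0(stem, "_risk.rds")))

# Top-level overview of the results list, without assuming its layout.
writeLines(capture.output(str(results, max.level = 1)),
           file.path(out_dir, paste0(stem, "_summary.txt")))

# Record the R version and loaded packages the assessment ran under.
writeLines(capture.output(sessionInfo()),
           file.path(out_dir, paste0(stem, "_session.txt")))
```

Because the assessment installs the package and runs its tests, the job executes the package's code; run it on a disposable runner or container rather than on a workstation.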
| Key Metrics | Reason | Where to find them in Metrics and Risk assessment |
|---|---|---|
| RCMD check | series of 45 package checks of tests, package structure, documentation | check element in results list, check_list |
| test coverage | unit test coverage | covr element in results list, covr_list |
| risk analysis | rules and thresholds to identify risks | risk_analysis |
| traceability matrix | maps exported functions to test coverage, documentation by risk and function type | tm_list |

Gillian E, Bottois H, Charliquart P, Couturier A (2025). risk.assessr: Assessing Package Risk Metrics. R package version 2.0.0, https://sanofi-public.github.io/risk.assessr/.

```bibtex
@Manual{,
  title = {risk.assessr: Assessing Package Risk Metrics},
  author = {Edward Gillian and Hugo Bottois and Paulin Charliquart and Andre Couturier},
  year = {2025},
  note = {R package version 2.0.0},
  url = {https://sanofi-public.github.io/risk.assessr/},
}
```

The project is inspired by the riskmetric
package and the mpn.scorecard
package and draws on some of their ideas and functions.