GitHub buries repository size information. You won’t find it in the web interface, even on your own repos. But the public API exposes it directly—and it’s CORS-enabled, so browsers can fetch it without hassle. Drop a repo like simonw/datasette into a simple tool, and it reports 8.1MB. This matters because unchecked repo sizes lead to wasted bandwidth, surprise storage bills, and overlooked security risks.
Developers clone repos blindly. A 100MB+ behemoth eats hours on slow connections and bloats your disk. GitHub enforces soft limits: free accounts get 1GB storage and 1GB bandwidth monthly. Exceed them, and you pay $0.07 per extra GB stored or transferred. Enterprises hit 50GB+ repos routinely, but individuals overlook this until invoices arrive. In 2023, GitHub reported over 100 million repos; average sizes skew small, but outliers like tensorflow/tensorflow top 1.5GB. Forking or starring without size intel commits you to real costs.
Access It Yourself
No tool needed. Hit the GitHub API endpoint: https://api.github.com/repos/OWNER/REPO. It returns JSON with a size field in kilobytes. Divide by 1024 for MB.
Test in your browser console:
fetch('https://api.github.com/repos/simonw/datasette')
.then(r => r.json())
.then(data => console.log((data.size / 1024 / 1024).toFixed(1) + ' MB'));
This logs 8.1 MB for datasette. Curl works too:
curl -s https://api.github.com/repos/simonw/datasette | jq '.size / 1024 / 1024 | round(1)'
Output: 8.1. Public repos work unauthenticated, but rate limits cap you at 60 requests/hour. Authenticate with a token for 5,000/hour. The size reflects the repo’s unpacked contents on the default branch—git history excluded, but LFS objects included if present.
Security and Ops Implications
Size signals risks. Large repos pack more attack surface: embedded binaries, outdated deps, or leaked secrets. In 2022, GitHub scanned 1.5 billion code changes; supply chain attacks like SolarWinds hid in bloat. Before cloning untrusted code—say, a crypto wallet fork—check size first. Anything over 50MB warrants a deeper scan with tools like Trivy or GitHub’s own codeql.
For ops teams, automate this. CI pipelines clone repos; a 500MB surprise multiplies across builds. Integrate API calls into deployment scripts to reject oversized deps. In crypto projects, where repos hold smart contract code, bloat hides rugs or backdoors. Audit trails show: many DeFi exploits stemmed from unchecked third-party libs in fat repos.
Privacy angle: Repo size hints at data hoarding. ML models balloon to GBs with weights; check before downloading. GitHub’s API size undercounts LFS (tracks separately), so cross-reference license or language fields for clues.
Caveats and Workarounds
Skeptical note: GitHub’s size is an estimate, updated periodically—not real-time. Private repos require owner auth. Forks inherit parent size loosely. LFS repos report base size; actual download balloons with pointers resolved.
Alternatives exist. git clone --depth 1 fetches shallow copies to test. Tools like GitHub CLI (gh repo view --json size) pull it cleanly. For bulk scans, paginate API lists with ?per_page=100.
Bottom line: This API gap forces reliance on third-party tools, but it’s trivial to bridge. Use it to dodge costs, flag risks, and inform decisions. In a world of 420 million pulls daily, size awareness cuts waste and exposure.
