Public methodology example · published 2026-07-13
Cloudflare dependency audit
Cloudflare's public Workers ecosystem depends on 198 unique packages. 9% (18) are at bus factor 1. The risk concentration is in Lua/NGINX-adjacent packages — a smaller community with fewer potential adopters.
At a glance
Total dependencies
198
19 direct · 179 transitive
Bus factor 1
18
9% of total
Abandoned
6
3% of total
Top 2 high-risk dependencies
The 2 highest-risk packages in Cloudflare's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.
workerd-internal-bindings
Bus factor: 1Cloudflare-internal but used in 2 open source SDKs. Single internal maintainer.
Last commit: 2024-03-22
lua-resty-cache-purge
Bus factor: 1Used in Workers caching layer. Last release 18 months ago.
Last commit: 2023-07-10
Methodology
Pulled from cloudflare/workerd, cloudflare/wrangler2, cloudflare/miniflare on 2026-07-07. Analyzed bus factor, last commit, and open security advisories. Cross-referenced with GHSA database.
Citation: BreakPoint (Cloudflare open source dependency audit — 2026). https://breakpoint.network/audit/r/cloudflare
Get the same audit for your org
Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.
Get my org's audit →