BreakPoint Drop

Public methodology example · published 2026-07-13

Cloudflare dependency audit

Cloudflare's public Workers ecosystem depends on 198 unique packages. 9% (18) are at bus factor 1. The risk concentration is in Lua/NGINX-adjacent packages — a smaller community with fewer potential adopters.

Methodology example, not a real audit. The numbers below are illustrative — based on real patterns in Cloudflare's public dependency tree and the same scoring model we use for the free audit. For real org-specific data, run this audit on your own GitHub org →
Run this audit on your GitHub org →

At a glance

Total dependencies

198

19 direct · 179 transitive

Bus factor 1

18

9% of total

Abandoned

6

3% of total

Top 2 high-risk dependencies

The 2 highest-risk packages in Cloudflare's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.

workerd-internal-bindings

Bus factor: 1

Cloudflare-internal but used in 2 open source SDKs. Single internal maintainer.

Last commit: 2024-03-22

lua-resty-cache-purge

Bus factor: 1

Used in Workers caching layer. Last release 18 months ago.

Last commit: 2023-07-10

Methodology

Pulled from cloudflare/workerd, cloudflare/wrangler2, cloudflare/miniflare on 2026-07-07. Analyzed bus factor, last commit, and open security advisories. Cross-referenced with GHSA database.

Citation: BreakPoint (Cloudflare open source dependency audit — 2026). https://breakpoint.network/audit/r/cloudflare

Get the same audit for your org

Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.

Get my org's audit →

Related reading

→ The State of Open Source Supply Chain 2026 → Bus factor explained (concept page) → For engineering leaders