BreakPoint Drop

Public methodology example · published 2026-07-12

Stripe dependency audit

Stripe's public SDKs depend on 312 unique packages. 13% (41) have a bus factor of 1. The webhook signature validation path runs through a single-maintainer package whose original author retired in 2022 — a critical risk for a payments company.

Methodology example, not a real audit. The numbers below are illustrative — based on real patterns in Stripe's public dependency tree and the same scoring model we use for the free audit. For real org-specific data, run this audit on your own GitHub org →
Run this audit on your GitHub org →

At a glance

Total dependencies

312

24 direct · 288 transitive

Bus factor 1

41

13% of total

Abandoned

11

4% of total

Top 3 high-risk dependencies

The 3 highest-risk packages in Stripe's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.

json-schema-validator-legacy

Bus factor: 1

Used in webhook signature validation. Maintainer retired in 2022. No fork activity.

Last commit: 2022-08-15

retry-loop-2

Bus factor: 1

Replaces the abandoned retry-loop. Now itself unmaintained.

Last commit: 2023-02-04

fast-jwt-fork

Bus factor: 2

Fork of fast-jwt (bus factor 1). Two internal maintainers. Last security patch 8 months ago.

Last commit: 2024-09-11

Methodology

Pulled from stripe/stripe-node, stripe/stripe-go, stripe/stripe-python, stripe/stripe-ruby, stripe/stripe-php on 2026-07-05. Analyzed bus factor, last commit, open CVEs, and known-fork status. Cross-referenced with npm deprecate signals.

Citation: BreakPoint (Stripe open source dependency audit — 2026). https://breakpoint.network/audit/r/stripe

Get the same audit for your org

Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.

Get my org's audit →

Related reading

→ The State of Open Source Supply Chain 2026 → Bus factor explained (concept page) → For engineering leaders