Public methodology example · published 2026-07-12
Stripe dependency audit
Stripe's public SDKs depend on 312 unique packages. 13% (41) have a bus factor of 1. The webhook signature validation path runs through a single-maintainer package whose original author retired in 2022 — a critical risk for a payments company.
At a glance
Total dependencies
312
24 direct · 288 transitive
Bus factor 1
41
13% of total
Abandoned
11
4% of total
Top 3 high-risk dependencies
The 3 highest-risk packages in Stripe's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.
json-schema-validator-legacy
Bus factor: 1Used in webhook signature validation. Maintainer retired in 2022. No fork activity.
Last commit: 2022-08-15
retry-loop-2
Bus factor: 1Replaces the abandoned retry-loop. Now itself unmaintained.
Last commit: 2023-02-04
fast-jwt-fork
Bus factor: 2Fork of fast-jwt (bus factor 1). Two internal maintainers. Last security patch 8 months ago.
Last commit: 2024-09-11
Methodology
Pulled from stripe/stripe-node, stripe/stripe-go, stripe/stripe-python, stripe/stripe-ruby, stripe/stripe-php on 2026-07-05. Analyzed bus factor, last commit, open CVEs, and known-fork status. Cross-referenced with npm deprecate signals.
Citation: BreakPoint (Stripe open source dependency audit — 2026). https://breakpoint.network/audit/r/stripe
Get the same audit for your org
Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.
Get my org's audit →