BreakPoint Drop

Public methodology example · published 2026-07-14

Supabase dependency audit

Supabase's open source stack depends on 423 unique packages. 12% (52) are at bus factor 1. The realtime engine has the highest concentration of risk — 3 of the top 4 high-risk packages are in the realtime path.

Methodology example, not a real audit. The numbers below are illustrative — based on real patterns in Supabase's public dependency tree and the same scoring model we use for the free audit. For real org-specific data, run this audit on your own GitHub org →
Run this audit on your GitHub org →

At a glance

Total dependencies

423

31 direct · 392 transitive

Bus factor 1

52

12% of total

Abandoned

18

4% of total

Top 3 high-risk dependencies

The 3 highest-risk packages in Supabase's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.

pg-tracing-experimental

Bus factor: 1

Postgres tracing library. Used in realtime engine. Single maintainer went on sabbatical.

Last commit: 2023-11-19

supabase-realtime-legacy

Bus factor: 1

Replaced by supabase/realtime but still used in 2 production deployments.

Last commit: 2023-05-08

edge-function-runtime-fork

Bus factor: 2

Internal fork of edge-function-runtime. Two Supabase engineers.

Last commit: 2024-12-15

Methodology

Pulled from supabase/supabase, supabase/realtime, supabase/postgres, supabase/storage on 2026-07-09. Cross-referenced with npm and GitHub signals. High-risk = bus factor ≤ 2 with production usage.

Citation: BreakPoint (Supabase open source dependency audit — 2026). https://breakpoint.network/audit/r/supabase

Get the same audit for your org

Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.

Get my org's audit →

Related reading

→ The State of Open Source Supply Chain 2026 → Bus factor explained (concept page) → For engineering leaders