Public methodology example · published 2026-07-14
Supabase dependency audit
Supabase's open source stack depends on 423 unique packages. 12% (52) are at bus factor 1. The realtime engine has the highest concentration of risk — 3 of the top 4 high-risk packages are in the realtime path.
At a glance
Total dependencies
423
31 direct · 392 transitive
Bus factor 1
52
12% of total
Abandoned
18
4% of total
Top 3 high-risk dependencies
The 3 highest-risk packages in Supabase's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.
pg-tracing-experimental
Bus factor: 1Postgres tracing library. Used in realtime engine. Single maintainer went on sabbatical.
Last commit: 2023-11-19
supabase-realtime-legacy
Bus factor: 1Replaced by supabase/realtime but still used in 2 production deployments.
Last commit: 2023-05-08
edge-function-runtime-fork
Bus factor: 2Internal fork of edge-function-runtime. Two Supabase engineers.
Last commit: 2024-12-15
Methodology
Pulled from supabase/supabase, supabase/realtime, supabase/postgres, supabase/storage on 2026-07-09. Cross-referenced with npm and GitHub signals. High-risk = bus factor ≤ 2 with production usage.
Citation: BreakPoint (Supabase open source dependency audit — 2026). https://breakpoint.network/audit/r/supabase
Get the same audit for your org
Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.
Get my org's audit →