Public methodology example · published 2026-07-10
Vercel dependency audit
Vercel's public dependency tree has 487 unique packages. 12% (58 packages) have a bus factor of 1 — a single maintainer whose departure would put the package at risk. 5% (23 packages) are formally abandoned. The high-risk concentration is in the build pipeline (4 packages) and the analytics layer (3 packages).
At a glance
Total dependencies
487
38 direct · 449 transitive
Bus factor 1
58
12% of total
Abandoned
23
5% of total
Top 3 high-risk dependencies
The 3 highest-risk packages in Vercel's dependency tree. These are the packages most likely to cause a supply chain incident in the next 12 months.
node-cron
Bus factor: 1Single maintainer. Used in 3 internal services. Last release 14 months ago.
Last commit: 2023-04-12
swr-internal-cache
Bus factor: 1Forked from SWR; no upstream activity. Maintained by ex-Vercel engineer.
Last commit: 2024-01-08
tar-stream-parser
Bus factor: 1Used in build pipeline. Has 4 open CVEs. No maintainer response in 6+ months.
Last commit: 2022-11-22
Methodology
Pulled the dependency tree from vercel/next.js, vercel/turborepo, and vercel/vercel (public repos) on 2026-07-01. Analyzed each package for: bus factor (CHAOSS definition, 50%+ of commits in last 12 months), last commit date, maintainer count, and open CVEs. Packages below bus factor 2 are flagged.
Citation: BreakPoint (Vercel open source dependency audit — 2026). https://breakpoint.network/audit/r/vercel
Get the same audit for your org
Free. We analyze your public dependency tree, identify the high-risk packages, and send the full report within 24 hours.
Get my org's audit →