These are the packages that would block your engineering org if they disappeared tomorrow. Start with what's in your production lock files.
Per dep, score 1 (low) / 2 (medium) / 3 (high risk) on each dimension. Sum the scores. Anything ≥10 is critical.
| Dimension | 1 (low) | 2 (med) | 3 (high) |
|---|---|---|---|
| Bus factor | 3+ | 2 | 1 |
| Dormancy (last commit) | < 30d | 30-180d | > 180d |
| Sponsorship status | Funded | Solo, active | Solo, no income |
| Explicit signals | None flagged | Maintenance mode | Deprecated / archived |
| Institutional backing | Foundation | Company | Pure solo |
$100/month changes the calculus. Tidelift's 2024 data: paid maintainers don't quit at the same rate as unpaid ones. Even one $100/mo sponsorship is a signal.
One PR a quarter per critical dependency builds bus factor 2+ on the projects you depend on. Start small — typo fixes count.
Most engineering orgs track vendor risk. Open source is the same kind of dependency. Treat it the same way.
After completing the 5 steps, fill this in:
Want a free audit of your actual org?
Paste your GitHub org, get a real report with your top 20 deps scored.
Run free audit →BreakPoint · Where abandoned projects get a second life · breakpoint.network