DEV Community

Pico

Posted on • Originally published at getcommit.dev

I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.

OpenAI and Vercel AI score clean. Anthropic hides two CRITICAL deps. LangChain has three.


The March 2026 LiteLLM supply chain attack followed a pattern that was visible beforehand: a single maintainer, millions of downloads, no organizational backing. The attack came via a backdoored Trivy GitHub Action in LiteLLM's CI pipeline. Behavioral signals were pointing at the risk before the incident happened.

I built getcommit.dev to surface exactly these signals. This week I ran it against the dependency trees of every major AI SDK to answer a simple question: which one is safest to depend on?

The answer surprised me.

The method

Running npx proof-of-commitment @anthropic-ai/sdk gives you the surface-level score. That's the direct package.

The more interesting test is depth 2: scan what the SDK's own dependencies depend on. That's where hidden risk lives.

# Surface scan
npx proof-of-commitment openai @anthropic-ai/sdk @langchain/core ai

# Depth-2 scan (any package)
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'
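As an added illustration of the depth-2 idea (my own example, not getcommit.dev's scanner or its scoring): walk the `packages` map of a package-lock.json breadth-first, stop at a chosen depth, and apply a sole-publisher / stale / young heuristic to each transitive package. The lock-file fragment, registry metadata, package names and the thresholds in `classify` are all constructed for this example; in practice maintainer counts, download numbers and release dates come from the npm registry.

```python
"""Depth-limited transitive dependency scan over a lockfileVersion 2/3 'packages' map."""
import json
from collections import deque

# Constructed lock-file fragment (not a real project); flat node_modules layout only,
# nested paths such as node_modules/a/node_modules/b are ignored for brevity.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"sdk-a": "^1.0.0"}},
    "node_modules/sdk-a": {"version": "1.0.0", "dependencies": {"schema-lib": "^2.0.0"}},
    "node_modules/schema-lib": {"version": "2.0.0", "dependencies": {"algebra-lib": "^0.5.0"}},
    "node_modules/algebra-lib": {"version": "0.5.0"}
  }
}""")

# Constructed registry metadata; a real scan would fetch this per package from the registry.
SAMPLE_META = {
    "sdk-a":       {"maintainers": 14, "weekly_downloads": 17_600_000, "months_since_release": 1,  "age_months": 60},
    "schema-lib":  {"maintainers": 1,  "weekly_downloads": 17_300_000, "months_since_release": 14, "age_months": 70},
    "algebra-lib": {"maintainers": 1,  "weekly_downloads": 14_200_000, "months_since_release": 15, "age_months": 50},
}

def transitive_deps(lock, max_depth=2):
    """Breadth-first walk from the root's direct deps; returns {name: depth} with 1 = direct."""
    pkgs = lock["packages"]
    seen = {}
    queue = deque((name, 1) for name in pkgs.get("", {}).get("dependencies", {}))
    while queue:
        name, depth = queue.popleft()
        if name in seen or depth > max_depth:
            continue
        seen[name] = depth  # BFS guarantees the shallowest depth is recorded first
        for child in pkgs.get(f"node_modules/{name}", {}).get("dependencies", {}):
            queue.append((child, depth + 1))
    return seen

def classify(meta):
    """Hypothetical thresholds (assumption): one publisher at >=10M/wk is CRITICAL,
    any sole publisher or a package younger than a year is HIGH, everything else HEALTHY."""
    sole = meta["maintainers"] == 1
    stale_tag = " + stale" if meta["months_since_release"] >= 12 else ""
    if sole and meta["weekly_downloads"] >= 10_000_000:
        return "CRITICAL" + stale_tag
    if sole or meta["age_months"] < 12:
        return "HIGH" + stale_tag
    return "HEALTHY"

def scan(lock, meta, max_depth=2):
    """Map each transitive package within max_depth to (depth, risk label)."""
    return {name: (depth, classify(meta[name]) if name in meta else "UNKNOWN")
            for name, depth in sorted(transitive_deps(lock, max_depth).items())}
```

Running `scan(SAMPLE_LOCK, SAMPLE_META, 2)` flags `schema-lib` at depth 2 while the direct dependency looks healthy, which is the gap a surface scan leaves.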

Surface level: everything looks fine

At depth 1, all four SDKs score healthy:

| SDK | Score | Maintainers | Downloads/wk | Risk |
|---|---|---|---|---|
| openai | 94 | 17 | 19.5M | HEALTHY |
| ai (Vercel AI) | 94 | 4 | 13M | HEALTHY |
| @anthropic-ai/sdk | 86 | 14 | 17.6M | HEALTHY |
| @langchain/core | 84 | 13 | 4.4M | HEALTHY |

Large teams. Active maintenance. All pass. Surface-level tools stop here.

Depth 2: the picture changes

openai: clean tree

Zero dependencies. Zero critical transitive paths. OpenAI's SDK has no runtime deps at all. Safest of the four by a wide margin.

ai (Vercel AI SDK): mostly clean

| Package | Maintainers | Downloads/wk | Risk |
|---|---|---|---|
| @ai-sdk/gateway | 3 | 10.5M | HIGH (new, <1yr) |
| @vercel/oidc | 3 | 11.8M | HIGH (new, <1yr) |

Two HIGH flags, both Vercel-backed and less than a year old with 10M+ weekly downloads. The organizational backing reduces risk significantly. Not CRITICAL, but worth monitoring — young packages with high adoption are the ones where a compromised CI pipeline hurts the most.

@anthropic-ai/sdk: two hidden CRITICAL deps

| Package | Maintainers | Downloads/wk | Risk |
|---|---|---|---|
| json-schema-to-ts | 1 | 17.3M | CRITICAL + stale |
| ts-algebra | 1 | 14.2M | CRITICAL + stale |

json-schema-to-ts is the Anthropic SDK's runtime dependency. One maintainer. 17.3 million weekly downloads. No new release in over 12 months.

That's the structural profile — sole publisher, massive scale, stalled activity — that preceded the ua-parser-js compromise in 2021 and the axios incident in 2026.

ts-algebra sits one level deeper. Same profile: one maintainer, 14.2 million downloads per week, dormant for over a year.

Neither shows up if you audit only your direct dependencies.

Plus three HIGH-risk deps: standardwebhooks (sole publisher, 6.3M/wk, stale), @stablelib/base64 and fast-sha256 (both sole publisher, ~7M/wk, stale). The Anthropic SDK's dependency tree is small but concentrated.

@langchain/core: three CRITICAL transitive paths

| Package | Maintainers | Downloads/wk | Risk |
|---|---|---|---|
| zod | 1 | 171M | CRITICAL |
| p-queue | 1 | 23M | CRITICAL |
| p-timeout | 1 | 35M | CRITICAL |

Three CRITICAL transitive dependencies. zod alone: 171 million downloads per week, one npm publisher. GitHub shows 30+ contributors, but npm publish access — the actual attack surface — is held by a single account.

Plus two HIGH-risk deps: @cfworker/json-schema (sole publisher, 4.8M/wk, stale) and js-tiktoken (sole publisher, 5.4M/wk).

Any one of these is a high-value target. Combined: over 229 million weekly downloads behind single-person publish credentials in LangChain's transitive tree.

The ranking

| Rank | SDK | Critical transitive deps | Worst transitive score |
|---|---|---|---|
| 1 | openai | 0 | |
| 2 | ai (Vercel AI) | 0 | 69 |
| 3 | @anthropic-ai/sdk | 2 | 52 |
| 4 | @langchain/core | 3 | 56 |

OpenAI wins by having no dependencies at all. Vercel AI has the largest tree but keeps everything organizationally backed. Anthropic has a small tree with concentrated risk in two stale, single-maintainer packages. LangChain carries the most critical exposure through widely-used community packages.

What to do with this

Surface scans aren't enough. The attack surface for your AI application includes every transitive dependency, not just the ones in your package.json.

To check your own project:

# Scan your lock file (finds transitive deps automatically)
npx proof-of-commitment --file package-lock.json

# Scan a specific SDK at depth 2
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'

Or check any package's trust profile at getcommit.dev/npm/zod — every npm package now has a permanent page with live behavioral scoring.

The data is public. The attack patterns are documented. What you do with it is up to you.


getcommit.dev — behavioral supply chain scoring for npm, PyPI, Cargo, and Go. GitHub.
