Pico

Posted on • Edited on • Originally published at getcommit.dev

I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.

Updated May 23, 2026 with current data from live scans.

OpenAI and Vercel AI score clean. Anthropic hides two CRITICAL deps. LangChain has three.


The March 2026 LiteLLM supply chain attack followed a pattern that was visible beforehand: a single maintainer, millions of downloads, no organizational backing. The attack came via a backdoored Trivy GitHub Action in LiteLLM's CI pipeline. Behavioral signals were pointing at the risk before the incident happened.

I built getcommit.dev to surface exactly these signals. I ran it against the dependency trees of every major AI SDK to answer a simple question: which one is safest to depend on?

The method

Running npx proof-of-commitment @anthropic-ai/sdk gives you the surface-level score. That's the direct package.

The more interesting test is depth 2: scan what the SDK's own dependencies depend on. That's where hidden risk lives.

```bash
# Surface scan
npx proof-of-commitment openai @anthropic-ai/sdk @langchain/core ai

# Depth-2 scan (any package)
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'
```

Surface level: everything looks fine

At depth 1, all four SDKs score healthy:

| SDK | Score | Maintainers | Downloads/wk | Risk |
| --- | --- | --- | --- | --- |
| ai (Vercel AI) | 98 | 5 | 13.8M | HEALTHY |
| openai | 93 | 17 | 22.2M | HEALTHY |
| @anthropic-ai/sdk | 87 | 14 | 18.9M | HEALTHY |
| @langchain/core | 86 | 13 | 4.6M | HEALTHY |

Large teams. Active maintenance. All pass. Surface-level tools stop here.

Depth 2: the picture changes

openai: clean tree

Zero dependencies. Zero critical transitive paths. OpenAI's SDK has no runtime deps at all. Safest of the four by a wide margin.

ai (Vercel AI SDK): mostly clean

| Package | Maintainers | Downloads/wk | Risk |
| --- | --- | --- | --- |
| @ai-sdk/gateway | 3 | 12.2M | HIGH (new, <1yr) |
| @vercel/oidc | 4 | 14.1M | HIGH (new, <1yr) |

Two HIGH flags, both Vercel-backed and less than a year old with 10M+ weekly downloads. The organizational backing reduces risk significantly. Not CRITICAL, but worth monitoring.

@anthropic-ai/sdk: two hidden CRITICAL deps

| Package | Maintainers | Downloads/wk | Risk |
| --- | --- | --- | --- |
| json-schema-to-ts | 1 | 17.9M | CRITICAL + stale (632 days since last release) |
| ts-algebra | 1 | 14.9M | CRITICAL + stale (749 days since last release) |

json-schema-to-ts is the Anthropic SDK's only runtime dependency. One maintainer. 17.9 million weekly downloads. No new release in almost two years.

That's the structural profile — sole publisher, massive scale, stalled activity — that preceded the ua-parser-js compromise in 2021 and the axios incident in 2026.

ts-algebra sits one level deeper. Same profile: one maintainer, 14.9 million downloads per week, dormant for over two years.

Neither shows up if you audit only your direct dependencies.

Plus three HIGH-risk deps: standardwebhooks (sole publisher, 8.1M/wk, stale), @stablelib/base64 (8.9M/wk, stale) and fast-sha256 (9.1M/wk, stale). The Anthropic SDK's dependency tree is small but concentrated.

@langchain/core: three CRITICAL transitive paths

| Package | Maintainers | Downloads/wk | Risk |
| --- | --- | --- | --- |
| zod | 1 | 180M | CRITICAL |
| p-timeout | 1 | 37.4M | CRITICAL |
| p-queue | 1 | 26.9M | CRITICAL |

Three CRITICAL transitive dependencies. zod alone: 180 million weekly downloads, one npm publisher. GitHub shows 30+ contributors. But npm publish access — the actual attack surface — is held by a single account.

Plus two HIGH-risk deps: js-tiktoken (sole publisher, 5.5M/wk) and @cfworker/json-schema (sole publisher, 5.2M/wk, stale).

Combined: over 244 million weekly downloads behind single-person publish credentials in LangChain's transitive tree.

The ranking

| Rank | SDK | Critical transitive deps | Worst transitive score |
| --- | --- | --- | --- |
| 1 | openai | 0 | |
| 2 | ai (Vercel AI) | 0 | 71 |
| 3 | @anthropic-ai/sdk | 2 | 57 |
| 4 | @langchain/core | 3 | 59 |

OpenAI wins by having no dependencies at all. Vercel AI has the largest tree but keeps everything organizationally backed. Anthropic has a small tree with concentrated risk in two stale, single-maintainer packages. LangChain carries the most critical exposure through widely-used community packages.

What to do with this

Surface scans aren't enough. The attack surface for your AI application includes every transitive dependency, not just the ones in your package.json.

To check your own project:

```bash
# Scan your lock file (finds transitive deps automatically)
npx proof-of-commitment --file package-lock.json

# Scan a specific SDK at depth 2
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'
```

Or check any package's trust profile at getcommit.dev/npm/zod.
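
How a lock-file walk surfaces the packages a direct-dependency audit misses, as an added example (not getcommit.dev's code): it resolves runtime dependencies in a constructed lockfileVersion 3 file and flags sole-publisher, high-download packages together with the path that pulls them in. The lockfile, the `resolve` and `flagTree` helpers, the thresholds and the depth convention (depth 1 = listed in package.json) are assumptions of this example; the signal values are the ones in the tables above.

```javascript
// Constructed, trimmed package-lock.json (lockfileVersion 3) for a hypothetical app.
const lock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { "@anthropic-ai/sdk": "*", openai: "*" } },
  "node_modules/@anthropic-ai/sdk": { dependencies: { "json-schema-to-ts": "*" } },
  "node_modules/json-schema-to-ts": { dependencies: { "ts-algebra": "*" } },
  "node_modules/ts-algebra": {},
  "node_modules/openai": {},
} };
// Signals copied from the article's tables (staleDays only where the article gives one).
const signals = {
  "@anthropic-ai/sdk": { maintainers: 14, weekly: 18.9e6 },
  openai: { maintainers: 17, weekly: 22.2e6 },
  "json-schema-to-ts": { maintainers: 1, weekly: 17.9e6, staleDays: 632 },
  "ts-algebra": { maintainers: 1, weekly: 14.9e6, staleDays: 749 },
};
// Assumed thresholds for this example; the tool's real scoring is not shown on the page.
const MIN_WEEKLY = 10e6, STALE_DAYS = 365;

// Node-style resolution inside the lockfile: nearest node_modules wins, then walk up.
function resolve(fromPath, name, packages) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional dependency that was skipped)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk over runtime `dependencies`; depth 1 = listed in package.json.
function flagTree(lock, signals) {
  const seen = new Set(), findings = [];
  let frontier = [{ path: "", chain: [] }];
  for (let depth = 1; frontier.length > 0; depth++) {
    const next = [];
    for (const { path, chain } of frontier) {
      for (const name of Object.keys(lock.packages[path].dependencies || {})) {
        const resolved = resolve(path, name, lock.packages);
        if (!resolved || seen.has(resolved)) continue; // missing, or already visited
        seen.add(resolved);
        const via = [...chain, name];
        next.push({ path: resolved, chain: via });
        const s = signals[name];
        if (s && s.maintainers === 1 && s.weekly >= MIN_WEEKLY)
          findings.push({ name, depth, via: via.join(" > "), stale: s.staleDays > STALE_DAYS });
      }
    }
    frontier = next;
  }
  return findings;
}
console.log(flagTree(lock, signals).filter((f) => f.depth > 1));
```

In a real project the `signals` map would be filled from registry metadata (maintainer list, publish times, weekly downloads) rather than hard-coded.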

The data is public. The attack patterns are documented. What you do with it is up to you.


getcommit.dev — behavioral supply chain scoring for npm, PyPI, Cargo, and Go. GitHub.
