I'm scanning one popular open source repo a day and digging into what's underneath. A CLI scanner reads the codebase in seconds, then I use the output to investigate what's actually going on architecturally.
First up: Dub — YC-backed link management. 20K+ stars.
The scan
$ npx anatomia-cli scan .
dub-monorepo web-app
TypeScript · Next.js · Prisma → MySQL (80 models) · 12 packages
Stack
─────
Language TypeScript
Framework Next.js
Database Prisma → MySQL (80 models)
Auth NextAuth
AI Vercel AI
Payments Stripe
Testing Vitest, Playwright
UI shadcn/ui (Tailwind)
Services Nodemailer · Resend · Vercel Edge Config · React Email
Upstash QStash (+2 more)
Deploy Vercel · GitHub Actions
Workspace Turborepo (pnpm)
Surfaces
────────
web Next.js · Vitest
cli TypeScript
6 seconds. Here's what I found when I started pulling threads.
Dub has a full fraud detection engine
The scan showed 80 Prisma models. That's a lot for a link shortener. So I looked at what those models actually are. The fraud.prisma schema has 14 @relation references — tied with program.prisma for the most connected models in the entire codebase.
There are 6 fraud rule types baked into the schema:
- Customer email matching
- Suspicious email domain detection
- Banned referral source tracking
- Paid traffic detection
- Cross-program partner bans
- Duplicate partner account detection
On the UI side, there are 18 dedicated fraud components — review sheets, severity indicators, fraud event tables per rule type, cross-program summaries. This isn't a checkbox feature. It's a system.
If you think of Dub as a link shortener, none of this makes sense. But Dub runs an affiliate/partner program (Dub Partners) where they pay commissions on referrals. The fraud layer exists to prevent partners from gaming the commission system. The most complex engineering in a "link shortener" is catching people who cheat.
Dub uses Anthropic to generate partner landing pages
The scan flagged AI: Vercel AI — which I didn't expect on a link management tool. I traced the imports. Three files use @ai-sdk/anthropic:
generate-csv-mapping.ts— Uses Claude Sonnet 4.6 to auto-map CSV columns when bulk-importing links. You upload a spreadsheet, Claude figures out which columns are URLs, titles, tags.generate-filters.ts— AI-powered analytics filtering. Instead of clicking through dropdowns, describe what you want to see.generate-lander.ts— This is the interesting one. It uses Anthropic + Firecrawl to scrape a partner's website, then generates a custom landing page for their affiliate program. Automated partner onboarding.
None of this is mentioned in Dub's README or feature list. The scan surfaced it from the dependency tree, and the imports confirmed the usage.
85 environment variables
The .env.example has 85 variables. That's the operational complexity of running Dub yourself. Stripe keys (7 different Stripe-related variables — production, connect, app, sandbox, webhooks). Upstash for Redis, rate limiting, QStash, vector search, AND workflows. Tinybird for analytics. Resend AND SMTP for email. Google and GitHub OAuth. Vercel API keys. Encryption keys. Signing secrets.
If you're evaluating Dub's open source repo for self-hosting, the env file tells you the operational surface area. Many of those variables are optional or for the same service (7 are Stripe alone), but configuring them is the work between cloning and running.
447 .tsx files in a shared UI package
The @dub/ui package has 447 .tsx files — components, hooks, utilities, the full internal design system. If you fork Dub, you're maintaining this alongside the product. That's not a complaint — it's a measure of how much custom UI a link platform at this scale requires.
What I took away
The Prisma schema tells the real story. The most connected models aren't about links. They're about programs, fraud, and money. Dub is an affiliate management platform with fraud detection, AI-generated partner landing pages, and a link shortener as the entry point.
Post 1 of "Scanning Open Source" — one repo per day. Tomorrow: Inbox Zero.
npx anatomia-cli scan . — GitHub
Top comments (1)
Same here. On the surface it looks like a shortener, but once you dig into the codebase you realize the redirect is just the delivery mechanism for something way more interesting. I did a deep dive recently and the architecture is surprisingly clever. If anyone wants to see what's actually happening under the hood, I put together a breakdown here.