Post 4 of "Scanning Open Source."
Today: Formbricks — open source experience management. The "open source Qualtrics alternative."
The scan
$ npx anatomia-cli scan .
formbricks web-app
TypeScript · Next.js · Prisma → PostgreSQL (43 models)
Stack
─────
Language TypeScript
Framework Next.js
Database Prisma → PostgreSQL (43 models)
Auth NextAuth
AI Vercel AI
Payments Stripe
Testing Vitest, Testing Library, Playwright
UI shadcn/ui (Tailwind)
Services AWS S3 · Nodemailer · Sentry · PostHog · i18next (+5 more)
Deploy Docker · GitHub Actions
Workspace Turborepo (pnpm)
⚠ ~76 of 97 API route files may lack input validation
4 seconds. One surface, 17 packages. The scan output shows ⚠ ~76 of 97 API route files may lack input validation — worth noting that Formbricks uses server actions and tRPC for most business logic, so many of those routes validate through middleware the scanner can't see at the file level.
Here's what I found underneath.
The embeddable SDK has bot detection
Survey responses are data. Data at scale attracts bots. If you're collecting NPS from millions of users or running market research, bot responses poison your results.
Buried in @formbricks/js-core — a 57-file JavaScript runtime that loads asynchronously into customer websites — there's Google reCAPTCHA. loadRecaptchaScript dynamically injects the reCAPTCHA script, and the SDK calls grecaptcha.execute with action tracking before submitting responses. Client-side bot detection, before the response even reaches the server.
Most survey tools handle this server-side or not at all. Formbricks handles it in the client SDK that renders inside other people's products.
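The reCAPTCHA token that grecaptcha.execute produces in the client is only evidence once the server exchanges it with Google's siteverify endpoint and checks the result, so the client-side call above always has a server-side half. The following is an added example, not Formbricks code, of that server-side decision: it applies a policy (expected action, allowed hostnames, minimum score) to a siteverify response. The response fields used (success, score, action, hostname, error-codes) are the documented reCAPTCHA v3 format; the policy values and hostnames are constructed for the example.

```typescript
// Added example, not from the Formbricks repository: server-side evaluation of a reCAPTCHA v3
// siteverify response. Policy values below are constructed for illustration.

interface SiteVerifyResponse {
  success: boolean;
  score?: number;          // 0.0 (likely bot) .. 1.0 (likely human); v3 only
  action?: string;         // the action name the client passed to grecaptcha.execute
  hostname?: string;       // the site on which the token was solved
  challenge_ts?: string;
  "error-codes"?: string[];
}

interface VerifyPolicy {
  expectedAction: string;
  allowedHostnames: string[];
  minScore: number;
}

type Verdict = { allow: true; score: number } | { allow: false; reason: string };

export function evaluateRecaptcha(resp: SiteVerifyResponse, policy: VerifyPolicy): Verdict {
  if (!resp.success) {
    return { allow: false, reason: `siteverify failed: ${(resp["error-codes"] ?? ["unknown"]).join(",")}` };
  }
  // A token minted for a different action (say, a page view) must not authorise a submission.
  if (resp.action !== policy.expectedAction) {
    return { allow: false, reason: `action mismatch: ${resp.action ?? "none"}` };
  }
  // Tokens are bound to the hostname they were solved on; reject ones from elsewhere.
  if (!resp.hostname || !policy.allowedHostnames.includes(resp.hostname)) {
    return { allow: false, reason: `hostname not allowed: ${resp.hostname ?? "none"}` };
  }
  if (typeof resp.score !== "number" || Number.isNaN(resp.score)) {
    return { allow: false, reason: "missing score" };
  }
  if (resp.score < policy.minScore) {
    return { allow: false, reason: `score ${resp.score} below threshold ${policy.minScore}` };
  }
  return { allow: true, score: resp.score };
}

// The exchange the server performs before calling evaluateRecaptcha; a network call, so it is
// shown for completeness and not exercised offline.
export async function verifyWithGoogle(token: string, secret: string, remoteIp?: string): Promise<SiteVerifyResponse> {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  const r = await fetch("https://www.google.com/recaptcha/api/siteverify", { method: "POST", body: params });
  return (await r.json()) as SiteVerifyResponse;
}
```

For an SDK that renders inside other people's products, the hostname allow-list is the part to think about: the set of sites a survey may legitimately be answered from is per-survey configuration, not a single value, and a low score is better treated as a signal on the response (flag it for the analysis layer) than silently dropped, so that the thresholds can be tuned against real traffic.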
The AI analyzes the data the bot detection protects
The scan flagged AI: Vercel AI. There's a dedicated @formbricks/ai package — 13 source files with pluggable adapters for AWS Bedrock, Azure, and Google Vertex, per-provider validation, a 50-entry language model cache, and typed error handling.
What connects the bot detection to the AI layer: Formbricks uses AI to analyze survey responses ("Smart Tools" and "Data Analysis" — two separate capabilities, each independently toggleable per organization). If the responses are poisoned by bots, the AI analysis is garbage. The bot detection isn't a nice-to-have. It protects the data that the AI layer depends on.
The AI goes through two permission layers before any model call — a license check (getIsAISmartToolsEnabled) and an instance configuration check (isInstanceAIConfigured). Enterprise-grade gating on an AI layer that most open source projects don't have at all.
19 languages for the survey UI itself
34 locale files covering 19 languages — Arabic, Chinese, Hindi, Japanese, Russian, and 14 more. These aren't admin panel translations. These are the strings your end users see when they fill out a survey. If you're deploying surveys globally, the survey renders in the respondent's language natively.
Infrastructure extracted into standalone packages
Formbricks split foundational concerns into packages with their own test suites: @formbricks/cache (Redis with Result-type error handling), @formbricks/storage (signed upload/download URLs), @formbricks/jobs (BullMQ with typed contracts), @formbricks/logger (Pino). 1,976 source files, 534 test files — individual package-level testing at a granularity that's uncommon in open source.
What this tells you
The thread through Formbricks is data integrity. Bot detection protects the collection layer. AI gating protects the analysis layer. The 19 languages ensure the collection reaches a global audience accurately. The infrastructure packages ensure the pipeline between collection and analysis is reliable. Every architectural decision connects back to one concern: the survey responses need to be real, and the analysis needs to be trustworthy.
Post 4 of "Scanning Open Source." Tomorrow: Documenso — the first clean scan in the series.
npx anatomia-cli scan . — GitHub