I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.
Current Situation Analysis
Traditional dependency auditing tools operate at a superficial layer, stopping at direct dependencies (package.json). This creates a critical blind spot: the attack surface for modern AI applications extends deep into transitive dependency trees where hidden risk accumulates unnoticed.
The failure mode is structural. High-download packages with single maintainers, stalled release cadences, and concentrated npm publish access create a single point of failure that surface-level health metrics completely miss. Incidents like the March 2026 LiteLLM supply chain attack, the ua-parser-js compromise, and the axios incident all followed a predictable behavioral pattern before exploitation: massive download velocity, minimal organizational backing, and dormant maintenance. Relying on depth-1 scans or basic contributor counts fails to detect these signals, leaving production systems exposed to CI pipeline backdoors and compromised publisher accounts.
WOW Moment: Key Findings
Depth-2 recursive scanning reveals a stark divergence between surface-level health and actual transitive risk. While all major AI SDKs appear healthy at depth-1, deeper inspection exposes concentrated publisher bottlenecks and dormant high-velocity packages that drastically alter the risk profile.
| SDK | Depth-1 Score | Critical Transitive Paths | Key Risk Indicators | Overall Risk Profile |
|---|---|---|---|---|
| openai | 91 | 0 | Minimal deps, org-backed | HEALTHY |
| ai (Vercel AI) | 91 | 0 | 2 new high-download packages (<1yr) | MOSTLY CLEAN |
| @anthropic-ai/sdk | 86 | 2 | Sole publisher, 16M/13M wk downloads, 12mo+ stall | HIGH RISK |
| @langchain/core | 81 | 6 | 3 deps >100M wk downloads, single npm publishers | CRITICAL |
Key Finding: The sweet spot for supply chain resilience lies in combining behavioral signal analysis (publisher concentration, release cadence, download velocity) with depth-2 dependency graph traversal. Surface scores are misleading; transitive publisher access is the true attack vector.
Core Solution
The solution shifts from static dependency listing to behavioral supply chain scoring. proof-of-commitment recursively maps dependency trees, flags structural risk patterns, and correlates npm publisher access with download velocity. Implementation relies on two primary scanning modes: direct package surface scanning and depth-2 transitive graph analysis via API or lockfile parsing.
```bash
# Surface scan
npx proof-of-commitment openai @anthropic-ai/sdk @langchain/core ai

# Depth-2 scan
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'
```
Surface scan output:

| SDK | Score | Maintainers | Downloads/wk | Risk |
|---|---|---|---|---|
| openai | 91 | 17 | 20M/wk | HEALTHY |
| ai (Vercel AI) | 91 | 4 | 11M/wk | HEALTHY |
| @anthropic-ai/sdk | 86 | 14 | 18M/wk | HEALTHY |
| @langchain/core | 81 | 13 | 3M/wk | HEALTHY |

Depth-2 scan output (each SDK's own row is marked "direct"; the rows under it are its transitive packages):

| SDK | Package | Maintainers | Downloads/wk | Risk |
|---|---|---|---|---|
| ai | ai (direct) | 4 | 11M/wk | HEALTHY |
| ai | @ai-sdk/gateway | 3 | 10M/wk | HIGH (new package, <1yr) |
| ai | @vercel/oidc | 3 | 11M/wk | HIGH (new package, <1yr) |
| @anthropic-ai/sdk | @anthropic-ai/sdk (direct) | 14 | 18M/wk | HEALTHY |
| @anthropic-ai/sdk | json-schema-to-ts | 1 | 16M/wk | CRITICAL, WARN (no release in 12+ months) |
| @anthropic-ai/sdk | ts-algebra | 1 | 13M/wk | CRITICAL, WARN (no release in 12+ months) |
| @langchain/core | @langchain/core (direct) | 13 | 3M/wk | HEALTHY |
| @langchain/core | ansi-styles | 1 | 559M/wk | CRITICAL |
| @langchain/core | camelcase | 1 | 143M/wk | CRITICAL |
| @langchain/core | decamelize | 1 | 53M/wk | CRITICAL |
| @langchain/core | p-queue | 1 | 22M/wk | CRITICAL |
| @langchain/core | p-timeout | 1 | 32M/wk | CRITICAL |
| @langchain/core | zod | 1 | 159M/wk | CRITICAL |

Ranking by critical transitive paths:

| Rank | SDK | Critical transitive |
|---|---|---|
| 1 | openai | 0 |
| 2 | ai (Vercel AI) | 0 |
| 3 | @anthropic-ai/sdk | 2 |
| 4 | @langchain/core | 6 |
```bash
# Scan your lock file (finds transitive deps automatically)
npx proof-of-commitment --file package-lock.json

# Scan a specific SDK at depth 2
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}' | jq '.summary'
```
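As an added example (not code from proof-of-commitment or from this article), the Node.js script below reproduces the two mechanics behind the depth-2 lockfile scan: resolving transitive dependencies from a lockfileVersion 3 package-lock.json, including npm's walk-up lookup for nested node_modules directories, and applying the behavioural rules visible in the output above (single publisher plus high download velocity, package age under a year, and a 12-month release stall). The lockfile fragment, the created/lastRelease dates, the 2026-04-01 scan date and the 10M/week velocity threshold are constructed assumptions; the maintainer counts and weekly download figures reuse the scan output above.

```javascript
// Added example, not proof-of-commitment's code; every input below is constructed.
const MS_PER_DAY = 86_400_000;
const HIGH_VELOCITY = 10_000_000; // assumed "high download velocity" cut-off, not the tool's
const YEAR_DAYS = 365;            // serves both the "12+ months" stall and the "<1yr" age rule

// Constructed lockfileVersion 3 "packages" map: keys are node_modules paths, "" is the project root, and json-schema-to-ts is nested under the Anthropic SDK to exercise walk-up resolution.
const LOCKFILE = {
  packages: {
    "": { dependencies: { "@langchain/core": "^0.3.0", "@anthropic-ai/sdk": "^0.40.0", ai: "^4.0.0" } },
    "node_modules/@langchain/core": { version: "0.3.0", dependencies: { "p-queue": "^6.6.2" } },
    "node_modules/p-queue": { version: "6.6.2", dependencies: { "p-timeout": "^3.2.0" } },
    "node_modules/p-timeout": { version: "3.2.0" },
    "node_modules/@anthropic-ai/sdk": { version: "0.40.0", dependencies: { "json-schema-to-ts": "^3.0.0" } },
    "node_modules/@anthropic-ai/sdk/node_modules/json-schema-to-ts": { version: "3.0.0", dependencies: { "ts-algebra": "^2.0.0" } },
    "node_modules/ts-algebra": { version: "2.0.0" },
    "node_modules/ai": { version: "4.0.0", dependencies: { "@vercel/oidc": "^1.0.0" } },
    "node_modules/@vercel/oidc": { version: "1.0.0" },
  },
};

// Constructed registry metadata: maintainer counts and weekly downloads mirror the scan output above; the created/lastRelease dates are invented for the demo.
const REGISTRY = {
  "@langchain/core":   { maintainers: 13, weeklyDownloads: 3_000_000,  created: "2023-11-01", lastRelease: "2026-03-15" },
  "p-queue":           { maintainers: 1,  weeklyDownloads: 22_000_000, created: "2016-01-01", lastRelease: "2025-06-01" },
  "p-timeout":         { maintainers: 1,  weeklyDownloads: 32_000_000, created: "2016-01-01", lastRelease: "2025-06-01" },
  "@anthropic-ai/sdk": { maintainers: 14, weeklyDownloads: 18_000_000, created: "2023-07-01", lastRelease: "2026-03-20" },
  "json-schema-to-ts": { maintainers: 1,  weeklyDownloads: 16_000_000, created: "2020-01-01", lastRelease: "2024-09-01" },
  "ts-algebra":        { maintainers: 1,  weeklyDownloads: 13_000_000, created: "2021-01-01", lastRelease: "2024-09-01" },
  ai:                  { maintainers: 4,  weeklyDownloads: 11_000_000, created: "2023-06-01", lastRelease: "2026-03-25" },
  "@vercel/oidc":      { maintainers: 3,  weeklyDownloads: 11_000_000, created: "2025-09-01", lastRelease: "2026-03-25" },
};

// npm resolution: try fromKey's own node_modules, then walk up one level at a time to the top.
function resolveDep(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from a root SDK down to maxDepth; a shared package is reported once, at the shallowest depth that reached it.
function walk(lockfile, rootName, maxDepth) {
  const rootKey = resolveDep(lockfile.packages, "", rootName);
  if (!rootKey) throw new Error(`${rootName} is not in the lockfile`);
  const seen = new Set([rootKey]);
  const out = [{ key: rootKey, name: rootName, depth: 0, via: null }];
  for (let i = 0; i < out.length; i++) { // out doubles as the BFS queue
    const node = out[i];
    if (node.depth >= maxDepth) continue;
    for (const dep of Object.keys(lockfile.packages[node.key].dependencies || {})) {
      const key = resolveDep(lockfile.packages, node.key, dep);
      if (!key || seen.has(key)) continue;
      seen.add(key);
      out.push({ key, name: dep, depth: node.depth + 1, via: node.name });
    }
  }
  return out;
}

// Behavioural rules from the article: single maintainer + high velocity is CRITICAL, under a year old + high velocity is HIGH, a 12-month release stall adds a WARN.
function scoreRisk(meta, now) {
  const ageDays = (now - Date.parse(meta.created)) / MS_PER_DAY;
  const sinceRelease = (now - Date.parse(meta.lastRelease)) / MS_PER_DAY;
  const warnings = [];
  if (sinceRelease >= YEAR_DAYS) warnings.push("no release in 12+ months");
  if (ageDays < YEAR_DAYS) warnings.push("new package, <1yr");
  let risk = "HEALTHY";
  if (meta.maintainers === 1 && meta.weeklyDownloads >= HIGH_VELOCITY) risk = "CRITICAL";
  else if (ageDays < YEAR_DAYS && meta.weeklyDownloads >= HIGH_VELOCITY) risk = "HIGH";
  return { risk, warnings };
}

// Score the depth-limited graph. The root SDK is listed at depth 0 but only transitive packages count toward the summary a pipeline gate acts on.
function assess(lockfile, registry, rootName, maxDepth, now) {
  const rows = walk(lockfile, rootName, maxDepth).map((node) => {
    const meta = registry[node.name];
    const scored = meta ? scoreRisk(meta, now) : { risk: "UNKNOWN", warnings: ["no registry metadata"] };
    return { ...node, maintainers: meta ? meta.maintainers : null, ...scored };
  });
  const transitive = rows.filter((r) => r.depth > 0);
  const summary = {
    critical: transitive.filter((r) => r.risk === "CRITICAL").length,
    high: transitive.filter((r) => r.risk === "HIGH").length,
    stale: transitive.filter((r) => r.warnings.includes("no release in 12+ months")).length,
  };
  return { root: rootName, rows, summary };
}

// CI gate: pass only while the critical transitive count stays within budget (default zero).
const gate = (report, maxCritical = 0) => report.summary.critical <= maxCritical;

const SCAN_DATE = Date.parse("2026-04-01"); // constructed scan date
for (const sdk of ["@langchain/core", "@anthropic-ai/sdk", "ai"]) {
  const report = assess(LOCKFILE, REGISTRY, sdk, 2, SCAN_DATE);
  console.log(sdk, report.summary, gate(report) ? "PASS" : "FAIL");
}
```

Run with `node` and it prints one summary and a PASS/FAIL verdict per SDK; the depth-1 versus depth-2 difference is visible by changing the `maxDepth` argument, since p-timeout and ts-algebra only appear at depth 2. In a real pipeline the REGISTRY map would be filled from the npm registry's package document (its maintainers and time fields) and the downloads API rather than inlined, and the `gate` result is what a CI step turns into a non-zero exit code.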
Pitfall Guide
- Depth-1 Blind Spot: Auditing only direct dependencies ignores the transitive attack surface where compromised publishers and dormant packages actually reside.
- Publisher Concentration Illusion: Assuming that GitHub contributor count equals decentralized control. npm publish access is the true single point of failure: a package with 30+ contributors can still be compromised through a single publisher account.
- Stalled Popularity Trap: High download velocity combined with zero recent releases (12+ months) indicates a dormant but high-value target. Attackers prioritize these packages due to guaranteed impact and reduced maintainer vigilance.
- Organizational Backing Complacency: Assuming Vercel or OpenAI backing eliminates risk. New packages (<1yr) with massive download velocity still carry exposure and require monitoring despite organizational support.
- CI Pipeline Trust Fallacy: Assuming CI tools (e.g., Trivy GitHub Actions) are inherently safe. CI pipelines inherit their own supply chain risks; a backdoored action can compromise the entire build process regardless of SDK health.
- Lockfile Ignorance: Failing to scan package-lock.json or pnpm-lock.yaml leaves transitive dependencies unmonitored in production environments, creating gaps between development and deployment security postures.
Deliverables
- Supply Chain Risk Assessment Blueprint: A structured framework for mapping behavioral signals (publisher concentration, release cadence, download velocity) against transitive dependency trees. Includes decision matrices for SDK selection and migration pathways.
- Transitive Dependency Security Checklist: A 12-point verification protocol covering depth-2 scanning, lockfile integrity validation, publisher access auditing, and CI pipeline supply chain verification.
- CI/CD Configuration Template: Ready-to-deploy GitHub Actions and GitLab CI snippets integrating proof-of-commitment depth-2 scans, automated threshold alerts, and jq-formatted summary reporting for pipeline gates.
