DEV Community

Pico

I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.


OpenAI and Vercel AI score clean. Anthropic hides two CRITICAL deps. LangChain has six.


The March 2026 LiteLLM supply chain attack followed a pattern that was visible beforehand: a single maintainer, millions of downloads, no organizational backing. The attack came via a backdoored Trivy GitHub Action in LiteLLM's CI pipeline. Behavioral signals were pointing at the risk before the incident happened.

I built getcommit.dev to surface exactly these signals. This week I ran it against the dependency trees of every major AI SDK to answer a simple question: which one is safest to depend on?

The answer surprised me.

The method

Running npx proof-of-commitment @anthropic-ai/sdk gives you the surface-level score, which covers only the direct package.

The more interesting test is depth 2: scan what the SDK's own dependencies depend on. That's where hidden risk lives.

# Surface scan
npx proof-of-commitment openai @anthropic-ai/sdk @langchain/core ai

# Depth-2 scan
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}'

Surface level: everything looks fine

At depth 1, all four SDKs score healthy:

SDK               Score  Maintainers  Downloads/wk  Risk
openai              91       17          20M/wk     HEALTHY
ai (Vercel AI)      91        4          11M/wk     HEALTHY
@anthropic-ai/sdk   86       14          18M/wk     HEALTHY
@langchain/core     81       13           3M/wk     HEALTHY

Large teams. Active maintenance. All pass. Surface-level tools stop here.

Depth 2: the picture changes

openai: clean tree

Zero critical transitive paths. OpenAI's SDK has minimal dependencies and keeps them organizationally backed. Safest of the four.

ai (Vercel AI SDK): mostly clean

ai             maint=4   11M/wk  HEALTHY
  @ai-sdk/gateway   maint=3  10M/wk  HIGH (new package, <1yr)
  @vercel/oidc      maint=3  11M/wk  HIGH (new package, <1yr)

Two HIGH flags, both Vercel-backed and less than a year old with 10M+ weekly downloads. The organizational backing reduces risk significantly. Not CRITICAL, but worth monitoring.

@anthropic-ai/sdk: two hidden CRITICAL deps

@anthropic-ai/sdk          maint=14  18M/wk  HEALTHY
  json-schema-to-ts         maint=1   16M/wk  CRITICAL, WARN (no release in 12+ months)
    ts-algebra              maint=1   13M/wk  CRITICAL, WARN (no release in 12+ months)

json-schema-to-ts is the Anthropic SDK's only runtime dependency. One maintainer. 16 million weekly downloads. No new release in over 12 months.

That's the structural profile (sole publisher, massive scale, stalled activity) that preceded the ua-parser-js compromise in 2021 and the axios incident in 2026.

ts-algebra is one level deeper. Same profile: one maintainer, 13 million downloads per week, no release in over a year.

Neither shows up if you audit only your direct dependencies.

@langchain/core: six CRITICAL transitive paths

@langchain/core        maint=13  3M/wk   HEALTHY (direct)
  ansi-styles          maint=1   559M/wk CRITICAL
  camelcase            maint=1   143M/wk CRITICAL
  decamelize           maint=1    53M/wk CRITICAL
  p-queue              maint=1    22M/wk CRITICAL
    p-timeout          maint=1    32M/wk CRITICAL
  zod                  maint=1   159M/wk CRITICAL

Six CRITICAL transitive dependencies. Three of them (zod at 159M/wk, ansi-styles at 559M/wk, camelcase at 143M/wk) are downloaded more often than LangChain itself by orders of magnitude.

zod alone: 159 million downloads per week, one npm publisher. GitHub shows 30+ contributors, but npm publish access is more concentrated than that, and the publisher account is the single point of failure.

Any one of these is a high-value target.

The ranking

Rank  SDK                Critical transitive paths
1     openai                       0
2     ai (Vercel AI)               0
3     @anthropic-ai/sdk            2
4     @langchain/core              6

What to do with this

Surface scans aren't enough. The attack surface for your AI application includes every transitive dependency, not just the ones in your package.json.

To check your own project:

# Scan your lock file (finds transitive deps automatically)
npx proof-of-commitment --file package-lock.json

# Scan a specific SDK at depth 2
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@langchain/core", "depth": 2}' | jq '.summary'
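To make the depth-2 method and the lock-file check concrete, here is a self-contained sketch of the transitive walk plus the risk heuristics the post describes (sole publisher at scale, package under a year old, no release in 12+ months). It is an added example, not proof-of-commitment's own code; the package names, counts and dates in REGISTRY are constructed stand-ins for what a registry lookup would return.

```javascript
// Added example: a depth-N transitive walk plus the post's risk heuristics,
// run over constructed package metadata. Not proof-of-commitment's own code.
const DAY = 24 * 60 * 60 * 1000;

// Constructed sample shaped like a registry lookup; every value is illustrative.
const REGISTRY = {
  "demo-sdk":     { maintainers: 14, weeklyDownloads: 18e6,  created: "2020-01-01", lastRelease: "2026-04-20", deps: ["schema-lib", "new-helper"] },
  "schema-lib":   { maintainers: 1,  weeklyDownloads: 16e6,  created: "2019-06-01", lastRelease: "2024-11-01", deps: ["algebra-lib"] },
  "algebra-lib":  { maintainers: 1,  weeklyDownloads: 13e6,  created: "2019-06-01", lastRelease: "2024-10-01", deps: [] },
  "new-helper":   { maintainers: 3,  weeklyDownloads: 10e6,  created: "2025-11-15", lastRelease: "2026-04-01", deps: ["deep-dep"] },
  "deep-dep":     { maintainers: 5,  weeklyDownloads: 2e6,   created: "2018-01-01", lastRelease: "2026-03-01", deps: ["beyond-depth"] },
  "beyond-depth": { maintainers: 1,  weeklyDownloads: 500e6, created: "2015-01-01", lastRelease: "2025-01-01", deps: [] },
};

// Heuristics as the post states them: a sole publisher at scale is CRITICAL,
// a package under a year old is HIGH, and 12+ months without a release adds WARN.
function classify(meta, now) {
  const ageDays = (now - Date.parse(meta.created)) / DAY;
  const staleDays = (now - Date.parse(meta.lastRelease)) / DAY;
  let risk = "HEALTHY";
  if (meta.maintainers === 1 && meta.weeklyDownloads >= 1e6) risk = "CRITICAL";
  else if (ageDays < 365) risk = "HIGH";
  if (staleDays > 365) risk += ", WARN (no release in 12+ months)";
  return risk;
}

// Breadth-first walk to the requested depth; each package is reported once, at the
// shallowest level it is reached, so a shared dep is not double-counted.
function scan(root, depth, registry = REGISTRY, now = Date.parse("2026-05-08")) {
  const level = new Map([[root, 0]]);
  const queue = [root], report = [];
  while (queue.length) {
    const name = queue.shift(), lvl = level.get(name), meta = registry[name];
    // A name missing from the registry is still reported, not silently skipped.
    report.push({ name, level: lvl, risk: meta ? classify(meta, now) : "UNKNOWN" });
    if (!meta || lvl >= depth) continue;
    for (const dep of meta.deps) {
      if (!level.has(dep)) { level.set(dep, lvl + 1); queue.push(dep); }
    }
  }
  return report;
}

// Counterpart of the `.summary` the post pipes through jq: transitive CRITICAL count.
function summary(report) {
  const critical = report.filter((r) => r.level > 0 && r.risk.startsWith("CRITICAL")).length;
  return { scanned: report.length, criticalTransitive: critical };
}

for (const r of scan("demo-sdk", 2)) console.log("  ".repeat(r.level) + `${r.name}  ${r.risk}`);
```

Swap REGISTRY for real registry lookups (maintainer list, download counts, publish dates) and feed the root names from your lock file, and the same walk reproduces the depth-2 reports shown above.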

The data is public. The attack patterns are documented. What you do with it is up to you.


getcommit.dev - behavioral supply chain scoring for npm and PyPI. Open source: github.com/piiiico/proof-of-commitment


Update: 2026-05-08 — LangChain responded in 3 days

I filed GitHub issue #10826 against @langchain/core on 2026-05-05 with the six CRITICAL paths above.

@hntrl from the LangChain team replied three days later and opened PR #10847 — a supply-chain hardening pass that removes three of the six flagged dependencies:

  • ansi-styles (559M/wk) — removed, replaced with local implementation
  • camelcase (143M/wk) — removed, replaced with local implementation in map_keys
  • decamelize (53M/wk) — removed, replaced with local implementation

The PR also adds npm provenance attestation and increases Dependabot update frequency for core libraries.

What remains:

p-queue     maint=1   22M/wk  CRITICAL (still present)
  p-timeout maint=1   32M/wk  CRITICAL (still present)
zod         maint=1  159M/wk  CRITICAL (still present)

The team called these justified: zod and p-queue/p-timeout have no realistic drop-in alternatives for LangChain's use case. That's a defensible tradeoff — the risk is real but the dependency is load-bearing. Single-maintainer risk profile without a swap path is the hardest category.

Score update: 3 of 6 CRITICAL transitive paths resolved. LangChain still ranks last, but the response pattern matters. A structural report triggered a structural fix in 72 hours. That's how this is supposed to work.

The comparison at depth 2 will update automatically as the fix lands in a published release.
