Overview
The DriftScore is a deterministic 0–100 metric that measures how much your codebase has drifted from the latest stable versions across all ecosystems.
Lower score = healthier upgrade posture. 0 means no drift (fully current); 100 means maximum drift. Higher is worse.
Risk Levels
| Score | Risk Level | Visual | Interpretation |
|---|---|---|---|
| 🟢 0–30 | Low | ▓▓░░░░░░░░ | Well maintained, minimal action needed |
| 🟡 31–60 | Moderate | ▓▓▓▓▓░░░░░ | Some attention needed, plan upgrades |
| 🔴 61–100 | High | ▓▓▓▓▓▓▓░░░ | Significant debt, prioritize remediation |
Score Components
The overall score is a weighted combination of four key components:
1. Runtime Score (Weight: 30%)
| Factor | Measurement |
|---|---|
| Version lag | Major versions behind current LTS |
| EOL proximity | Days until end-of-life |
| Support status | Active, maintenance, or EOL |
Example:
- Node.js 20.x → Score: 15/100 (1 major behind 22.x — low drift)
- .NET 6.0 → Score: 30/100 (2 majors behind 8.0, EOL in 6 months — more drift)
2. Framework Score (Weight: 25%)
| Factor | Measurement |
|---|---|
| Version lag | Major versions behind latest stable |
| Breaking changes | Pending deprecations |
| Security patches | Available security updates |
Example:
- React 18.x → Score: 20/100 (1 major behind 19.x — low drift)
- Next.js 13.x → Score: 40/100 (2 majors behind 15.x — more drift)
3. Dependency Score (Weight: 30%)
| Distribution | Score Impact (higher score = more drift) |
|---|---|
| % at current | Lowers score (good) |
| % 1 major behind | Slightly raises score |
| % 2+ majors behind | Raises score |
| % with vulnerabilities | Strongly raises score |
Example Distribution:
Current: 45% ████████░░░░░░░░░
1 behind: 35% ██████░░░░░░░░░░░
2+ behind: 20% ███░░░░░░░░░░░░░░
4. EOL Risk Score (Weight: 15%)
| EOL Timeframe | Score Impact (higher score = more drift) |
|---|---|
| > 12 months | No increase |
| 6–12 months | Minor increase |
| < 6 months | Major increase |
| Already EOL | Critical increase |
Score Calculation Example
╭────────────────────────────────────────────────╮
│ DRIFT SCORE BREAKDOWN │
├────────────────────────────────────────────────┤
│ Overall: 35/100 (Moderate Risk) │
╰────────────────────────────────────────────────╯
┌─ Runtime Score: 15/100 ██░░░░░░░░
│ └─ Node.js 20.x (current: 22.x)
│ Major lag: 2 | EOL: 2027-04-30 (>2 years)
│
├─ Framework Score: 30/100 ███░░░░░░░
│ ├─ React 18.x (current: 19.x) → +10
│ ├─ Next.js 14.x (current: 15.x) → +10
│ └─ TypeScript 5.2 (current: 5.4) → +10
│
├─ Dependency Score: 45/100 █████░░░░░
│ ├─ 120 dependencies analyzed
│ ├─ 54 current (45%)
│ ├─ 42 one major behind (35%)
│ └─ 24 two+ majors behind (20%)
│
└─ EOL Risk Score: 10/100 █░░░░░░░░░
└─ No components within 180 days of EOL
Score Versioning
The scoring algorithm is versioned to ensure reproducibility:
| Version | Algorithm | Changes |
|---|---|---|
v2 | Current | Added dependency velocity |
v1 | Legacy | Original 4-component model |
Note: Score version is recorded in scan artifacts for audit purposes.
Using the Score
In CI Pipelines
# Fail if drift score rises above 40 (drift budget = ceiling)
vg scan --drift-budget 40 --fail-on error
# Fail if score worsens by more than 5%
vg scan --baseline .vibgrate/baseline.json --drift-worsening 5
For Planning
| Score Range | Recommended Action |
|---|---|
| 0–20 | Maintain current practices |
| 21–40 | Schedule upgrade sprint |
| 41–60 | Prioritize in next quarter |
| 61–100 | Immediate remediation |
For Governance
- Establish baseline to track improvement
- Set drift budgets to prevent regression
- Target 30 or below for healthy projects
- Target 20 or below for security-critical systems
Related
- How It Works — Scanning architecture
- Baselines — Tracking drift over time
- CI Integration — Automated enforcement