Skip to main content
Reference

DriftScore

Understand how the DriftScore is calculated and what the risk levels mean.

Overview

The DriftScore is a deterministic 0–100 metric that measures how much your codebase has drifted from the latest stable versions across all ecosystems.

Lower score = healthier upgrade posture. 0 means no drift (fully current); 100 means maximum drift. Higher is worse.


Risk Levels

ScoreRisk LevelVisualInterpretation
🟢 0–30Low▓▓░░░░░░░░Well maintained, minimal action needed
🟡 31–60Moderate▓▓▓▓▓░░░░░Some attention needed, plan upgrades
🔴 61–100High▓▓▓▓▓▓▓░░░Significant debt, prioritize remediation

Score Components

The overall score is a weighted combination of four key components:

1. Runtime Score (Weight: 30%)

FactorMeasurement
Version lagMajor versions behind current LTS
EOL proximityDays until end-of-life
Support statusActive, maintenance, or EOL

Example:

  • Node.js 20.x → Score: 15/100 (1 major behind 22.x — low drift)
  • .NET 6.0 → Score: 30/100 (2 majors behind 8.0, EOL in 6 months — more drift)

2. Framework Score (Weight: 25%)

FactorMeasurement
Version lagMajor versions behind latest stable
Breaking changesPending deprecations
Security patchesAvailable security updates

Example:

  • React 18.x → Score: 20/100 (1 major behind 19.x — low drift)
  • Next.js 13.x → Score: 40/100 (2 majors behind 15.x — more drift)

3. Dependency Score (Weight: 30%)

DistributionScore Impact (higher score = more drift)
% at currentLowers score (good)
% 1 major behindSlightly raises score
% 2+ majors behindRaises score
% with vulnerabilitiesStrongly raises score

Example Distribution:

Current:      45% ████████░░░░░░░░░
1 behind:     35% ██████░░░░░░░░░░░
2+ behind:    20% ███░░░░░░░░░░░░░░

4. EOL Risk Score (Weight: 15%)

EOL TimeframeScore Impact (higher score = more drift)
> 12 monthsNo increase
6–12 monthsMinor increase
< 6 monthsMajor increase
Already EOLCritical increase

Score Calculation Example

╭────────────────────────────────────────────────╮
│  DRIFT SCORE BREAKDOWN                         │
├────────────────────────────────────────────────┤
│  Overall: 35/100 (Moderate Risk)               │
╰────────────────────────────────────────────────╯

┌─ Runtime Score:      15/100  ██░░░░░░░░
│  └─ Node.js 20.x (current: 22.x)
│     Major lag: 2 | EOL: 2027-04-30 (>2 years)
│
├─ Framework Score:    30/100  ███░░░░░░░
│  ├─ React 18.x (current: 19.x) → +10
│  ├─ Next.js 14.x (current: 15.x) → +10
│  └─ TypeScript 5.2 (current: 5.4) → +10
│
├─ Dependency Score:   45/100  █████░░░░░
│  ├─ 120 dependencies analyzed
│  ├─ 54 current (45%)
│  ├─ 42 one major behind (35%)
│  └─ 24 two+ majors behind (20%)
│
└─ EOL Risk Score:     10/100  █░░░░░░░░░
   └─ No components within 180 days of EOL

Score Versioning

The scoring algorithm is versioned to ensure reproducibility:

VersionAlgorithmChanges
v2CurrentAdded dependency velocity
v1LegacyOriginal 4-component model

Note: Score version is recorded in scan artifacts for audit purposes.


Using the Score

In CI Pipelines

# Fail if drift score rises above 40 (drift budget = ceiling)
vg scan --drift-budget 40 --fail-on error

# Fail if score worsens by more than 5%
vg scan --baseline .vibgrate/baseline.json --drift-worsening 5

For Planning

Score RangeRecommended Action
0–20Maintain current practices
21–40Schedule upgrade sprint
41–60Prioritize in next quarter
61–100Immediate remediation

For Governance

  • Establish baseline to track improvement
  • Set drift budgets to prevent regression
  • Target 30 or below for healthy projects
  • Target 20 or below for security-critical systems

Related

Related Documentation