Dependency Drift
Dependency drift is the growing gap between the dependency versions a project declares and the current, supported releases of those packages.
Dependency drift is the version distance between the packages a project actually installs — recorded in its lockfile — and the current, supported releases of those packages. It is the most measurable form of code drift.
How It Accumulates
Dependencies are pinned to ship a release, and each skipped update widens the gap by a predictable amount — a distance you can measure in versions or in libyears. Old versions keep working, so nothing forces the upgrade until a vulnerability lands in a version you still run, or a runtime reaches end of life.
Measuring and Capping It
Because dependency drift is mechanical, it can be scored: Vibgrate reads manifests and lockfiles across ~19 ecosystems and produces a deterministic 0–100 DriftScore, with per-dependency findings and the CVEs hiding in stale versions. In CI, a drift budget (for example --drift-budget 40) fails the build when the score crosses the ceiling, so drift cannot quietly grow back after a cleanup.
Related Terms
Dependency drift is one axis of code drift; it is measured against the lockfile, quantified by DriftScore and libyear, and becomes urgent as packages approach end of life.