Skip to main content

Dependency Drift

Dependency drift is the growing gap between the dependency versions a project declares and the current, supported releases of those packages.

Dependency drift is the version distance between the packages a project actually installs — recorded in its lockfile — and the current, supported releases of those packages. It is the most measurable form of code drift.

How It Accumulates

Dependencies are pinned to ship a release, and each skipped update widens the gap by a predictable amount — a distance you can measure in versions or in libyears. Old versions keep working, so nothing forces the upgrade until a vulnerability lands in a version you still run, or a runtime reaches end of life.

Measuring and Capping It

Because dependency drift is mechanical, it can be scored: Vibgrate reads manifests and lockfiles across ~19 ecosystems and produces a deterministic 0–100 DriftScore, with per-dependency findings and the CVEs hiding in stale versions. In CI, a drift budget (for example --drift-budget 40) fails the build when the score crosses the ceiling, so drift cannot quietly grow back after a cleanup.

Related Terms

Dependency drift is one axis of code drift; it is measured against the lockfile, quantified by DriftScore and libyear, and becomes urgent as packages approach end of life.