Skip to main content
DevOps6 min read

Three scores, one decision: how Vibgrate measures drift and risk

DriftScore, RiskScore, and DriftRisk™ — what each measures, why they're deliberately separate, and how the libyear backbone and the KEV override make them trustworthy.

Three numbers, one decision

Most tools give you a wall of findings. Vibgrate gives you three numbers, because three is what it takes to answer the two questions engineering leaders actually ask — how far behind are we? and how exposed are we right now? — and then turn both into a single call on whether to act.

  • DriftScore measures maintainability: how far your runtimes, frameworks, and dependencies have drifted from current, supported baselines. 0 is fully current; 100 is maximally drifted.
  • RiskScore measures security and business exposure: known-exploited and likely-exploited vulnerabilities, end-of-life runtimes, weighted by how business-critical the code is. Higher is worse.
  • DriftRisk™ is the headline that blends the two into one pressure-to-act number — always shown next to the two scores it comes from.

They are deliberately separate. A stale package with no known vulnerability is drift, not an emergency. A current package with an actively-exploited CVE is an emergency, not drift. Collapsing those into one number hides exactly the distinction you need.

DriftScore: drift measured in time, not just versions

"Two major versions behind" means something very different for a package that ships yearly than for one that ships weekly. So DriftScore's dependency signal is built on the libyear — the calendar time between the version you run and the latest stable release (Cox et al., ICSE 2015). Time is comparable across ecosystems in a way that version counts are not.

Each dependency blends time distance and version distance, with floors that cannot be averaged away: an end-of-life major floors the dependency's drift, and the portfolio aggregate keeps a 95th-percentile term so one eight-year-old transitive dependency does not vanish behind hundreds of fresh ones. Every score is stamped Verified (release-date data available) or Estimated (version-only), and carries the commit and snapshot date it was computed from.

Run it yourself — no account, nothing uploaded:

Terminal
npx @vibgrate/cli scan

Post-install, a bare vg scans the current directory.

RiskScore: exploitation-aware, not severity-only

RiskScore follows the modern prioritisation consensus — CISA KEV, then EPSS, then business context. Severity comes from CVSS, likelihood from EPSS, and membership in CISA's Known Exploited Vulnerabilities catalog overrides likelihood to "actively exploited" and floors the score high. End-of-life runtimes and deprecated packages add exposure; a business-criticality weight makes the same CVE matter more in a payment service than in an internal demo. Independent findings combine so that many small issues never outweigh a single actively-exploited one.

DriftRisk™: one number for how hard to act

DriftRisk blends the two axes and adds one correction that matters more than the weights: an actively-exploited vulnerability is never washed out by a current stack. If RiskScore is critical, DriftRisk is high — full stop — even when your upgrade debt is low. That is the difference between a headline you can trust and one that lulls you.

The formulas, bands, and worked examples are published in full. DriftRisk™ is a trademark of Vibgrate, but the algorithm is open source — the name is protected, the method is not. DriftScore and RiskScore are not trademarked at all.

The point of three numbers is a faster decision: know how far behind you are, how exposed you are, and how hard to act — before you approve the next sprint.

Vibgrate CLI

See a real scan run

A replay of the actual CLI running against our test repositories — live progress, real findings, a genuine DriftScore. Nothing executes in your browser.

Replay
demo@vibgrate — bash
npx @vibgrate/cli scan
 
╭──────────────────────────────────────────╮
Vibgrate Drift Report
╰──────────────────────────────────────────╯
 
── node-turborepo (node) .
Runtime: >=18.0.0 (6 majors behind)
Frameworks:
Turbo: 1.13.4 → 2.10.4 (1 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Dependencies:
1 current 1 1-behind 3 2+ behind 1 unknown
 
── @repo/admin (node) apps/admin
Frameworks:
TanStack Query: 5.101.2 → 5.101.2 (current)
React: 18.3.1 → 19.2.7 (1 behind)
React DOM: 18.3.1 → 19.2.7 (1 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Vite: 5.4.21 → 8.1.4 (3 behind)
Dependencies:
4 current 8 1-behind 3 2+ behind 4 unknown
 
── @repo/api (node) apps/api
Frameworks:
Express: 4.22.2 → 5.2.1 (1 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Vitest: 1.6.1 → 4.1.10 (3 behind)
Dependencies:
7 current 5 1-behind 3 2+ behind 4 unknown
 
── @repo/web (node) apps/web
Frameworks:
Next.js: 14.2.35 → 16.2.10 (2 behind)
React: 18.3.1 → 19.2.7 (1 behind)
React DOM: 18.3.1 → 19.2.7 (1 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Dependencies:
2 current 6 1-behind 3 2+ behind 5 unknown
 
── @repo/config (node) packages/config
Frameworks:
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Dependencies:
2 current 2 1-behind 5 2+ behind 0 unknown
 
── @repo/types (node) packages/types
Frameworks:
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Dependencies:
0 current 0 1-behind 1 2+ behind 1 unknown
 
── @repo/database (node) packages/database
Frameworks:
Prisma: 5.22.0 → 7.8.0 (2 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Dependencies:
1 current 0 1-behind 3 2+ behind 1 unknown
 
── @repo/ui (node) packages/ui
Frameworks:
React: 18.3.1 → 19.2.7 (1 behind)
TypeScript: 5.9.3 → 7.0.2 (2 behind)
React: 18.3.1 → 19.2.7 (1 behind)
Dependencies:
1 current 4 1-behind 1 2+ behind 1 unknown
 
── @repo/utils (node) packages/utils
Frameworks:
TypeScript: 5.9.3 → 7.0.2 (2 behind)
Vitest: 1.6.1 → 4.1.10 (3 behind)
Dependencies:
0 current 1 1-behind 2 2+ behind 1 unknown
 
Tech Stack
Frontend: React, React DOM
Meta-frameworks: Next.js
Bundlers: tsx, Turbo, Vite
CSS / UI: Autoprefixer, PostCSS, Tailwind CSS
Backend: Express
ORM / Database: Prisma, Prisma Client
Testing: Vitest
Lint & Format: ESLint, ESLint Prettier, ESLint React, Prettier, typescript-eslint
 
Services & Integrations
Auth: JWT 9.0.3
Databases: Prisma 5.22.0
 
TypeScript
v5.3.3 · strict ✔ · MIXED · target: ES2022
 
Build & Deploy
Package Managers: pnpm
Monorepo: npm-workspaces, pnpm-workspaces, turbo
 
Product Purpose Signals
Frameworks: react, nextjs
Evidence: 177
Top Signals:
- [heading] Dashboard (apps/admin/src/pages/Dashboard.tsx)
- [title] Revenue Overview (apps/admin/src/pages/Dashboard.tsx)
- [copy] workspace:* (packages/ui/package.json)
- [copy] ./dist (packages/ui/tsconfig.json)
- [copy] ./src/index.ts (packages/ui/package.json)
- [copy] @repo/config/tsconfig-base.json (packages/ui/tsconfig.json)
- [copy] @repo/ui (packages/ui/package.json)
- [copy] #3b82f6 (apps/admin/src/pages/Dashboard.tsx)
Unknowns:
- No pricing or billing evidence found.
- No integrations/connectors evidence found.
- No route structure evidence found.
 
Security Posture
Lockfile ✖ · .env ✔ · node_modules ✔
 
Platform
Native modules: turbo
 
Code Quality
Files: 36 · Functions: 183 · Avg complexity: 2.62 · Avg length: 21.13 lines
Max nesting: 2 · Circular deps: 0 · Dead code: 0%
God files: apps/admin/src/pages/Products (448 lines)
 
Findings (16 errors, 11 warnings)
Node.js runtime ">=18.0.0" reached end-of-life on 2025-04-30 (latest: 24.0.0).
vibgrate/runtime-eol in .
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in .
60% of dependencies are 2+ major versions behind in node-turborepo.
vibgrate/dependency-rot in .
@types/node is 6 major versions behind (spec: ^20.11.0, latest: 26.1.1).
vibgrate/dependency-major-lag in .
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in apps/admin
Vite is 3 major versions behind (current: 5.4.21, latest: 8.1.4).
vibgrate/framework-major-lag in apps/admin
vite is 3 major versions behind (spec: ^5.0.12, latest: 8.1.4).
vibgrate/dependency-major-lag in apps/admin
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in apps/api
Vitest is 3 major versions behind (current: 1.6.1, latest: 4.1.10).
vibgrate/framework-major-lag in apps/api
@types/node is 6 major versions behind (spec: ^20.11.0, latest: 26.1.1).
vibgrate/dependency-major-lag in apps/api
vitest is 3 major versions behind (spec: ^1.2.1, latest: 4.1.10).
vibgrate/dependency-major-lag in apps/api
Next.js is 2 major versions behind (current: 14.2.35, latest: 16.2.10).
vibgrate/framework-major-lag in apps/web
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in apps/web
@types/node is 6 major versions behind (spec: ^20.11.0, latest: 26.1.1).
vibgrate/dependency-major-lag in apps/web
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in packages/config
56% of dependencies are 2+ major versions behind in @repo/config.
vibgrate/dependency-rot in packages/config
eslint-plugin-react-hooks is 3 major versions behind (spec: ^4.6.0, latest: 7.1.1).
vibgrate/dependency-major-lag in packages/config
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in packages/types
100% of dependencies are 2+ major versions behind in @repo/types.
vibgrate/dependency-rot in packages/types
Prisma is 2 major versions behind (current: 5.22.0, latest: 7.8.0).
vibgrate/framework-major-lag in packages/database
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in packages/database
75% of dependencies are 2+ major versions behind in @repo/database.
vibgrate/dependency-rot in packages/database
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in packages/ui
TypeScript is 2 major versions behind (current: 5.9.3, latest: 7.0.2).
vibgrate/framework-major-lag in packages/utils
Vitest is 3 major versions behind (current: 1.6.1, latest: 4.1.10).
vibgrate/framework-major-lag in packages/utils
67% of dependencies are 2+ major versions behind in @repo/utils.
vibgrate/dependency-rot in packages/utils
vitest is 3 major versions behind (spec: ^1.2.1, latest: 4.1.10).
vibgrate/dependency-major-lag in packages/utils
 
╭──────────────────────────────────────────╮
Top Priority Actions
╰──────────────────────────────────────────╯
 
1. Upgrade EOL runtime in node-turborepo
End-of-life runtimes no longer receive security patches and block ecosystem upgrades.
./.
>=18.0.0 → 24.0.0 (6 majors behind)
Impact: −10 drift points (runtime & EOL)
 
2. Fix security posture: no lockfile found
Without a lockfile, installs are non-deterministic. Run the install command to generate one and commit it.
./
Missing: package-lock.json, pnpm-lock.yaml, or yarn.lock
 
3. Upgrade Vite 5.4.21 → 8.1.4 in @repo/admin (+2 more)
3 major versions behind. Major framework drift increases breaking change risk and blocks access to security fixes and performance improvements.
./apps/admin
Vite: 5.4.21 → 8.1.4 (3 majors behind)
./apps/api
Vitest: 1.6.1 → 4.1.10 (3 majors behind)
./packages/utils
Vitest: 1.6.1 → 4.1.10 (3 majors behind)
Impact: −5–15 drift points
 
4. Reduce dependency rot in @repo/types (100% severely outdated)
1 of 1 dependencies are 2+ majors behind. Run `npm outdated` and prioritise packages with known CVEs or breaking API changes.
./packages/types
typescript: 5.9.3 → 7.0.2 (2 majors behind)
Impact: −5–10 drift points
 
5. Reduce dependency rot in @repo/database (75% severely outdated)
3 of 4 dependencies are 2+ majors behind. Run `npm outdated` and prioritise packages with known CVEs or breaking API changes.
./packages/database
@prisma/client: 5.22.0 → 7.8.0 (2 majors behind)
prisma: 5.22.0 → 7.8.0 (2 majors behind)
typescript: 5.9.3 → 7.0.2 (2 majors behind)
Impact: −5–10 drift points
 
╭──────────────────────────────────────────╮
Architecture Layers
╰──────────────────────────────────────────╯
 
Archetype: monorepo (80% confidence)
Files classified: 29 (6 unclassified)
 
presentation 9 files drift ████████████████████ 100 risk high
routing 4 files drift ████████████████████ 100 risk high
middleware 2 files drift ███████▍░░░░░░░░░░░░ 37 risk moderate
domain 4 files drift ████████████████████ 100 risk high
data-access 2 files drift ████████████████████ 100 risk high
infrastructure 0 files drift ░░░░░░░░░░░░░░░░░░░░ 0 risk none
config 3 files drift ░░░░░░░░░░░░░░░░░░░░ 0 risk none
shared 5 files drift ████████████████████ 100 risk high
testing 0 files drift ████████████████████ 100 risk high
 
╭──────────────────────────────────────────╮
DriftScore Summary
╰──────────────────────────────────────────╯
 
DriftScore: 76/100
Risk Level: HIGH
Projects: 9
Classified: 8 nano · 1 micro · 0 small · 0 standard
Billable: 0.42 · 9 detected → 0.42 billable projects (micro-project pricing)
0.1 micro · 0.32 nano
These fractions add up across repositories, then round down to whole billable projects.
 
Score Breakdown
Runtime: ████████████████████ 100
Frameworks: █████████▏░░░░░░░░░░ 46
Dependencies: ██████████████████▍ 92
EOL Risk: ████████████████████ 100
 
Scanned at 2026-07-11T21:07:49.557Z · 27.1s · 285 files scanned · 56 workspace files · 27 dirs
Press Run to start.