Depsly Research

Original research on dependency governance, structural risk, and reviewability

Research findings from 100 JavaScript and TypeScript repositories

State of Dependency Governance 2026

Most organizations do not just have a vulnerability problem. They have a dependency governance problem. This report benchmarks dependency depth, transitive complexity, concentration hotspots, and review readiness across 100 real projects.

100 repositories analyzed

83% crossed the deep-graph threshold

41% showed a concentration hotspot

94% produced nontrivial review work

Preview findings

Why dependency governance deserves its own lens

Vulnerability lists do not explain how reviewable, traceable, or governable a dependency graph really is. This report focuses on the structural signals that shape real review work.

Finding 1

The median repository contained 1570.5 dependency nodes.

Finding 2

Transitive complexity dominated the median repository, with a median transitive ratio of 0.7071.

Finding 3

A small set of high-influence packages repeatedly shaped graph exposure across unrelated projects.

Finding 4

Dependency governance is often a workflow problem, not just a vulnerability-list problem.

Who it’s for

Built for teams responsible for dependency oversight

Compliance / GRC

Use the report to understand what dependency governance evidence and repeatability should look like in practice.

Security / AppSec

Use the report to understand where transitive complexity and graph concentration create review friction.

Engineering leadership

Use the report to understand dependency debt, structural complexity, and why governance cannot be reduced to direct dependencies alone.