Every dependency in your tree is a link in your supply chain that can be compromised. Adjust the sliders to see how dependency count, breach probability, and time horizon affect your cumulative risk.
Pull the actual dependency count for an npm package and load it into the model below.
About the default
The default of ~1.4e-6 per day corresponds to roughly a 0.05% annual breach probability per package, a conservative estimate based on published supply-chain incident rates across npm.
Each package has a small daily probability p of being breached. With n total packages in your dependency tree, the probability that none are breached on a given day is (1 − p)^n.
Over d days, the probability of remaining breach-free is (1 − p)^(n × d). The cumulative breach probability is therefore:
P(breach) = 1 − (1 − p)^(n × d)
This model treats each package-day as an independent Bernoulli trial. In reality, breaches are correlated (e.g., a single maintainer compromise can affect many packages), so this model is a lower bound on actual risk.
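The formula above carried through in code, as an added example rather than the page's own calculator code: it converts an annual per-package rate to the daily p, evaluates P(breach) with log1p/expm1 so tiny p values do not lose precision, and inverts the formula to find the day on which cumulative risk crosses a threshold. The default constant and the 1000-package sample tree are the page's default and a constructed input.

```python
import math

# Page default: ~1.4e-6 per package per day (about 0.05% per year).
DEFAULT_DAILY_P = 1.4e-6


def daily_from_annual(annual_p: float) -> float:
    """Per-day probability equivalent to an annual per-package probability,
    assuming independent days: 1 - (1 - annual)^(1/365)."""
    return -math.expm1(math.log1p(-annual_p) / 365.0)


def annual_from_daily(daily_p: float) -> float:
    """Inverse of daily_from_annual: 1 - (1 - p)^365."""
    return -math.expm1(365.0 * math.log1p(-daily_p))


def breach_probability(n: int, p: float = DEFAULT_DAILY_P, days: int = 365) -> float:
    """P(breach) = 1 - (1 - p)^(n * d) for n packages over d days.

    (1 - p)^(n*d) is exp(n*d*log1p(-p)); writing 1 - exp(x) as -expm1(x)
    avoids catastrophic cancellation when p is on the order of 1e-6."""
    if n < 0 or days < 0 or not 0.0 <= p <= 1.0:
        raise ValueError("n and days must be >= 0 and p must be in [0, 1]")
    return -math.expm1(n * days * math.log1p(-p))


def days_until(threshold: float, n: int, p: float = DEFAULT_DAILY_P) -> int:
    """Smallest d with P(breach) >= threshold, from
    (1 - p)^(n*d) <= 1 - threshold  =>  d >= log(1 - threshold) / (n * log(1 - p))."""
    if n <= 0 or p <= 0.0:
        raise ValueError("n and p must be positive for the threshold to be reachable")
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    return math.ceil(math.log1p(-threshold) / (n * math.log1p(-p)))


if __name__ == "__main__":
    n_sample = 1000  # constructed dependency-tree size, not from the page
    print(f"one package, one year:  {breach_probability(1):.6f}")
    print(f"{n_sample} packages, one year: {breach_probability(n_sample):.4f}")
    print(f"days until 50% risk at n={n_sample}: {days_until(0.5, n_sample)}")
```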