In software engineering folklore, the "bus factor" is the number of people who would have to be hit by a bus before a project grinds to a halt. It is a grim joke that stopped being funny sometime around 2016, when the left-pad unpublishing briefly broke half the JavaScript ecosystem. It stopped being a joke entirely on March 29, 2024, when Andres Freund disclosed the XZ Utils backdoor and the world learned that a single exhausted maintainer in Finland had been the only thing standing between a nation-state adversary and SSH on every Linux server on the planet.
The bus factor is not an abstraction. It is a concrete, measurable property of every package you depend on, and for an uncomfortable percentage of them, the number is one.
How We Got Here
The original sin of modern software distribution is that ease of consumption scales much faster than ease of maintenance. A developer can npm install express in under a second. The person maintaining that package spends years learning the codebase, its quirks, its users, its reporting norms, and its security boundaries. There is a fundamental asymmetry between the cost of using something and the cost of keeping it alive.
The Tidelift State of the Open Source Maintainer Report, published annually since 2021, has consistently found that roughly 60% of maintainers describe themselves as unpaid hobbyists, and that a majority of widely used projects are maintained by a single person or a small group where effectively one person does most of the substantive work. The 2023 edition showed that 58% of maintainers had quit or considered quitting at least once, citing stress, entitled users, and the unpaid workload.
Libraries.io research from 2017, still widely cited, estimated that a significant portion of the packages underpinning modern applications had a bus factor of one. Seven years later, little has changed structurally. The CHAOSS project, hosted at the Linux Foundation, has tried to formalize maintainer sustainability metrics, but the underlying math has not moved.
The Incidents That Proved It
The pattern repeats with depressing regularity. In November 2021, Marak Squires, the sole maintainer of colors.js and faker.js, deliberately sabotaged both packages in protest of unpaid labor benefiting Fortune 500 companies. The colors.js sabotage broke the AWS CDK and countless CI pipelines. GitHub suspended his account. The packages, with over 25 million weekly downloads combined, were orphaned.
In March 2022, the maintainer of node-ipc embedded protestware that wiped filesystems on machines it detected as being in Russia or Belarus. This was not a compromise. It was the owner exercising unilateral control, because the governance model of node-ipc was, effectively, that one person had commit access.
Denis Pushkarev, maintainer of core-js, a dependency of virtually every major JavaScript project, wrote a public plea in February 2023 describing his financial situation after a motorcycle incident and prison sentence. He had been doing tens of hours per week of maintenance on a package with over 30 million weekly downloads, for roughly the cost of a few coffees per month in sponsorship. The ecosystem shrugged.
And then XZ Utils. Lasse Collin had told the world he was struggling. Sock puppet accounts pressured him. Jia Tan arrived and patiently acquired commit rights over two years. The backdoor was caught by accident, by Andres Freund noticing half-second SSH delays during unrelated benchmarking. Without that accident, the compromise would have shipped in stable distributions.
What "Bus Factor" Actually Measures
The standard definition, "how many people need to disappear for the project to fail," is incomplete. In practice, bus factor should be measured across several dimensions:
Release authority. Who can push a tagged version to the registry? For many packages this is one account with one API token.
Merge authority. Who can merge to the default branch? On single-maintainer projects this is the same person.
Knowledge concentration. Even when there are multiple contributors, substantive architectural knowledge often lives in one head. A drive-by typo fix does not make someone a successor.
Emergency response. When a CVE drops at 2 a.m. on a Saturday, who actually responds? The person who shows up in the issue tracker within six hours is frequently one individual.
Key custody. Who holds the signing keys? For many projects, one person, on one laptop.
A project can have fifty contributors and a bus factor of one if all five of these dimensions concentrate in the same person. Conversely, a project with three active maintainers, distributed release authority, and documented runbooks can survive the loss of any single individual.
The Security Implications
Single maintainers are easier to coerce. Jia Tan did not need to compromise a committee. He needed to earn trust from one exhausted person. Nation-state actors understand this. Financially motivated attackers understand this, too. A 2023 Checkmarx report documented cases of attackers offering to "help maintain" dormant packages, then using the access to publish malicious releases.
Single maintainers are harder to audit. Peer review is a security property. When every commit goes through one person, there is no second set of eyes. Self-reviewed merges are normal in single-maintainer projects, and they are a class of weakness that no static analysis tool catches.
Single maintainers create availability risk. The event-stream incident of 2018, where a maintainer handed ownership to a stranger who injected cryptocurrency theft code, followed a familiar script. The original maintainer was tired. Someone offered to take over. The handoff happened via GitHub DM. No governance, no vetting.
What Structural Fixes Look Like
The Open Source Security Foundation's Alpha-Omega Project, launched in February 2022, targets a relatively small number of the most critical upstream projects for direct investment. It funds maintainers, security audits, and capacity building at projects like Node.js, Python, and the Rust Foundation's security initiatives. It is not a full solution, but it is an acknowledgment that the market is not going to fund this on its own.
The Sovereign Tech Fund, launched by the German government in 2022, takes a similar approach from the public-investment side. The European Cyber Resilience Act, which entered into force in December 2024, pushes obligations down the supply chain toward commercial consumers, creating economic pressure to fund the maintainers those consumers depend on.
Inside enterprises, the answer is less glamorous but more immediate. Inventory your dependencies. Identify the ones with a bus factor of one. Decide which of those matter. Sponsor the maintainers directly, or fork and vendor the code, or replace the dependency. Do this as a deliberate engineering activity, not a procurement exercise.
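The inventory step above, applied to the dimensions listed earlier, can be made concrete with a small triage script. The Python below is an added example, not the article's code and not any vendor's product. Package names, commit histories, release records and dependent counts are constructed for the illustration, and the three heuristics (top committers needed to exceed half the commits, distinct release publishers, authors active in the last 90 days) are assumptions chosen to approximate knowledge concentration, release authority and emergency response; they are not a standard metric.

```python
"""Bus-factor triage over a dependency inventory (added example; all data constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Commit:
    author: str
    when: date


@dataclass(frozen=True)
class Release:
    version: str
    publisher: str


def knowledge_bus_factor(commits, threshold=0.5):
    """Smallest number of top committers whose combined share of commits
    exceeds `threshold`. One author with all the commits scores 1."""
    if not commits:
        return 0
    counts = Counter(c.author for c in commits)
    total = sum(counts.values())
    covered = 0
    for n, (_, cnt) in enumerate(counts.most_common(), start=1):
        covered += cnt
        if covered / total > threshold:
            return n
    return len(counts)


def release_bus_factor(releases):
    """Distinct accounts that have actually pushed a tagged release."""
    return len({r.publisher for r in releases})


def active_responders(commits, today, window_days=90):
    """Distinct authors with a commit inside the window; a rough proxy for
    who would plausibly answer an advisory on a Saturday night."""
    cutoff = today - timedelta(days=window_days)
    return len({c.author for c in commits if c.when >= cutoff})


def assess(name, commits, releases, today):
    """Score three of the article's dimensions; any dimension at one or
    below flags the package."""
    dims = {
        "knowledge": knowledge_bus_factor(commits),
        "release_authority": release_bus_factor(releases),
        "emergency_response": active_responders(commits, today),
    }
    lowest = min(dims.values())
    return {"name": name, "dimensions": dims,
            "bus_factor": lowest, "flagged": lowest <= 1}


def triage(sbom, activity, today):
    """Join the component list with activity data, keep flagged packages and
    rank them by how many of our own components depend on them."""
    report = []
    for comp in sbom:
        commits, releases = activity.get(comp["name"], ([], []))
        result = assess(comp["name"], commits, releases, today)
        result["dependents"] = comp["dependents"]
        if result["flagged"]:
            report.append(result)
    return sorted(report, key=lambda r: (-r["dependents"], r["name"]))


# --- constructed sample data: hypothetical packages, not real projects ---
TODAY = date(2024, 6, 1)


def days_ago(n):
    return TODAY - timedelta(days=n)


ACTIVITY = {
    # one active person does everything: the classic bus factor of one
    "tinyparse": (
        [Commit("solo", days_ago(3)), Commit("solo", days_ago(40)),
         Commit("solo", days_ago(200)), Commit("driveby", days_ago(400))],
        [Release("1.4.0", "solo"), Release("1.3.0", "solo")],
    ),
    # shared authorship and release rights, but nobody has shown up in months
    "leftwidth": (
        [Commit("ann", days_ago(300)), Commit("bo", days_ago(320)),
         Commit("cy", days_ago(350))],
        [Release("2.0.0", "ann"), Release("1.9.0", "bo")],
    ),
    # healthy: three recently active authors and two publishers
    "goodgov": (
        [Commit("ann", days_ago(5)), Commit("bo", days_ago(10)),
         Commit("cy", days_ago(20)), Commit("ann", days_ago(30)),
         Commit("bo", days_ago(45))],
        [Release("3.1.0", "ann"), Release("3.0.0", "bo")],
    ),
}

# constructed SBOM slice: name plus how many of our components depend on it
SBOM = [
    {"name": "goodgov", "dependents": 12},
    {"name": "tinyparse", "dependents": 30},
    {"name": "leftwidth", "dependents": 4},
]

if __name__ == "__main__":
    for row in triage(SBOM, ACTIVITY, TODAY):
        print(row["name"], row["dependents"], row["dimensions"])
```

Run as-is, the script flags tinyparse (every dimension sits on one person) and leftwidth (adequate authorship on paper, zero responders in the last 90 days), and leaves goodgov alone. Replacing the constructed data with real `git log` authorship and registry publisher records is the obvious next step; the scoring is deliberately simple so that each flag can be explained to the team that has to decide whether to sponsor, fork or replace.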
How Safeguard Helps
Safeguard surfaces maintainer and contributor concentration metrics for every dependency in your SBOM, flagging packages where release authority, merge activity, or commit history points to a single individual. Our supply chain risk view combines bus-factor indicators with download volume and transitive reach, so teams can prioritize the handful of single-maintainer packages that actually matter to their stack. When a project's maintainer activity drops or ownership transfers unexpectedly, Safeguard alerts your security team before a compromised release reaches production. The platform also highlights upgrade paths to better-governed alternatives, so bus-factor findings translate directly into action.