What's a Bernie?
A Bernie is an open source package that's still being downloaded millions of times a week, still resolving in your lockfile, still passing CI β but nobody is home. The maintainer has moved on. Issues pile up. PRs go unreviewed. The package is, for all practical purposes, deadβ¦ it just hasn't stopped moving yet.
Like the 1989 movie, the ecosystem keeps propping these packages up and parading them around as if everything is fine. It isn't.
Analysis of the most-depended-upon open source packages found that roughly 1 in 8 critical repositories is dead β archived or non-responsive β yet collectively they sit underneath hundreds of millions of downstream repos.
Why this is a supply chain problem
Unmaintained code used to be low-risk simply because nobody bothered to look at it. That era is over. Automated and AI-assisted vulnerability discovery means real, exploitable bugs are now being found in code that has no one to fix it.
- CVEs with nowhere to go A valid vulnerability is reported, but there's no maintainer to receive it and no fixed version to upgrade to.
-
Frozen registry namespaces
One absent individual holds publish rights. Even if a patch exists, it never reaches
npm installorpip install. - Transitive version pins A dead package's strict version constraints block your other dependencies from taking security updates.
- Silent, unexamined code Millions of dependents, zero recent eyeballs. The bugs are there β they just haven't been filed yet.
Our mission
The Bernie Foundation exists to fund and perform the ongoing engineering work that keeps unmaintained dependencies from becoming supply chain incidents.
Most organizations treat their dependency tree the way bad owners treat a puppy: they loved bringing it home, but nobody wants to walk it. We are the people who show up to do the unglamorous work β triage, patching, coordination with registries, and responsible handoff β so that a dead package doesn't become your breach notification.
How we work: Fix, Fork, Forgo
For every Bernie we identify in the critical dependency graph, we apply one of three engineering strategies β and where none of those is enough, we help organize funding so a real maintainer can step back in.
- Fix Patch the vulnerability upstream, get it merged, and get a release cut β even if that means doing the release engineering ourselves.
- Fork When upstream is truly gone, publish a maintained, minimal-diff fork under foundation stewardship and coordinate registry handover.
- Forgo Help the ecosystem migrate off dependencies that no longer justify their risk, with codemods and clear deprecation paths.
- Fund Direct resources to maintainers and projects at capacity, so the next Bernie never has to put the sunglasses on.
Help us take the sunglasses off
If your organization depends on open source β and it does β you depend on Bernies. Sponsor the engineering work, nominate a package that needs help, or lend your own engineers to the effort.
Get involved