Bernie, propped up and wearing sunglasses

The Bernie Foundation

Some of your dependencies are wearing sunglasses. πŸ•ΆοΈ
We do the engineering work to take them off.

What's a Bernie?

A Bernie is an open source package that's still being downloaded millions of times a week, still resolving in your lockfile, still passing CI β€” but nobody is home. The maintainer has moved on. Issues pile up. PRs go unreviewed. The package is, for all practical purposes, dead… it just hasn't stopped moving yet.

Like the 1989 movie, the ecosystem keeps propping these packages up and parading them around as if everything is fine. It isn't.

Analysis of the most-depended-upon open source packages found that roughly 1 in 8 critical repositories is dead β€” archived or non-responsive β€” yet collectively they sit underneath hundreds of millions of downstream repos.

Why this is a supply chain problem

Unmaintained code used to be low-risk simply because nobody bothered to look at it. That era is over. Automated and AI-assisted vulnerability discovery means real, exploitable bugs are now being found in code that has no one to fix it.

Our mission

The Bernie Foundation exists to fund and perform the ongoing engineering work that keeps unmaintained dependencies from becoming supply chain incidents.

Most organizations treat their dependency tree the way bad owners treat a puppy: they loved bringing it home, but nobody wants to walk it. We are the people who show up to do the unglamorous work β€” triage, patching, coordination with registries, and responsible handoff β€” so that a dead package doesn't become your breach notification.

How we work: Fix, Fork, Forgo

For every Bernie we identify in the critical dependency graph, we apply one of three engineering strategies.

Funding: the 4th F

Funding is rarely straightforward. Donating money to maintainers is obviously helpful, but it does not automatically produce the secure outcomes we need.

“You can't pay for more nights and weekends.”
β€” Michael Winser, co-founder of Alpha-Omega

The reality is that many open source projects are maintained by people who have day jobs and real-life responsibilities. Their maintenance work takes up what other people would think of as free time. Asking them to do more β€” even paying them to do more β€” can actually make things worse.

Organizations like Alpha-Omega direct funding in leveraged and strategic ways to catalyze improvements in open source security and sustainability. The Bernie Foundation works alongside efforts like these, putting engineering hands on the keyboard where money alone can't.

Help us take the sunglasses off

If your organization depends on open source β€” and it does β€” you depend on Bernies. Sponsor the engineering work, nominate a package that needs help, or lend your own engineers to the effort.

Get involved