A Metric Nobody Tracks
The web framework ecosystem is evaluated by stars, commits, and CVE counts. WebPulse tracks all of these. But one derived metric reveals more about a framework's organizational health than any of them individually: commits per contributor per year. This ratio measures how much each active contributor is shipping — a proxy for whether a framework's engineering base is overextended, balanced, or carrying surplus capacity.
Across 22 frameworks, commits per contributor ranges from 0.9 (Vue) to 26.1 (Magento). That 29x spread is not a curiosity. It is the difference between a framework that can absorb a critical vulnerability disclosure without breaking stride and one that will struggle to ship a patch while maintaining its release schedule.
The Overextended: Shipping Under Pressure
Two frameworks stand out for high commits-per-contributor ratios, indicating small teams carrying disproportionate workloads. Magento leads at 26.1 — its 259 contributors produce 6,767 commits, a pace that suggests a compact Adobe engineering team driving the bulk of development. WordPress follows a different pattern: 18.6 commits per contributor, but with only 90 contributors total, making it the most concentrated among popular frameworks.
The Balanced Middle: Sustainable Engineering
The healthiest frameworks cluster between 3 and 14 commits per contributor per year. Next.js delivers 13.5 (5,751 commits from 427 contributors). Angular delivers 10.5 (3,950 commits from 376 contributors). Rails delivers 8.5 (3,161 commits from 370 contributors). Spring sits at 6.1 (2,219 commits from 361 contributors) — a ratio that, paired with its low CVE count (47) and enterprise backing from VMware/Broadcom, signals a framework with sustainable engineering depth. These ratios suggest frameworks where the engineering load is distributed across a sufficiently large contributor base, no single contributor is a bottleneck, and the project could sustain the loss of any individual without halting.
Astro sits at 8.8 commits per contributor (2,933 commits from 335 contributors) — a ratio that, combined with its 50 annual releases and 64 CVEs, describes a framework in the sweet spot of engineering efficiency. Enough contributors to distribute work. Enough output per contributor to maintain velocity. Enough releases to signal active maintenance.
The Low-Output Zone: Capacity or Decline?
At the bottom of the ranking, three frameworks produce fewer than 1.5 commits per contributor per year. Vue: 0.9 (391 commits from 441 contributors). HTMX: 0.3 (122 commits from 445 contributors). Flask: 0.1 (56 commits from 400 contributors). Each tells a different story.
Vue's 0.9 ratio reflects a framework that is mature and stable — its 441 contributors represent a deep bench that could ramp up if needed, and its 43 annual releases show the project is far from dormant. HTMX's 0.3 reflects its architectural philosophy — less code means less churn, and its zero CVE count validates the approach. Flask's 0.1 is the notable case: 400 all-time contributors producing 56 commits suggests a project in deep maintenance mode. Flask core is stable, but the low activity raises bus-factor questions — and the real vulnerability surface lives in the community extensions every production Flask app depends on.
Reading the Ratio
Commits per contributor is not a score — high is not inherently good, and low is not inherently bad. The metric is a diagnostic tool. Ratios above 20 suggest overwork and concentration risk. Ratios between 5 and 15 suggest healthy distribution. Ratios below 1 demand a second look: is the framework stable and mature (Vue), architecturally minimal (HTMX), or quietly abandoned (Flask)? For CISOs and CTOs evaluating framework risk, this metric adds a dimension that star counts and CVE counts alone cannot provide. It answers the question: when the next zero-day drops, does this framework have the engineering capacity to respond?
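The ratio and the bands from this section, as an added example (not WebPulse's own code). It reads one author e-mail per commit, such as the output of `git log --since='1 year ago' --format='%aE'`; the function names, the sample log and the top-author share are assumptions of this example, not metrics defined on the page.

```python
from collections import Counter

def band(ratio):
    """Bands as stated in this section; ratios in the gaps (1-5, 15-20) are not classified there."""
    if ratio > 20:
        return "overextended"
    if 5 <= ratio <= 15:
        return "balanced"
    if ratio < 1:
        return "second look"
    return "unclassified"

def ratio_and_band(commits, contributors):
    """Return (ratio rounded to one decimal, band), or None when there are no contributors."""
    if contributors <= 0:
        return None
    ratio = commits / contributors
    return round(ratio, 1), band(ratio)

def from_git_authors(lines):
    """lines: one author e-mail per commit in the window being measured."""
    counts = Counter(l.strip().lower() for l in lines if l.strip())
    commits = sum(counts.values())
    result = ratio_and_band(commits, len(counts))
    if result is None:
        return None
    return {
        "commits": commits,
        "contributors": len(counts),
        "ratio": result[0],
        "band": result[1],
        # Extra figure, not from the page: share of commits by the busiest author.
        "top_author_share": round(max(counts.values()) / commits, 2),
    }

# Constructed sample: the mean falls in the 5-15 band although one author
# wrote nearly every commit, so the ratio needs the distribution beside it.
SAMPLE = ["alice@example.org"] * 42 + ["bob@example.org"] * 2 + ["Carol@example.org"]

if __name__ == "__main__":
    print(ratio_and_band(6767, 259))   # Magento figures quoted on the page
    print(from_git_authors(SAMPLE))
```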


