The Contributor Count as a Risk Metric
WebPulse's GitHub data collection tracks active contributors across 22 web frameworks. Active contributors are individuals who have committed code in the trailing twelve months — not lifetime contributors, not issue commenters, not documentation editors. By this measure, WordPress has 89 active contributors. Next.js has 427. SvelteKit has 452. Astro has 335. Nuxt has 420.
WordPress's 89 contributors place it below every modern framework in the dataset and below several legacy platforms. The number is particularly notable given WordPress's market position. WebPulse scans detect WordPress on roughly a third of analyzed sites. A platform with that level of deployment running on 89 active contributors represents a concentration of maintenance responsibility that enterprise risk frameworks are designed to flag.
Deployment-to-Contributor Ratio
The relevant metric is not the raw contributor count but the ratio between deployment scale and contributor base. Next.js powers a growing share of the modern web with 427 contributors producing 5,706 commits per year — roughly 13 commits per contributor annually. SvelteKit's 452 contributors produce 906 commits — two per contributor, reflecting a distributed model where many developers make small, focused contributions.
WordPress's 89 contributors produce 1,660 commits per year — approximately 19 commits per contributor. Each WordPress contributor carries a disproportionate share of the codebase's evolution. When the platform also carries 18,321 CVEs in its lifetime NVD record, the concentration becomes a compounding factor. Fewer eyes reviewing code that serves more deployments with more known vulnerability patterns creates a maintenance surface that scales poorly.
Nuxt provides a useful benchmark. With 60,500 stars, 420 contributors, 1,312 commits, and 40 releases per year, Nuxt earns a WebPulse score of 91. WordPress, with 21,000 stars, 89 contributors, 1,660 commits, and zero GitHub releases, earns a score of 25. The contributor base is not the sole differentiator — release transparency and security history weigh heavily — but contributor diversity is a meaningful signal of community health.
Why Contributor Diversity Matters
Open-source project health research consistently identifies contributor diversity as a leading indicator of sustainability. Projects with narrow contributor bases face three compounding risks: key-person dependency, review bottlenecks, and knowledge concentration. When a small number of individuals understand critical subsystems, their departure — whether through burnout, career change, or organizational shift — creates gaps that cannot be backfilled quickly.
WordPress's development model partially explains the low GitHub contributor count. Significant WordPress development occurs through channels that GitHub's API does not capture — Trac tickets, SVN commits, plugin ecosystem contributions, and theme development. The 89-contributor figure measures GitHub activity specifically. But GitHub is where the framework landscape has converged. The developer pool that evaluates, contributes to, and selects frameworks increasingly operates on GitHub. A framework's GitHub contributor count is both a measure of participation and a signal of where developer attention flows.
Astro illustrates the alternative model. With 60,000 stars and 335 contributors producing 2,909 commits and 50 releases per year, Astro distributes its maintenance load across a community roughly four times the size of WordPress's GitHub contributor base while producing nearly twice the commit volume. The framework scores 90 on WebPulse's composite assessment.
The Enterprise Procurement Signal
Enterprise software procurement increasingly incorporates open-source health metrics into vendor and platform evaluations. The Linux Foundation's CHAOSS project defines contributor count, contributor diversity, and bus factor as standard metrics for open-source project health assessment. SLSA and SSDF frameworks reference contributor diversity as a supply chain security indicator.
An enterprise running WordPress across 200 properties is making a bet that 89 contributors will continue to maintain, secure, and evolve the platform indefinitely. An enterprise running Next.js across the same number of properties is making the same bet on 427 contributors backed by Vercel's commercial investment. The risk profiles differ. Neither bet is guaranteed, but the contributor-to-deployment ratio favors the broader contributor base.
The contributor gap also affects incident response. When a critical vulnerability is discovered, the pool of developers who understand the affected code and can review, test, and ship a patch determines response time. WordPress's 18,321 lifetime CVEs represent a recurring demand on its 89 contributors' capacity. Next.js's 92 lifetime CVEs represent a materially different demand on its 427 contributors' capacity.
What the Data Indicates
The contributor disparity between WordPress and modern frameworks is not a new development, but the gap has widened as frameworks like SvelteKit, Nuxt, and Astro have grown their contributor communities. WordPress's contributor count has remained relatively stable while competing frameworks have scaled their participation. The result is a growing asymmetry between WordPress's deployment footprint and its development resources.
For technology leaders evaluating platform risk, the contributor data adds a dimension that market share alone does not capture. WordPress's market presence is substantial. Its contributor base, measured by GitHub activity, is narrow. The ratio between the two is the metric that warrants attention — not because it predicts failure, but because it quantifies the concentration risk embedded in a platform decision that many organizations treat as default.
