I'm scanning one popular open source repo a day and digging into what's underneath. A CLI scanner reads the codebase in seconds, then I use the output to investigate what's actually going on architecturally.
First up: Dub β YC-backed link management. 20K+ stars.
$ npx anatomia-cli scan .
dub-monorepo web-app
TypeScript Β· Next.js Β· Prisma β MySQL (80 models) Β· 12 packages
Stack
βββββ
Language TypeScript
Framework Next.js
Database Prisma β MySQL (80 models)
Auth NextAuth
AI Vercel AI
Payments Stripe
Testing Vitest, Playwright
UI shadcn/ui (Tailwind)
Services Nodemailer Β· Resend Β· Vercel Edge Config Β· React Email
Upstash QStash (+2 more)
Deploy Vercel Β· GitHub Actions
Workspace Turborepo (pnpm)
Surfaces
ββββββββ
web Next.js Β· Vitest
cli TypeScript
6 seconds. Here's what I found when I started pulling threads.
The scan showed 80 Prisma models. That's a lot for a link shortener. So I looked at what those models actually are. The fraud.prisma
schema has 14 @relation
references β tied with program.prisma
for the most connected models in the entire codebase.
There are 6 fraud rule types baked into the schema:
On the UI side, there are 18 dedicated fraud components β review sheets, severity indicators, fraud event tables per rule type, cross-program summaries. This isn't a checkbox feature. It's a system.
If you think of Dub as a link shortener, none of this makes sense. But Dub runs an affiliate/partner program (Dub Partners) where they pay commissions on referrals. The fraud layer exists to prevent partners from gaming the commission system. The most complex engineering in a "link shortener" is catching people who cheat.
The scan flagged AI: Vercel AI
β which I didn't expect on a link management tool. I traced the imports. Three files use @ai-sdk/anthropic
:
** generate-csv-mapping.ts** β Uses Claude Sonnet 4.6 to auto-map CSV columns when bulk-importing links. You upload a spreadsheet, Claude figures out which columns are URLs, titles, tags.
** generate-filters.ts** β AI-powered analytics filtering. Instead of clicking through dropdowns, describe what you want to see.
** generate-lander.ts** β This is the interesting one. It uses Anthropic +
None of this is mentioned in Dub's README or feature list. The scan surfaced it from the dependency tree, and the imports confirmed the usage.
The .env.example
has 85 variables. That's the operational complexity of running Dub yourself. Stripe keys (7 different Stripe-related variables β production, connect, app, sandbox, webhooks). Upstash for Redis, rate limiting, QStash, vector search, AND workflows. Tinybird for analytics. Resend AND SMTP for email. Google and GitHub OAuth. Vercel API keys. Encryption keys. Signing secrets.
If you're evaluating Dub's open source repo for self-hosting, the env file is the real architecture document. 85 variables means 85 external dependencies you need to configure.
The @dub/ui
package has 447 .tsx
files. That's not a component library β it's a full design system built internally. For context, shadcn/ui ships around 50 primitives. Dub built roughly 9x that for their own product.
Dub from the outside: link shortener.
Dub from the scan: an affiliate management platform with fraud detection, AI-generated partner landing pages, commission tracking, bounty systems, and a link shortener as the entry point. The Prisma schema tells the story β the most connected models aren't about links. They're about programs, fraud, and money.
Post 1 of "Scanning Open Source" β one repo per day. Tomorrow: Inbox Zero.
npx anatomia-cli scan .
β GitHub