{"slug": "i-scanned-dub-s-codebase-it-s-not-a-link-shortener", "title": "I scanned Dub's codebase. It's not a link shortener.", "summary": "A developer scanned Dub's open-source codebase using a CLI tool and discovered it is not a simple link shortener but an affiliate management platform with fraud detection, AI-generated landing pages, and commission tracking. The scan revealed 80 Prisma models, 18 fraud-related UI components, and 85 environment variables, indicating far greater complexity than its public description suggests. The codebase also includes AI integrations from Vercel AI and Anthropic for CSV mapping, analytics filtering, and landing page generation.", "body_md": "I'm scanning one popular open source repo a day and digging into what's underneath. A CLI scanner reads the codebase in seconds, then I use the output to investigate what's actually going on architecturally.\n\nFirst up: [Dub](https://dub.co) — YC-backed link management. 20K+ stars.\n\n``` bash\n$ npx anatomia-cli scan .\n\ndub-monorepo                                              web-app\nTypeScript · Next.js · Prisma → MySQL (80 models) · 12 packages\n\nStack\n─────\nLanguage     TypeScript\nFramework    Next.js\nDatabase     Prisma → MySQL (80 models)\nAuth         NextAuth\nAI           Vercel AI\nPayments     Stripe\nTesting      Vitest, Playwright\nUI           shadcn/ui (Tailwind)\nServices     Nodemailer · Resend · Vercel Edge Config · React Email\n             Upstash QStash (+2 more)\nDeploy       Vercel · GitHub Actions\nWorkspace    Turborepo (pnpm)\n\nSurfaces\n────────\nweb   Next.js · Vitest\ncli   TypeScript\n```\n\n6 seconds. Here's what I found when I started pulling threads.\n\nThe scan showed 80 Prisma models. That's a lot for a link shortener. So I looked at what those models actually are. The `fraud.prisma`\n\nschema has 14 `@relation`\n\nreferences — tied with `program.prisma`\n\nfor the most connected models in the entire codebase.\n\nThere are 6 fraud rule types baked into the schema:\n\nOn the UI side, there are 18 dedicated fraud components — review sheets, severity indicators, fraud event tables per rule type, cross-program summaries. This isn't a checkbox feature. It's a system.\n\nIf you think of Dub as a link shortener, none of this makes sense. But Dub runs an affiliate/partner program (Dub Partners) where they pay commissions on referrals. The fraud layer exists to prevent partners from gaming the commission system. The most complex engineering in a \"link shortener\" is catching people who cheat.\n\nThe scan flagged `AI: Vercel AI`\n\n— which I didn't expect on a link management tool. I traced the imports. Three files use `@ai-sdk/anthropic`\n\n:\n\n** generate-csv-mapping.ts** — Uses Claude Sonnet 4.6 to auto-map CSV columns when bulk-importing links. You upload a spreadsheet, Claude figures out which columns are URLs, titles, tags.\n\n** generate-filters.ts** — AI-powered analytics filtering. Instead of clicking through dropdowns, describe what you want to see.\n\n** generate-lander.ts** — This is the interesting one. It uses Anthropic +\n\nNone of this is mentioned in Dub's README or feature list. The scan surfaced it from the dependency tree, and the imports confirmed the usage.\n\nThe `.env.example`\n\nhas 85 variables. That's the operational complexity of running Dub yourself. Stripe keys (7 different Stripe-related variables — production, connect, app, sandbox, webhooks). Upstash for Redis, rate limiting, QStash, vector search, AND workflows. Tinybird for analytics. Resend AND SMTP for email. Google and GitHub OAuth. Vercel API keys. Encryption keys. Signing secrets.\n\nIf you're evaluating Dub's open source repo for self-hosting, the env file is the real architecture document. 85 variables means 85 external dependencies you need to configure.\n\nThe `@dub/ui`\n\npackage has 447 `.tsx`\n\nfiles. That's not a component library — it's a full design system built internally. For context, shadcn/ui ships around 50 primitives. Dub built roughly 9x that for their own product.\n\nDub from the outside: link shortener.\n\nDub from the scan: an affiliate management platform with fraud detection, AI-generated partner landing pages, commission tracking, bounty systems, and a link shortener as the entry point. The Prisma schema tells the story — the most connected models aren't about links. They're about programs, fraud, and money.\n\n*Post 1 of \"Scanning Open Source\" — one repo per day. Tomorrow: Inbox Zero.*\n\n`npx anatomia-cli scan .`\n\n— [GitHub](https://github.com/anatomia-dev/anatomia)", "url": "https://wpnews.pro/news/i-scanned-dub-s-codebase-it-s-not-a-link-shortener", "canonical_source": "https://dev.to/ryan_patrick_smith/i-scanned-dubs-codebase-its-not-a-link-shortener-4mla", "published_at": "2026-05-27 03:51:32+00:00", "updated_at": "2026-05-27 04:23:01.325083+00:00", "lang": "en", "topics": ["ai-startups", "ai-products", "ai-tools"], "entities": ["Dub", "YC", "Next.js", "Prisma", "MySQL", "NextAuth", "Stripe", "Vercel"], "alternates": {"html": "https://wpnews.pro/news/i-scanned-dub-s-codebase-it-s-not-a-link-shortener", "markdown": "https://wpnews.pro/news/i-scanned-dub-s-codebase-it-s-not-a-link-shortener.md", "text": "https://wpnews.pro/news/i-scanned-dub-s-codebase-it-s-not-a-link-shortener.txt", "jsonld": "https://wpnews.pro/news/i-scanned-dub-s-codebase-it-s-not-a-link-shortener.jsonld"}}