DEV Community

Pico


Add a supply chain risk badge to your npm or PyPI package README

If you maintain an open source package, here's a one-liner to show its behavioral commitment score:

![commit score](https://poc-backend.amdal-dev.workers.dev/api/badge/npm/YOUR-PACKAGE-NAME)

No API key. No install. Just paste it in.

What it shows

The badge scores your package on behavioral signals — things harder to fake than stars or download counts:

  • Maintainer count — a single maintainer plus millions of weekly downloads is the profile that got LiteLLM exploited in March and axios exploited in April
  • Release consistency — regular releases signal active oversight; long gaps let known vulnerabilities accumulate unpatched
  • Package age — new packages with rapid adoption are high risk
  • Download trend — growing vs. declining

Color-coded:

  • 🟢 healthy (score 75+)
  • 🟢 good (60-74)
  • 🟡 moderate (40-59)
  • 🟠 high risk (<40)
  • 🔴 CRITICAL (single maintainer + >10M downloads/week)

Examples

| Package | Score |
| --- | --- |
| axios | 64, good (1 maintainer, 93M/week) |
| zod | 58, moderate (1 maintainer, 139M/week) |
| chalk | 53, moderate (1 maintainer, 399M/week) |
| litellm | 76, ⚠ CRITICAL (1 maintainer, ~22M/week on PyPI) |

URL pattern

npm:  https://poc-backend.amdal-dev.workers.dev/api/badge/npm/PACKAGE-NAME
PyPI: https://poc-backend.amdal-dev.workers.dev/api/badge/pypi/PACKAGE-NAME

Scoped packages work:

![commit](https://poc-backend.amdal-dev.workers.dev/api/badge/npm/@anthropic-ai/sdk)

Badges are edge-cached for 5 minutes on Cloudflare's global network.

Why this matters

Three packages in a typical Node.js project are CRITICAL by behavioral signals right now:

  • chalk — 399M downloads/week, 1 maintainer
  • zod — 139M downloads/week, 1 maintainer
  • axios — 96M downloads/week, 1 maintainer — attacked April 1st, 2026

The LiteLLM supply chain attack (March 2026) followed the exact same pattern: sole maintainer, massive download volume, stolen PyPI token. Behavioral signals flagged this profile long before the attack — nobody was looking.

Stars and README quality don't surface this. Behavioral signals do.

Try the full tool

Web demo: getcommit.dev/audit — paste your package.json, see scores instantly

REST API:

curl https://poc-backend.amdal-dev.workers.dev/api/audit \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"packages": ["axios", "zod", "chalk", "express"]}'
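An added example, not the post's or the tool's own code: a small Python script that pulls dependency names out of a package.json, builds the badge Markdown for each one from the URL pattern above (scoped names stay literal, as in the `@anthropic-ai/sdk` example), and assembles the request body the curl command sends. The package.json it reads is a constructed sample, not a real project.

```python
import json

# Endpoints exactly as given in the post.
BADGE_BASE = "https://poc-backend.amdal-dev.workers.dev/api/badge"
AUDIT_URL = "https://poc-backend.amdal-dev.workers.dev/api/audit"

# Constructed sample manifest; the package names are real, the project is not.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "axios": "^1.6.0",
    "zod": "^3.22.0",
    "@anthropic-ai/sdk": "^0.20.0"
  },
  "devDependencies": {
    "chalk": "^5.3.0"
  }
}
"""


def dependency_names(package_json_text, include_dev=True):
    """Return sorted, de-duplicated dependency names from a package.json document."""
    manifest = json.loads(package_json_text)
    sections = ["dependencies"] + (["devDependencies"] if include_dev else [])
    names = set()
    for section in sections:
        names.update(manifest.get(section, {}).keys())
    return sorted(names)


def badge_markdown(name, registry="npm"):
    """Markdown image tag for one package's badge; registry is 'npm' or 'pypi'."""
    return f"![commit score]({BADGE_BASE}/{registry}/{name})"


def audit_request_body(names):
    """JSON body in the shape the post's curl example POSTs to /api/audit."""
    return json.dumps({"packages": list(names)})


if __name__ == "__main__":
    deps = dependency_names(SAMPLE_PACKAGE_JSON)
    for dep in deps:
        print(badge_markdown(dep))          # paste these lines into a README
    print(f"POST {AUDIT_URL}")
    print(audit_request_body(deps))         # body for the curl call above
```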

MCP server (let your AI audit dependencies for you):

{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

Drop your package name in the comments and I'll check the score.
