The question nobody asks
Your CI/CD pipeline runs npm audit on every push. It checks for known CVEs. It found zero issues with axios in March 2026 — days before the maintainer's npm account was compromised.
I wanted to know: what does the structural risk picture look like for the most-downloaded packages in the npm ecosystem?
So I audited every npm package with more than 10 million weekly downloads — 41 packages — using proof-of-commitment. Here's what I found.
The data (sorted by weekly downloads)
| Package | Downloads/wk | Maintainers | Score | Status |
|---|---|---|---|---|
| semver | 633M | 5 | 72 | ✅ OK |
| minimatch | 560M | 1 | 60 | ⚠️ CRITICAL |
| debug | 554M | 2 | 57 | HIGH |
| chalk | 413M | 1 | 53 | ⚠️ CRITICAL |
| commander | 365M | 2 | 61 | HIGH |
| picomatch | 340M | 4 | 66 | ✅ OK |
| glob | 332M | 1 | 57 | ⚠️ CRITICAL |
| uuid | 239M | 2 | 57 | HIGH |
| postcss | 206M | 1 | 63 | ⚠️ CRITICAL |
| esbuild | 190M | 1 | 63 | ⚠️ CRITICAL |
| typescript | 178M | 6 | 73 | ✅ OK |
| cross-spawn | 174M | 1 | 50 | ⚠️ CRITICAL |
| yargs | 173M | 2 | 59 | HIGH |
| zod | 158M | 1 | 58 | ⚠️ CRITICAL |
| chokidar | 156M | 1 | 56 | ⚠️ CRITICAL |
| nanoid | 151M | 1 | 63 | ⚠️ CRITICAL |
| lodash | 145M | 1 | 62 | ⚠️ CRITICAL |
| braces | 143M | 2 | 52 | HIGH |
| fill-range | 142M | 4 | 56 | ✅ OK |
| micromatch | 141M | 3 | 59 | MED |
| to-regex-range | 134M | 2 | 48 | HIGH |
| eslint | 125M | 2 | 66 | HIGH |
| react | 122M | 2 | 66 | HIGH |
| dotenv | 120M | 3 | 68 | MED |
| minimist | 117M | 3 | 79 | ✅ OK |
| vite | 105M | 4 | 66 | ✅ OK |
| axios | 101M | 1 | 64 | ⚠️ CRITICAL (attacked Apr 1) |
| express | 93M | 5 | 72 | ✅ OK |
| prettier | 87M | 11 | 75 | ✅ OK |
| date-fns | 78M | 1 | 56 | ⚠️ CRITICAL |
| sharp | 51M | 1 | 59 | ⚠️ CRITICAL |
| dayjs | 46M | 1 | 59 | ⚠️ CRITICAL |
| webpack | 45M | 8 | 75 | ✅ OK |
| jest | 44M | 5 | 70 | ✅ OK |
| next | 36M | 2 | 66 | HIGH |
| hono | 34M | 1 | 57 | ⚠️ CRITICAL |
| pino | 28M | 4 | 68 | ✅ OK |
| pg | 23M | 1 | 56 | ⚠️ CRITICAL |
| winston | 22M | 8 | 67 | ✅ OK |
| ioredis | 17M | 2 | 65 | HIGH |
| vue | 11M | 2 | 91 | HIGH |
Scores are 0–100, higher = safer. CRITICAL = single maintainer + >10M weekly downloads. Data: npm registry, April 17 2026.
The finding
16 of 41 packages (39%) have a single maintainer.
Those 16 packages together account for 2.82 billion npm downloads per week.
Some of these are so fundamental they appear in virtually every Node.js project as transitive dependencies — packages you never directly installed, never explicitly chose, and probably never thought about:
- minimatch (560M/wk): pattern matching used by eslint, jest, webpack, mocha, and almost everything else
- chalk (413M/wk): terminal colors used by virtually every CLI tool
- glob (332M/wk): file globbing embedded in build tooling everywhere
- cross-spawn (174M/wk): platform-safe `child_process.spawn` used in almost every build tool
You didn't choose these packages. They came with the ecosystem. Each has a single maintainer.
What happened with axios
On April 1, 2026, the axios maintainer's npm account was compromised. The attacker published a malicious version. npm audit had shown zero issues.
axios fits exactly the profile that behavioral scoring flags: 1 maintainer, 101M weekly downloads, 11.6 years old. High-value target. Single point of failure.
The question isn't whether the axios maintainer was irresponsible — they built infrastructure that billions of downloads per week depend on, as a single person. The question is whether the ecosystem has any structural way to flag this exposure before it becomes a CVE.
What npm audit doesn't catch
npm audit looks for packages with known CVEs — vulnerabilities that have been discovered, reported, assigned a number, and added to a database. That process takes weeks to months.
The structural risk — a package with one maintainer that a billion developers depend on — never appears in the advisory database at all.
Behavioral commitment scoring answers a different question: before anything bad happens, which packages are structurally exposed?
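To make the structural check concrete, here is a small added script (not proof-of-commitment's code) that applies the post's CRITICAL rule, one maintainer plus more than 10M weekly downloads, to the direct dependencies of a package.json. It runs offline against constructed sample data shaped like the two public npm endpoints it names; pass `fetch=npm_fetch` to query them live.

```python
import json
from urllib.request import urlopen
from typing import Callable

# Constructed sample data standing in for two public npm endpoints (downloads mirror the
# post's table, maintainer handles are made up):
#   https://registry.npmjs.org/<pkg>                       -> packument with a "maintainers" list
#   https://api.npmjs.org/downloads/point/last-week/<pkg>  -> {"downloads": N, ...}
SAMPLE_PACKUMENTS = {
    "axios":    {"maintainers": [{"name": "m1"}]},
    "chalk":    {"maintainers": [{"name": "m2"}]},
    "semver":   {"maintainers": [{"name": f"npm-{i}"} for i in range(5)]},
    "prettier": {"maintainers": [{"name": f"p{i}"} for i in range(11)]},
}
SAMPLE_DOWNLOADS = {"axios": 101_000_000, "chalk": 413_000_000,
                    "semver": 633_000_000, "prettier": 87_000_000}
CRITICAL_DOWNLOADS = 10_000_000  # the post's rule: CRITICAL = 1 maintainer and >10M weekly downloads

def sample_fetch(pkg: str) -> tuple[int, int]:
    """Offline stand-in for npm_fetch: returns (maintainer_count, weekly_downloads)."""
    return len(SAMPLE_PACKUMENTS[pkg]["maintainers"]), SAMPLE_DOWNLOADS[pkg]

def npm_fetch(pkg: str) -> tuple[int, int]:
    """Live version (needs network). Scoped names need their '/' encoded as %2F in the registry URL."""
    with urlopen(f"https://registry.npmjs.org/{pkg}") as r:
        maintainers = len(json.load(r).get("maintainers", []))
    with urlopen(f"https://api.npmjs.org/downloads/point/last-week/{pkg}") as r:
        downloads = json.load(r)["downloads"]
    return maintainers, downloads

def deps_from_package_json(text: str) -> list[str]:
    """Direct deps only; the transitive ones the post warns about need the lockfile."""
    pkg = json.loads(text)
    return sorted(set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {})))

def assess(packages, fetch: Callable[[str], tuple[int, int]] = sample_fetch) -> dict:
    """Apply the structural rule npm audit never checks; no CVE database is involved."""
    rows = []
    for name in packages:
        maintainers, downloads = fetch(name)
        rows.append({"package": name, "maintainers": maintainers, "downloads": downloads,
                     "critical": maintainers == 1 and downloads > CRITICAL_DOWNLOADS})
    critical = [r for r in rows if r["critical"]]
    return {"rows": rows, "critical": [r["package"] for r in critical],
            "critical_downloads": sum(r["downloads"] for r in critical)}

if __name__ == "__main__":
    PACKAGE_JSON = '{"dependencies": {"axios": "^1.0", "semver": "^7"}, "devDependencies": {"chalk": "^5", "prettier": "^3"}}'
    for r in assess(deps_from_package_json(PACKAGE_JSON))["rows"]:
        print(f'{r["package"]:<10}{r["maintainers"]:>3} maintainers {r["downloads"] // 1_000_000:>5}M/wk  {"CRITICAL" if r["critical"] else "ok"}')
```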
The packages that did well
High-download packages with strong maintainer depth show that high download volume without a single point of failure is possible:
- prettier: 87M downloads, 11 maintainers, score 75
- webpack: 45M downloads, 8 maintainers, score 75
- winston: 22M downloads, 8 maintainers, score 67
- typescript: 178M downloads, 6 maintainers, score 73
- semver: 633M downloads, 5 maintainers, score 72
semver is the highest-download package in this list (633M/week) and has 5 maintainers. Not coincidentally, semver is maintained by the npm organization.
Try it yourself
Zero install:

```shell
npx proof-of-commitment axios zod chalk minimatch
# or scan your own project:
npx proof-of-commitment --file package.json
```
Web (no install): getcommit.dev/audit — paste packages, drop your package.json, or paste a GitHub URL directly.
Watchlist: getcommit.dev/watchlist — live tracking of top npm packages.
GitHub Action (posts risk table on your PR):

```yaml
- uses: piiiico/proof-of-commitment@main
  with:
    fail-on-critical: false
    comment-on-pr: true
```
MCP server (Claude Desktop, Cursor, Windsurf):

```json
{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
```
Data source: npm weekly downloads from the npm registry API. Maintainer counts from the npm registry. Scores from proof-of-commitment. All data as of April 17, 2026.