Everyone audits their direct dependencies. Nobody audits their dependencies' dependencies.
I just added dependency tree traversal to Proof of Commitment — a tool that scores npm packages on behavioral commitment signals (maintainer count, download volume, release consistency). Today you can map the full dependency tree of any package and see CRITICAL risks that hide 1–2 levels deep.
Here's what I found for @anthropic-ai/sdk:
Dependency Tree: @anthropic-ai/sdk
Root score: 86/100
CRITICAL packages:
71/100 json-schema-to-ts 10.1M/wk 1 maint. [direct] ⚠️ CRITICAL
64/100 ts-algebra 10.0M/wk 1 maint. [transitive] ⚠️ CRITICAL
Critical exposure paths:
@anthropic-ai/sdk → json-schema-to-ts → ts-algebra
Two packages. Sole maintainer each. 10M+ weekly downloads each. Zero coverage in any CVE database.
The problem with flat audits
When you paste your package.json into a scanner, you see your direct dependencies and nothing else. npm audit does walk the lock file, but it only reports known advisories. Either way, direct dependencies are a thin slice of what you actually ship: modern packages are deliberately minimal (langchain has 5 direct deps, next has 6), while the installed tree under node_modules routinely contains 100–300 packages, several levels deep.
The behavioral risk doesn't live in your package.json. It lives in the full tree.
express looks fine (score 97/100, 5 maintainers). But its direct dependencies include:
depd — 101M/wk, 1 maintainer ⚠️ CRITICAL
once — 106M/wk, 1 maintainer ⚠️ CRITICAL
escape-html — 72M/wk, 1 maintainer ⚠️ CRITICAL
Three CRITICAL packages inside a package that looks healthy on the surface.
Why behavioral signals matter here
CRITICAL doesn't mean vulnerable. It means: sole point of human oversight over a package downloaded >10 million times per week.
When chalk's sole maintainer had his npm account phished in September 2025, the attack surface was roughly 300M downloads per week for chalk alone, and the same account also published debug and more than a dozen other packages. When ua-parser-js's sole maintainer was compromised in October 2021, the malicious versions stayed live for hours before they were removed. One person. No backup.
CVE databases show exploits after they happen. Behavioral signals show structural fragility before.
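The tree walk the two sections above describe, as an added example that is not Proof of Commitment's own code: a breadth-first traversal to a chosen depth that flags packages meeting the post's CRITICAL definition (one maintainer, roughly 10M or more weekly downloads) and records the exposure path from the root to each one. The REGISTRY object is a constructed, offline stand-in for npm packument and download data. Download and maintainer figures for the flagged packages are the ones quoted in the post; the root packages' figures, the `debug`/`wrappy` entries and the missing `ms` entry are made up to show a healthy dependency, a sole-maintainer transitive dependency and an unresolved package.

```javascript
// Added example (not Proof of Commitment's code): BFS over a dependency tree,
// flagging sole-maintainer, high-download packages and their exposure paths.

const CRITICAL_WEEKLY = 10_000_000;  // the post's ">10M/wk" threshold; its table counts 10.0M as critical, so >= is used
const CRITICAL_MAINTAINERS = 1;

// Constructed, offline stand-in for registry + download data.
const REGISTRY = {
  // root packages: maintainer and download figures are constructed
  '@anthropic-ai/sdk': { maintainers: 3, weekly: 2_000_000,   deps: ['json-schema-to-ts'] },
  'express':           { maintainers: 5, weekly: 40_000_000,  deps: ['depd', 'once', 'escape-html', 'debug'] },
  // figures as quoted in the post
  'json-schema-to-ts': { maintainers: 1, weekly: 10_100_000,  deps: ['ts-algebra'] },
  'ts-algebra':        { maintainers: 1, weekly: 10_000_000,  deps: [] },
  'depd':              { maintainers: 1, weekly: 101_000_000, deps: [] },
  'once':              { maintainers: 1, weekly: 106_000_000, deps: ['wrappy'] },
  'escape-html':       { maintainers: 1, weekly: 72_000_000,  deps: [] },
  // constructed: one healthy dep, one sole-maintainer transitive dep;
  // 'ms' is deliberately absent to show how unresolved packages are reported
  'debug':             { maintainers: 2, weekly: 300_000_000, deps: ['ms'] },
  'wrappy':            { maintainers: 1, weekly: 50_000_000,  deps: [] },
};

// CRITICAL means "one human gatekeeper for a package everyone pulls", not "vulnerable".
function isCritical(meta) {
  return meta.maintainers <= CRITICAL_MAINTAINERS && meta.weekly >= CRITICAL_WEEKLY;
}

// Walk breadth-first from `root` down to `maxDepth` levels (1 = direct deps only).
// BFS guarantees the first path found to a package is the shortest one, and the
// `seen` set keeps diamonds and cycles from being reported more than once.
function auditTree(root, maxDepth, registry = REGISTRY) {
  const seen = new Set([root]);
  const queue = [{ name: root, path: [root] }];
  const critical = [];
  const unresolved = [];

  while (queue.length) {
    const { name, path } = queue.shift();
    const level = path.length - 1;          // 0 = root, 1 = direct, 2+ = transitive
    const meta = registry[name];
    if (!meta) { unresolved.push(name); continue; }  // never silently skip a gap in the data

    if (level > 0 && isCritical(meta)) {
      critical.push({
        name,
        level,
        kind: level === 1 ? 'direct' : 'transitive',
        maintainers: meta.maintainers,
        weekly: meta.weekly,
        path: path.join(' → '),
      });
    }
    if (level >= maxDepth) continue;
    for (const dep of meta.deps) {
      if (seen.has(dep)) continue;
      seen.add(dep);
      queue.push({ name: dep, path: [...path, dep] });
    }
  }
  return { root, critical, unresolved };
}

// Render a report in the same shape as the post's listing.
function formatReport({ root, critical, unresolved }) {
  const lines = [`Dependency Tree: ${root}`, `CRITICAL packages: ${critical.length}`];
  for (const c of critical) {
    lines.push(`  ${c.name}  ${(c.weekly / 1e6).toFixed(1)}M/wk  ${c.maintainers} maint.  [${c.kind}]`);
    lines.push(`    exposure path: ${c.path}`);
  }
  if (unresolved.length) lines.push(`Unresolved (no registry data): ${unresolved.join(', ')}`);
  return lines.join('\n');
}

console.log(formatReport(auditTree('@anthropic-ai/sdk', 2)));
console.log(formatReport(auditTree('express', 2)));
```

Run against a real tree, the `deps` lists would come from the lock file and the maintainer and download counts from the registry; the traversal logic is the same. Note that a depth of 1 on `@anthropic-ai/sdk` reports only `json-schema-to-ts` and never reaches `ts-algebra`, which is exactly the blind spot a flat audit has.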
Try it
API (new):
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
-H "Content-Type: application/json" \
-d '{"package": "express", "depth": 2}'
MCP (new tool — zero install):
Add to Claude Desktop:
{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
Then ask: "Map the dependency tree risk for express at depth 2"
Web demo: getcommit.dev/audit — paste any package.json, see risk scores.
The dependency graph endpoint and audit_dependency_tree MCP tool are live now. Try your most critical packages — the ones you trust most are often the ones worth checking deepest.
What packages surprised you? Drop them in the comments — I'll run the depth-2 audit and share the results.