The proof-of-commitment API reveals a crucial insight about npm security through axios's profile:
```json
{
  "name": "axios",
  "score": 86,
  "riskFlags": ["CRITICAL"],
  "maintainers": 1,
  "weeklyDownloads": 81672752
}
```
A score of 86/100 indicates excellent package health. Yet it simultaneously triggers a CRITICAL flag. These aren't contradictory. They're the most important thing the score reveals: quality and structural risk are orthogonal.
The Core Problem
The CRITICAL detection logic is elegantly simple:
```javascript
if (maintainerCount === 1 && weeklyDownloads > 10_000_000)
  riskFlags.push("CRITICAL");
```
No machine learning. No behavioral analysis. Just one conditional identifying single points of failure at scale.
Why Quality Doesn't Equal Safety
The ua-parser-js incident (October 2021) established the template. Faisal Salman was the sole maintainer, and his credentials were compromised. A malicious version was published to a package with ~7 million weekly downloads. npm audit had shown zero warnings beforehand.
Today, axios operates at 82 million weekly downloads with one maintainer — a 10x larger blast radius.
Why npm audit Can't See This
npm audit is a CVE database lookup. It cannot detect threats before exploitation.
| State | npm audit | proof-of-commitment |
|---|---|---|
| Years before attack | 0 vulnerabilities | ⚠️ WARN (structural) |
| Oct 2021: malicious publish | 0 vulnerabilities | ⚠️ WARN (structural) |
| CVE filed (hours later) | 1 critical vulnerability | ⚠️ WARN (structural) |
The Score Breakdown
```json
{
  "name": "axios",
  "score": 86,
  "riskFlags": ["CRITICAL"],
  "scoreBreakdown": {
    "longevity": 25,
    "downloadMomentum": 22,
    "releaseConsistency": 20,
    "maintainerDepth": 4,
    "githubBacking": 15
  }
}
```
- Longevity (25/25): 11.6 years old
- Download momentum (22/25): Stable at 82M/week
- Release consistency (20/20): Regular cadence
- Maintainer depth (4/15): Single maintainer breaks this dimension
- GitHub backing (15/15): Strong community engagement
Ecosystem Analysis
15 of the top 50 most-downloaded npm packages — 30% — trigger CRITICAL. Together, those 15 packages account for 2.5 billion weekly downloads.
Critical Packages (1 Maintainer, High Downloads)
| Package | Maintainers | Weekly Downloads | Risk |
|---|---|---|---|
| minimatch | 1 | 562M | 🔴 CRITICAL |
| chalk | 1 | 413M | 🔴 CRITICAL |
| glob | 1 | 332M | 🔴 CRITICAL |
| @types/node | 1 | 310M | 🔴 CRITICAL |
| esbuild | 1 | 190M | 🔴 CRITICAL |
| zod | 1 | 158M | 🔴 CRITICAL |
| chokidar | 1 | 158M | 🔴 CRITICAL |
| lodash | 1 | 145M | 🔴 CRITICAL |
| axios | 1 | 101M | 🔴 CRITICAL |
Safe Packages (Multiple Maintainers)
| Package | Maintainers | Weekly Downloads | Risk |
|---|---|---|---|
| semver | 5 | 633M | ✅ Safe |
| debug | 2 | 553M | ✅ Safe |
| typescript | 6 | 178M | ✅ Safe |
| react | 2 | 122M | ✅ Safe |
| express | 5 | 93M | ✅ Safe |
The difference isn't download count, project age, or release cadence. It's the number of people between an attacker and the npm publish button.
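To make the two mechanisms above concrete, the CRITICAL rule from The Core Problem and the additive score from The Score Breakdown, here is an added JavaScript example that applies both to the package rows in the two ecosystem tables. This is illustrative code written for this page, not the proof-of-commitment project's own implementation: the per-dimension maxima are read off the x/25, x/20, x/15 annotations in the breakdown, the 10,000,000 threshold is the page's rule, and the package rows are copied from the tables (download counts rounded to millions as printed there).

```javascript
// Added example, not the proof-of-commitment project's code. It implements the
// page's CRITICAL rule, totals a score breakdown, and runs the rule over the
// package rows from the page's two ecosystem tables.

const DOWNLOAD_THRESHOLD = 10_000_000; // weekly downloads, the page's rule

// Maximum per dimension, inferred from the x/25, x/20, x/15 annotations above.
const MAX_PER_DIMENSION = {
  longevity: 25,
  downloadMomentum: 25,
  releaseConsistency: 20,
  maintainerDepth: 15,
  githubBacking: 15,
};

// The page's structural rule: one maintainer and a large blast radius.
function riskFlags({ maintainers, weeklyDownloads }) {
  const flags = [];
  if (maintainers === 1 && weeklyDownloads > DOWNLOAD_THRESHOLD) {
    flags.push("CRITICAL");
  }
  return flags;
}

// Sum the dimensions, rejecting values outside [0, max] so a malformed or
// tampered breakdown cannot silently inflate the score.
function totalScore(breakdown) {
  let sum = 0;
  for (const [dimension, max] of Object.entries(MAX_PER_DIMENSION)) {
    const value = breakdown[dimension];
    if (!Number.isInteger(value) || value < 0 || value > max) {
      throw new RangeError(`${dimension} must be an integer in [0, ${max}], got ${value}`);
    }
    sum += value;
  }
  return sum;
}

// Build the profile shape shown on the page from raw inputs.
function profile(name, maintainers, weeklyDownloads, breakdown) {
  const p = { name, maintainers, weeklyDownloads, riskFlags: riskFlags({ maintainers, weeklyDownloads }) };
  if (breakdown) {
    p.score = totalScore(breakdown);
    p.scoreBreakdown = breakdown;
  }
  return p;
}

const M = 1_000_000;

// Rows copied from the page's two tables: [name, maintainers, weekly downloads].
const ECOSYSTEM = [
  ["minimatch", 1, 562 * M], ["chalk", 1, 413 * M], ["glob", 1, 332 * M],
  ["@types/node", 1, 310 * M], ["esbuild", 1, 190 * M], ["zod", 1, 158 * M],
  ["chokidar", 1, 158 * M], ["lodash", 1, 145 * M], ["axios", 1, 101 * M],
  ["semver", 5, 633 * M], ["debug", 2, 553 * M], ["typescript", 6, 178 * M],
  ["react", 2, 122 * M], ["express", 5, 93 * M],
];

// Partition a dependency list by the structural rule; download volume and
// project age play no part in the split, only the maintainer count does.
function partition(rows) {
  const critical = [];
  const safe = [];
  for (const [name, maintainers, weeklyDownloads] of rows) {
    const p = profile(name, maintainers, weeklyDownloads);
    (p.riskFlags.includes("CRITICAL") ? critical : safe).push(p.name);
  }
  return { critical, safe };
}

// Weekly downloads sitting behind single-maintainer packages: the blast radius
// a single compromised publish account would reach.
function blastRadius(rows) {
  return rows
    .filter(([, maintainers, downloads]) => riskFlags({ maintainers, weeklyDownloads: downloads }).length > 0)
    .reduce((sum, [, , downloads]) => sum + downloads, 0);
}

// The axios profile from the page: a high score and a CRITICAL flag at once.
const AXIOS = profile("axios", 1, 81672752, {
  longevity: 25, downloadMomentum: 22, releaseConsistency: 20, maintainerDepth: 4, githubBacking: 15,
});

console.log(JSON.stringify(AXIOS, null, 2));
console.log(partition(ECOSYSTEM));
console.log(`blast radius: ${blastRadius(ECOSYSTEM) / M}M weekly downloads`);
```

Note the boundary: the page's rule uses a strict `>`, so a package at exactly 10,000,000 weekly downloads with one maintainer is not flagged, and the range check in `totalScore` is what stops a breakdown field like `maintainerDepth: 15` from being reported for a package whose maintainer count says otherwise only if the caller keeps the two consistent; the rule itself reads the maintainer count, not the score.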
Addressing False Positive Concerns
The objection: "Only two of these 15 packages got attacked. That's a 13-out-of-15 false positive rate."
Proof-of-commitment does not predict which package will be attacked next, or when. It identifies the structural conditions that attackers select for.
Structural engineers don't predict earthquakes — they identify which buildings will collapse when one occurs.
Historical precedent:
- ua-parser-js (2021): Compromised sole maintainer
- event-stream (2018): Compromised sole maintainer
- colors.js (2022): Compromised sole maintainer
The question isn't whether the flag is predictive. It's whether you'd rather know about the structural risk before the CVE or after.
Conclusion
The analysis is straightforward. The data is public. The answer for axios, minimatch, chalk, glob, zod, esbuild, and nine other top-100 packages is CRITICAL — right now.
Audit your dependencies: getcommit.dev/audit · GitHub