State of npm Supply Chain Trust — Q2 2026
We audited the top 100 npm packages by weekly downloads. 7 of the top 10 have a single maintainer; together those seven handle just over 3 billion installs per week. Across the full 100, 47% of all weekly npm traffic (7.2 billion downloads) flows through packages with one person at the helm.
These aren't obscure packages. They're at the base of the JavaScript dependency graph — the ones pulled into virtually every Node.js application ever built. You almost certainly run them every time you execute npm install. Most developers couldn't name them.
We scored the top 100 npm packages by weekly download count using Commit's behavioral trust scoring, which measures longevity, release consistency, maintainer depth, and organizational backing — signals that are hard to fake. Here's what the data shows.
The Numbers
| Metric | Value |
|---|---|
| Packages audited | 100 |
| Total weekly downloads | 15.15 billion |
| CRITICAL-flagged packages | 14 (2.63B downloads/wk) |
| Single-maintainer packages | 40 packages (7.23B downloads/wk, 47%) |
| Average trust score | 68.7 / 100 |
47% of all weekly npm traffic flows through packages controlled by a single person. That is not just the 14 CRITICAL packages: 40 of the top 100 have one maintainer.
The Top 10 Most Downloaded npm Packages
| # | Package | Score | Risk | Maint. | Downloads/wk |
|---|---|---|---|---|---|
| 1 | ansi-styles | 52 | ✅ | 1 | 567M |
| 2 | semver | 90 | ✅ | 4 | 536M |
| 3 | brace-expansion | 60 | ✅ | 2 | 483M |
| 4 | minimatch | 85 | 🔴 CRITICAL | 1 | 473M |
| 5 | debug | 79 | ✅ | 2 | 462M |
| 6 | strip-ansi | 50 | ✅ | 1 | 452M |
| 7 | supports-color | 53 | ✅ | 1 | 409M |
| 8 | string-width | 51 | ✅ | 1 | 407M |
| 9 | wrap-ansi | 51 | ✅ | 1 | 359M |
| 10 | ansi-regex | 70 | 🔴 CRITICAL | 1 | 348M |
The top package by weekly download count in the entire npm ecosystem isn't react. It isn't typescript. It's ansi-styles — a package that provides ANSI escape code strings for terminal colors. Its primary consumer is chalk. Chalk is used by nearly every build tool, CLI, and test runner in existence.
One maintainer. 567 million installs per week.
Numbers 1, 6, 7, 8, 9, and 10 in the rankings form a cluster: ansi-styles, strip-ansi, supports-color, string-width, wrap-ansi, and ansi-regex. All part of the ANSI terminal color ecosystem. All with a single maintainer. Combined: over 2.5 billion weekly downloads.
The CRITICAL 14
CRITICAL = more than 10M weekly downloads and a single account with npm publish access. One token, one compromise window. The flag is keyed to publish access as described under Methodology, not to the Maint. column, and the two do not always agree: ansi-styles at #1 shows one maintainer and carries no flag.
| Package | Score | Downloads/wk | Embedded in… |
|---|---|---|---|
| minimatch | 85 | 473M | ESLint, Jest, webpack, Vite, npm CLI |
| ansi-regex | 70 | 348M | chalk, strip-ansi, every CLI with color |
| chalk | 75 | 339M | Everything with colored terminal output |
| glob | 81 | 276M | ESLint, webpack, Jest, Node.js |
| @types/node | 88 | 261M | Every TypeScript backend project |
| esbuild | 88 | 171M | Vite, Next.js, most modern bundlers |
| chokidar | 81 | 134M | webpack, Vite, Jest, all file watchers |
| zod | 83 | 134M | tRPC, Next.js, most validation layers |
| caniuse-lite | 84 | 132M | Babel, Browserslist, PostCSS |
| fast-deep-equal | 68 | 122M | React reconciler, Redux, Vue, ajv |
| lodash | 87 | 122M | Millions of direct dependencies |
| axios | 86 | 82M | Millions of direct dependencies |
| husky | 77 | 21M | Git hook management in most repos |
| cross-env | 73 | 14M | Cross-platform npm scripts |
axios carries the same structural profile ua-parser-js had before its October 2021 compromise: tens of millions of weekly downloads and one person with publish access. npm audit showed zero warnings before that attack, because it only knows about published CVEs, and the CVE database had nothing until four hours after the malicious publish. The structural signal was visible the whole time.
Score Distribution
| Tier | Score | Count |
|---|---|---|
| Elite — multi-org backing, decade-long record | 90–100 | 12 |
| Healthy — established, active, watch depth | 70–89 | 33 |
| Moderate — maintenance gaps, shallow contributor base | 50–69 | 43 |
| At Risk — stalled releases, single point of failure | <50 | 12 |
43 packages score 50–69: mostly unflagged, but with billions of weekly downloads between them and no organizational backup. This is the quiet risk: not alarming enough for a red flag, deep enough in the graph that nobody audits it.
What SAFE Looks Like
The 12 packages scoring 90+:
| Package | Score | Maint. | Downloads/wk |
|---|---|---|---|
| rollup | 99 | 5 | 90M |
| typescript | 98 | 6 | 154M |
| express | 97 | 5 | 77M |
| vite | 96 | 4 | 92M |
| undici | 96 | 3 | 75M |
| dotenv | 94 | 3 | 100M |
| @babel/core | 93 | 4 | 108M |
| eslint | 91 | 2 | 108M |
| react | 91 | 2 | 109M |
| react-dom | 91 | 2 | 103M |
| ws | 90 | 4 | 162M |
| semver | 90 | 4 | 536M |
semver (#2 by downloads, 536M/week) scores 90 and is team-maintained by npm Inc. That's what supply chain resilience looks like. The problem is its neighbors: ansi-styles at #1 has a single maintainer and brace-expansion at #3 has two.
Full Dataset — Top 100 npm Packages
Ranked by weekly downloads. Data: April 16–22, 2026. 🔴 = CRITICAL (single maintainer + >10M/wk). 🟡 = WARN. ✅ = not flagged.
| # | Package | Score | Risk | Maint. | Downloads/wk |
|---|---|---|---|---|---|
| 1 | ansi-styles | 52 | ✅ | 1 | 567M |
| 2 | semver | 90 | ✅ | 4 | 536M |
| 3 | brace-expansion | 60 | ✅ | 2 | 483M |
| 4 | minimatch | 85 | 🔴 | 1 | 473M |
| 5 | debug | 79 | ✅ | 2 | 462M |
| 6 | strip-ansi | 50 | ✅ | 1 | 452M |
| 7 | supports-color | 53 | ✅ | 1 | 409M |
| 8 | string-width | 51 | ✅ | 1 | 407M |
| 9 | wrap-ansi | 51 | ✅ | 1 | 359M |
| 10 | ansi-regex | 70 | 🔴 | 1 | 348M |
| 11 | ms | 85 | ✅ | 6 | 346M |
| 12 | chalk | 75 | 🔴 | 1 | 339M |
| 13 | commander | 86 | ✅ | 2 | 309M |
| 14 | tslib | 86 | ✅ | 6 | 297M |
| 15 | picomatch | 86 | ✅ | 4 | 293M |
| 16 | color-name | 54 | ✅ | 3 | 286M |
| 17 | color-convert | 52 | ✅ | 1 | 284M |
| 18 | glob | 81 | 🔴 | 1 | 276M |
| 19 | has-flag | 39 | 🟡 | 1 | 268M |
| 20 | balanced-match | 51 | ✅ | 1 | 263M |
| 21 | @types/node | 88 | 🔴 | 1 | 261M |
| 22 | which | 61 | ✅ | 4 | 245M |
| 23 | json-schema-traverse | 39 | 🟡 | 1 | 235M |
| 24 | safe-buffer | 45 | 🟡 | 2 | 232M |
| 25 | signal-exit | 49 | 🟡 | 2 | 226M |
| 26 | readable-stream | 84 | 🟡 | 3 | 225M |
| 27 | ajv | 89 | ✅ | 2 | 224M |
| 28 | postcss | 63 | ✅ | 1 | 214M |
| 29 | uuid | 85 | ✅ | 2 | 201M |
| 30 | isexe | 47 | ✅ | 1 | 200M |
| 31 | mime-types | 64 | ✅ | 5 | 187M |
| 32 | cross-spawn | 50 | 🟡 | 1 | 182M |
| 33 | esbuild | 88 | 🔴 | 1 | 171M |
| 34 | cliui | 51 | 🟡 | 2 | 167M |
| 35 | ws | 90 | ✅ | 4 | 162M |
| 36 | path-to-regexp | 70 | ✅ | 6 | 157M |
| 37 | typescript | 98 | ✅ | 6 | 154M |
| 38 | inherits | 42 | 🟡 | 1 | 152M |
| 39 | qs | 61 | ✅ | 2 | 149M |
| 40 | braces | 52 | 🟡 | 2 | 147M |
| 41 | fill-range | 56 | 🟡 | 4 | 146M |
| 42 | yargs | 81 | ✅ | 2 | 145M |
| 43 | cookie | 60 | ✅ | 3 | 141M |
| 44 | to-regex-range | 48 | 🟡 | 2 | 139M |
| 45 | chokidar | 81 | 🔴 | 1 | 134M |
| 46 | zod | 83 | 🔴 | 1 | 134M |
| 47 | caniuse-lite | 84 | 🔴 | 1 | 132M |
| 48 | concat-map | 39 | 🟡 | 1 | 123M |
| 49 | fast-deep-equal | 68 | 🔴 | 1 | 122M |
| 50 | lodash | 87 | 🔴 | 1 | 122M |
| 51 | micromatch | 84 | 🟡 | 3 | 120M |
| 52 | once | 46 | ✅ | 1 | 111M |
| 53 | react | 91 | ✅ | 2 | 109M |
| 54 | eslint | 91 | ✅ | 2 | 108M |
| 55 | @babel/core | 93 | ✅ | 4 | 108M |
| 56 | wrappy | 39 | 🟡 | 1 | 107M |
| 57 | react-dom | 91 | ✅ | 2 | 103M |
| 58 | dotenv | 94 | ✅ | 3 | 100M |
| 59 | tailwindcss | 70 | ✅ | 3 | 98M |
| 60 | body-parser | 60 | ✅ | 3 | 96M |
| 61 | vite | 96 | ✅ | 4 | 92M |
| 62 | prettier | 75 | ✅ | 11 | 91M |
| 63 | rollup | 99 | ✅ | 5 | 90M |
| 64 | axios | 86 | 🔴 | 1 | 82M |
| 65 | express | 97 | ✅ | 5 | 77M |
| 66 | undici | 96 | ✅ | 3 | 75M |
| 67 | pnpm | 66 | ✅ | 2 | 73M |
| 68 | sharp | 59 | ✅ | 1 | 59M |
| 69 | vitest | 68 | ✅ | 5 | 51M |
| 70 | cors | 60 | ✅ | 3 | 50M |
| 71 | webpack | 75 | ✅ | 8 | 45M |
| 72 | tsx | 55 | ✅ | 1 | 44M |
| 73 | @swc/core | 64 | ✅ | 1 | 43M |
| 74 | jest | 70 | ✅ | 5 | 43M |
| 75 | @babel/preset-env | 68 | ✅ | 4 | 38M |
| 76 | @types/jest | 59 | ✅ | 1 | 37M |
| 77 | @testing-library/react | 68 | ✅ | 17 | 37M |
| 78 | next | 70 | ✅ | 3 | 36M |
| 79 | ts-node | 81 | ✅ | 2 | 35M |
| 80 | hono | 57 | ✅ | 1 | 35M |
| 81 | jsonwebtoken | 87 | ✅ | 3 | 33M |
| 82 | pino | 68 | ✅ | 4 | 28M |
| 83 | pg | 57 | ✅ | 1 | 24M |
| 84 | winston | 67 | ✅ | 8 | 22M |
| 85 | lint-staged | 64 | ✅ | 2 | 21M |
| 86 | husky | 77 | 🔴 | 1 | 21M |
| 87 | ioredis | 63 | ✅ | 2 | 17M |
| 88 | msw | 63 | ✅ | 1 | 15M |
| 89 | cross-env | 73 | 🔴 | 1 | 14M |
| 90 | turbo | 64 | ✅ | 2 | 13M |
| 91 | nodemon | 61 | ✅ | 1 | 12M |
| 92 | socket.io | 87 | ✅ | 2 | 10M |
| 93 | prisma | 66 | ✅ | 2 | 10M |
| 94 | redis | 74 | ✅ | 5 | 9M |
| 95 | drizzle-orm | 62 | ✅ | 4 | 8M |
| 96 | fastify | 60 | ✅ | 5 | 7M |
| 97 | kysely | 61 | ✅ | 2 | 4M |
| 98 | elysia | 46 | ✅ | 1 | 474K |
| 99 | @hono/zod-validator | 43 | ✅ | 1 | — |
| 100 | bun-types | 64 | ✅ | 3 | — |
Methodology
Trust scoring uses Commit's behavioral scoring engine:
| Signal | Max | What it measures |
|---|---|---|
| Longevity | 25 | Years maintained, consistency of presence |
| Download Momentum | 25 | Recent growth or stability trends |
| Release Consistency | 20 | Cadence regularity, not just volume |
| Maintainer Depth | 15 | Number of active publishers with commit history |
| GitHub Backing | 15 | Stars, contributor count, organizational indicators |
CRITICAL = >10M weekly downloads + 1 active maintainer with npm publish access. This is the exact structural profile that the ua-parser-js compromise (2021), the colors.js sabotage (2022), and the event-stream incident (2018) all shared.
WARN = declining trends, stalled releases, or shallow contributor base below CRITICAL threshold.
Download data from npm registry (April 16–22, 2026).
This analysis does not replace npm audit — it answers a different question. npm audit scans known CVEs. Commit scores structural resilience: would this package survive a maintainer compromise, a token theft, or a gradual abandonment?
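The CRITICAL rule (more than 10M weekly downloads and one account with publish rights) is mechanical enough to run against your own dependency list. What follows is an added example written for this page, not Commit's scoring engine and not the proof-of-commitment CLI. It reads publish rights from the npm registry packument's `maintainers` list and weekly volume from the downloads API; the two-year "stalled" cutoff and the exact WARN rule are this example's assumptions, since the report only lists WARN's ingredients. The sample data is constructed: the minimatch, semver and cross-env download figures follow the table above, the publisher lists and dates are illustrative, and the two `example-*` packages are invented to exercise the WARN rule.

```javascript
// Added example (not Commit's code): flag dependencies that match the report's
// CRITICAL profile and measure how much install traffic runs through packages
// with a single publishing account. The 10M/week line is the report's; the
// "stalled" threshold and the WARN rule below are this example's assumptions.

const CRITICAL_WEEKLY_DOWNLOADS = 10_000_000; // report definition: >10M/week
const STALLED_AFTER_DAYS = 730;               // assumption: no release in 2 years

// `publishers` are the accounts with npm publish rights (the registry
// packument's `maintainers` list); `lastPublish` is the ISO date of the
// version currently tagged `latest`.
function classify(pkg, now = new Date()) {
  const single = pkg.publishers.length === 1;
  const daysSincePublish = (now - new Date(pkg.lastPublish)) / 86_400_000;
  if (single && pkg.weeklyDownloads > CRITICAL_WEEKLY_DOWNLOADS) return 'CRITICAL';
  // WARN (assumed rule): one publisher below the CRITICAL line, or a stalled
  // release train regardless of publisher count.
  if (single || daysSincePublish > STALLED_AFTER_DAYS) return 'WARN';
  return 'OK';
}

// Share of weekly downloads in a dependency set that passes through
// single-publisher packages (the report's "47% of all weekly npm traffic").
function singlePublisherShare(pkgs) {
  const total = pkgs.reduce((sum, p) => sum + p.weeklyDownloads, 0);
  const single = pkgs
    .filter((p) => p.publishers.length === 1)
    .reduce((sum, p) => sum + p.weeklyDownloads, 0);
  return total === 0 ? 0 : single / total;
}

function auditDependencies(pkgs, now = new Date()) {
  const results = pkgs
    .map((p) => ({ name: p.name, risk: classify(p, now), weeklyDownloads: p.weeklyDownloads }))
    .sort((a, b) => b.weeklyDownloads - a.weeklyDownloads);
  return {
    results,
    critical: results.filter((r) => r.risk === 'CRITICAL').map((r) => r.name),
    singlePublisherShare: singlePublisherShare(pkgs),
  };
}

// Live lookup against the public registry (Node 18+ global fetch). Not called
// below so the example stays offline; scoped names need the slash encoded in
// the packument URL.
async function fetchPackageFacts(name) {
  const packumentUrl = `https://registry.npmjs.org/${name.replace('/', '%2F')}`;
  const downloadsUrl = `https://api.npmjs.org/downloads/point/last-week/${name}`;
  const [packument, downloads] = await Promise.all([
    fetch(packumentUrl).then((r) => r.json()),
    fetch(downloadsUrl).then((r) => r.json()),
  ]);
  const latest = packument['dist-tags'].latest;
  return {
    name,
    weeklyDownloads: downloads.downloads,
    publishers: (packument.maintainers || []).map((m) => m.name),
    lastPublish: packument.time[latest],
  };
}

// Constructed sample: download figures for minimatch, semver and cross-env follow
// the report's table; publisher lists and dates are illustrative, and the two
// "example-*" packages are invented to exercise the WARN rule.
const SAMPLE = [
  { name: 'minimatch', weeklyDownloads: 473_000_000, publishers: ['m1'], lastPublish: '2026-03-01' },
  { name: 'semver', weeklyDownloads: 536_000_000, publishers: ['s1', 's2', 's3', 's4'], lastPublish: '2026-02-10' },
  { name: 'cross-env', weeklyDownloads: 14_000_000, publishers: ['c1'], lastPublish: '2025-11-05' },
  { name: 'example-stalled', weeklyDownloads: 50_000_000, publishers: ['e1', 'e2', 'e3'], lastPublish: '2021-06-01' },
  { name: 'example-small-single', weeklyDownloads: 2_000_000, publishers: ['e4'], lastPublish: '2025-09-01' },
];

console.log(JSON.stringify(auditDependencies(SAMPLE, new Date('2026-04-22')), null, 2));
```

To run it against a real manifest, replace `SAMPLE` with the result of mapping `fetchPackageFacts` over the names in your package.json (or, better, over every package in package-lock.json, since the packages in this report are almost all transitive). The packument's `maintainers` list is the set of accounts that can publish, which is the quantity the CRITICAL rule is about; it is not necessarily the same number as the Maint. column in the tables above.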
Audit your own project: getcommit.dev/audit · Run locally: npx proof-of-commitment audit · GitHub · Previous: April 2026 (50 packages)
We're building Commit — trust infrastructure for the autonomous economy. Behavioral commitment data, not declarations.
See also: hono Scores CRITICAL · The axios Signal · Three npm Disasters That Were Predictable