npm package trust score

@esbuild-kit/esm-loader

npm · 6M/week · 4.1 years old

61/ 100

HIGH

npm publishers1

Weekly downloads6M

Package age4.1 years

Last published986d ago

GitHub contributors8

SLSA provenanceNo

Trusted PublishingNo

OpenSSF Scorecard—

GradeC

Risk flags

HIGH: sole npm publisher + >1M/wkWARN: no release in 12+ months

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

Longevity

20/25

Download momentum

21/25

Release consistency

12/20

Publisher depth

4/15

GitHub backing

4/15

Trusted Publishing

0/2

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

Longevity — how long the package has been published and actively maintained
Publisher depth — number of people with npm publish access (distinct from GitHub contributors)
Release consistency — regular releases signal active oversight
Download trend — growing, stable, or declining adoption
GitHub backing — contributor depth and OpenSSF Scorecard process security
Trusted Publishing — whether the package uses npm OIDC provenance to publish from CI, eliminating stolen-credential attacks

Depth-2 transitive risk

3 critical transitive dependencies of @esbuild-kit/esm-loader at depth 2 — across 6 total nodes in the graph.

How this is calculated: depth-2 transitive risk methodology.

Track this package

Monitor @esbuild-kit/esm-loader in CI. Catch risk changes before they reach production.

Track @esbuild-kit/esm-loader → Compare plans →

Free: 200 audits/day · Paid from Developer ($15/mo): monitoring, batch API, email alerts

Use this data

Audit your full dependency tree Add to your CI pipeline

CLI

npx proof-of-commitment @esbuild-kit/esm-loader

MCP (Claude, Cursor, Windsurf)

{ "mcpServers": { "commit": { "type": "streamable-http", "url": "https://poc-backend.amdal-dev.workers.dev/mcp" } } }

README badge

![Commit Trust](https://poc-backend.amdal-dev.workers.dev/badge/npm/%40esbuild-kit%2Fesm-loader)

REST API

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit -H "Content-Type: application/json" -d '{"packages":["@esbuild-kit/esm-loader"]}'