npm package trust score

core-js

npm · 41M/week · 12.9 years old

80/ 100
CRITICAL
npm publishers1
Weekly downloads41M
Package age12.9 years
Last published86d ago
GitHub contributors35
SLSA provenanceNo
Trusted PublishingNo
OpenSSF Scorecard5.0/10
GradeA

Risk flags

CRITICAL: sole npm publisher + >10M/wk

core-js has a single npm publisher with 41M weekly downloads. This is the exact attack profile that enabled the axios compromise (March 2026) and the LiteLLM supply chain attack. A stolen credential gives an attacker publish access to a package running on millions of machines. GitHub contributors (35) don't have npm publish rights — only the publisher does.

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

Longevity
25/25
Download momentum
22/25
Release consistency
18/20
Publisher depth
4/15
GitHub backing
11/15
Trusted Publishing
0/2

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

Related reading

Monitor this package

core-js has concentrated publish-access risk. Get alerted when its publisher count, release cadence, or risk score changes.

Get alerts for core-js → Compare plans →

Free: 200 audits/day · Paid from Developer ($15/mo): monitoring, batch API, email alerts

Use this data

Audit your full dependency tree Add to your CI pipeline

CLI

npx proof-of-commitment core-js

MCP (Claude, Cursor, Windsurf)

{ "mcpServers": { "commit": { "type": "streamable-http", "url": "https://poc-backend.amdal-dev.workers.dev/mcp" } } }

README badge

![Commit Trust](https://poc-backend.amdal-dev.workers.dev/badge/npm/core-js)

core-js commit trust badge

REST API

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit -H "Content-Type: application/json" -d '{"packages":["core-js"]}'