npm package trust score

hasown

npm · 177M/week · 11.7 years old

70/ 100

MODERATE

npm publishers2

Weekly downloads177M

Package age11.7 years

Last published26d ago

GitHub contributors2

ProvenanceNo

OpenSSF Scorecard—

GradeB

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

Longevity

25/25

Download momentum

22/25

Release consistency

11/20

Publisher depth

7/15

GitHub backing

5/15

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

Longevity — how long the package has been published and actively maintained
Publisher depth — number of people with npm publish access (distinct from GitHub contributors)
Release consistency — regular releases signal active oversight
Download trend — growing, stable, or declining adoption
GitHub backing — contributor depth and OpenSSF Scorecard process security

Use this data

Audit your full dependency tree Add to your CI pipeline

CLI

npx proof-of-commitment hasown

MCP (Claude, Cursor, Windsurf)

{ "mcpServers": { "commit": { "type": "streamable-http", "url": "https://poc-backend.amdal-dev.workers.dev/mcp" } } }

README badge

![Commit Trust](https://poc-backend.amdal-dev.workers.dev/badge/npm/hasown)

REST API

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit -H "Content-Type: application/json" -d '{"packages":["hasown"]}'