npm package trust score

json-schema-traverse

npm · 255M/week · 8.9 years old

61/ 100

CRITICAL

npm publishers1

Weekly downloads255M

Package age8.9 years

Last published1978d ago

GitHub contributors5

ProvenanceNo

OpenSSF Scorecard3.0/10

GradeC

Risk flags

CRITICAL: sole npm publisher + >10M/wkWARN: no release in 12+ months

json-schema-traverse has a single npm publisher with 255M weekly downloads. This is the exact attack profile that enabled the axios compromise (March 2026) and the LiteLLM supply chain attack. A stolen credential gives an attacker publish access to a package running on millions of machines. GitHub contributors (5) don't have npm publish rights — only the publisher does.

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

Longevity

25/25

Download momentum

22/25

Release consistency

6/20

Publisher depth

4/15

GitHub backing

4/15

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

Longevity — how long the package has been published and actively maintained
Publisher depth — number of people with npm publish access (distinct from GitHub contributors)
Release consistency — regular releases signal active oversight
Download trend — growing, stable, or declining adoption
GitHub backing — contributor depth and OpenSSF Scorecard process security

Use this data

Audit your full dependency tree Add to your CI pipeline

CLI

npx proof-of-commitment json-schema-traverse

MCP (Claude, Cursor, Windsurf)

{ "mcpServers": { "commit": { "type": "streamable-http", "url": "https://poc-backend.amdal-dev.workers.dev/mcp" } } }

README badge

![Commit Trust](https://poc-backend.amdal-dev.workers.dev/badge/npm/json-schema-traverse)

REST API

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit -H "Content-Type: application/json" -d '{"packages":["json-schema-traverse"]}'