npm package trust score

prettier

npm · 118M/week · 9.5 years old

Score: 85/100
Risk level: CRITICAL
npm publishers: 11
Weekly downloads: 118M
Package age: 9.5 years
Last published: 0d ago
GitHub contributors: 35
SLSA provenance: No
Trusted Publishing: No
OpenSSF Scorecard: 6.8/10
Grade: A

Risk flags

CRITICAL: sole active npm publisher + >10M/wk

WARN: 11 dormant publishers with current scope access — jlongster (113mo inactive), vjeux (106mo inactive), azz (102mo inactive), suchipi (97mo inactive), ikatyang (89mo inactive), duailibe (85mo inactive), lydell (80mo inactive), thorn0 (62mo inactive), sosukesuzuki (51mo inactive), fisker (37mo inactive), prettier-bot (12mo inactive)

prettier has a single npm publisher with 118M weekly downloads. This is the exact attack profile that enabled the axios compromise (March 2026) and the LiteLLM supply chain attack. A stolen credential gives an attacker publish access to a package running on millions of machines. GitHub contributors (35) don't have npm publish rights — only the publisher does.

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

Longevity: 25/25
Download momentum: 25/25
Release consistency: 20/20
Publisher depth: 0/15
GitHub backing: 15/15
Trusted Publishing: 0/2

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

Monitor this package

prettier has concentrated publish-access risk. Get alerted when its publisher count, release cadence, or risk score changes.

Free: 200 audits/day · Paid from Developer ($15/mo): monitoring, batch API, email alerts

Use this data

CLI

npx proof-of-commitment prettier

MCP (Claude, Cursor, Windsurf)

{
  "mcpServers": {
    "commit": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

README badge

![Commit Trust](https://poc-backend.amdal-dev.workers.dev/badge/npm/prettier)

REST API

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit -H "Content-Type: application/json" -d '{"packages":["prettier"]}'