stripe

Risk flags

stripe has a single npm publisher with 12M weekly downloads. This is the exact attack profile that enabled the axios compromise (March 2026) and the LiteLLM supply chain attack. A stolen credential gives an attacker publish access to a package running on millions of machines. GitHub contributors (35) don't have npm publish rights — only the publisher does.

Score breakdown

Five behavioral dimensions. Each measured from public registry data, not self-reported.

What this score measures

The Commit trust score measures behavioral commitment — signals that are hard to fake. Unlike stars, READMEs, or download counts, these signals capture how a package is actually maintained.

• Longevity — how long the package has been published and actively maintained
• Publisher depth — number of people with npm publish access (distinct from GitHub contributors)
• Release consistency — regular releases signal active oversight
• Download trend — growing, stable, or declining adoption
• GitHub backing — contributor depth and OpenSSF Scorecard process security
• Trusted Publishing — whether the package uses npm OIDC provenance to publish from CI, eliminating stolen-credential attacks

Depth-2 transitive risk

1 critical transitive dependency of stripe at depth 2 — across 1 total nodes in the graph.

How this is calculated: depth-2 transitive risk methodology.

Related reading

• Mini Shai-Hulud Didn't Need Your Maintainer's Password
• Half of npm's Top Packages Don't Use Trusted Publishing
• Why npm audit Returns Zero Vulnerabilities for the Most Dangerous Packages

Use this data