cross-spawn

npm · Rank #15 of 116

72 / 100 C

CRITICAL — Single npm publisher with 190M weekly downloads. One compromised credential could push malicious code to every downstream project.

npx proof-of-commitment · Audit the rest of your tree →

Risk analysis

cross-spawn has a single npm publisher and 190M weekly downloads. This is the exact structural profile exploited in the axios and LiteLLM supply chain attacks: one compromised credential would expose every downstream project.

Why "CRITICAL" doesn't mean "bad"

A CRITICAL flag means this package has the structural preconditions for a supply chain attack — not that an attack is happening. Both axios (score 86) and chalk (score 75) are flagged CRITICAL. They're well-maintained. They're also one stolen credential away from a repeat of the March 2026 attacks.

The flag surfaces a fact: 1 person can push code to 190M machines per week. Whether that's a problem depends on your risk tolerance.

What the score measures

Publisher depth — How many people can push to npm? Single-publisher packages are the #1 structural risk.
Longevity — Older packages have track records. New packages with high adoption are higher risk.
Release consistency — Regular releases signal active oversight. Long gaps mean unpatched vulnerabilities.
Download trend — Growing packages attract more scrutiny (and more attacks).
OpenSSF Scorecard — Process security: branch protection, code review, CI/CD safety.

cross-spawn is one package. Score them all.

You came looking for cross-spawn. Your node_modules has hundreds more. Some of them have the same single-publisher profile. Run one command to score every dependency you ship:

npx proof-of-commitment

Auto-detects your lockfile. Scores every dependency. Zero install.

Try online audit → Quickstart → Free API key →

cross-spawn

Risk analysis

Why "CRITICAL" doesn't mean "bad"

What the score measures

cross-spawn is one package. Score them all.

Add the badge to your README

Related packages