Every week, these packages are installed 7.7B times. Most are safe. Some are structural time bombs — one compromised credential away from a supply chain attack affecting millions of developers.

| Rank | Package | Downloads/wk | Trust Score | Risk Level | Maintainers | Age |
|---|---|---|---|---|---|---|
| #1 | semver | 640M | 92 | SAFE | 5 | 15.2y |
| #2 | debug | 556M | 79 | SAFE | 2 | 14.4y |
| #3 | ms | 416M | 85 | SAFE | 6 | 14.3y |
| #4 | chalk | 412M | 75 | CRITICAL | 1 | 12.7y |
| #5 | commander ↑ trending | 370M | 86 | SAFE | 2 | 14.7y |
| #6 | tslib | 360M | 86 | SAFE | 6 | 11.3y |
| #7 | glob | 335M | 79 | CRITICAL | 1 | 15.3y |
| #8 | @types/node ↑ trending | 313M | 88 | CRITICAL | 1 | 9.9y |
| #9 | readable-stream | 272M | 84 | SAFE | 3 | 13.7y |
| #10 | which | 242M | 87 | SAFE | 5 | 14.7y |
| #11 | uuid | 242M | 85 | SAFE | 2 | 15.1y |
| #12 | esbuild ↑ trending | 201M | 88 | CRITICAL | 1 | 8.4y |
| #13 | ws ↑ trending | 192M | 90 | SAFE | 4 | 14.4y |
| #14 | typescript ↑ trending | 183M | 98 | SAFE | 6 | 13.6y |
| #15 | cross-spawn | 180M | 72 | CRITICAL | 1 | 11.8y |
| #16 | yargs | 174M | 81 | SAFE | 2 | 12.4y |
| #17 | fs-extra | 168M | 86 | SAFE | 3 | 14.4y |
| #18 | inherits ↑ trending | 152M | 67 | CRITICAL | 1 | 15y |
| #19 | lodash ↑ trending | 147M | 87 | CRITICAL | 1 | 14y |
| #20 | node-fetch ↑ trending | 131M | 88 | SAFE | 5 | 11.2y |
| #21 | rimraf | 130M | 77 | CRITICAL | 1 | 15.2y |
| #22 | eslint ↑ trending | 128M | 91 | SAFE | 2 | 12.8y |
| #23 | react ↑ trending | 127M | 91 | SAFE | 2 | 14.5y |
| #24 | dotenv ↑ trending | 120M | 94 | SAFE | 3 | 12.8y |
| #25 | mkdirp | 116M | 67 | CRITICAL | 1 | 15.3y |
| #26 | minimist | 116M | 79 | SAFE | 3 | 12.8y |
| #27 | @types/react ↑ trending | 112M | 88 | CRITICAL | 1 | 9.9y |
| #28 | once | 111M | 68 | CRITICAL | 1 | 13.7y |
| #29 | vite ↑ trending | 108M | 91 | SAFE | 4 | 6y |
| #30 | rollup ↑ trending | 106M | 99 | SAFE | 5 | 10.9y |
| #31 | axios | 100M | 86 | CRITICAL | 1 | 11.6y |
| #32 | express ↑ trending | 93M | 97 | SAFE | 5 | 15.3y |
| #33 | prettier | 89M | 97 | SAFE | 11 | 9.3y |
| #34 | typescript-eslint ↑ trending | 69M | 91 | SAFE | 2 | 6.7y |
| #35 | chai ↑ trending | 64M | 83 | CRITICAL | 1 | 14.4y |
| #36 | jest-mock | 62M | 92 | SAFE | 5 | 10.1y |
| #37 | vitest ↑ trending | 51M | 93 | SAFE | 5 | 4.4y |
| #38 | webpack | 44M | 97 | SAFE | 8 | 14.1y |
| #39 | jest | 43M | 92 | SAFE | 5 | 14.2y |
| #40 | got | 33M | 85 | CRITICAL | 1 | 12.1y |
| #41 | moment | 31M | 84 | SAFE | 5 | 14.5y |
| #42 | archiver | 24M | 74 | CRITICAL | 1 | 13.5y |
| #43 | superagent | 18M | 89 | SAFE | 7 | 14.7y |
| #44 | cross-env ↑ trending | 17M | 73 | CRITICAL | 1 | 10.6y |
| #45 | request | 15M | 83 | SAFE | 4 | 15.2y |
| #46 | multer ↑ trending | 14M | 91 | SAFE | 5 | 12.2y |
| #47 | mocha | 13M | 90 | SAFE | 3 | 14.4y |
| #48 | supertest | 13M | 86 | SAFE | 6 | 13.8y |
| #49 | nodemon | 12M | 83 | CRITICAL | 1 | 15.2y |
| #50 | sinon | 10M | 91 | SAFE | 4 | 15.3y |
| #51 | fastify | 7M | 92 | SAFE | 5 | 9.5y |
| #52 | nock | 6M | 87 | SAFE | 4 | 14.6y |
| #53 | mobx | 3M | 85 | SAFE | 6 | 10.2y |
| #54 | parcel ↑ trending | 344K | 75 | SAFE | 1 | 13y |
| #55 | redux | 0 | 63 | SAFE | 6 | 14.5y |
| #56 | react-dom | 0 | 66 | SAFE | 2 | 12y |
| #57 | vue | 0 | 66 | SAFE | 2 | 12.4y |
| #58 | @angular/core | 0 | 66 | SAFE | 2 | 10y |
| #59 | next | 0 | 70 | SAFE | 3 | 14.8y |
| #60 | svelte | 0 | 71 | SAFE | 3 | 9.4y |
| #61 | recoil | 0 | 49 | SAFE | 3 | 6y |
| #62 | hapi | 0 | 64 | SAFE | 4 | 14.7y |
| #63 | zustand | 0 | 66 | SAFE | 3 | 7y |
| #64 | react-router | 0 | 67 | SAFE | 2 | 12.2y |
| #65 | react-router-dom | 0 | 67 | SAFE | 2 | 9.3y |
| #66 | @reduxjs/toolkit | 0 | 70 | SAFE | 6 | 6.4y |
| #67 | koa | 0 | 72 | SAFE | 11 | 12.5y |
| #68 | nestjs | 0 | 32 | SAFE | 1 | 10.3y |
| #69 | passport | 0 | 50 | SAFE | 1 | 14.5y |
| #70 | helmet | 0 | 57 | SAFE | 2 | 14.2y |
| #71 | jsonwebtoken | 0 | 62 | SAFE | 3 | 12.8y |
| #72 | prisma | 0 | 66 | SAFE | 2 | 9.9y |
| #73 | bcrypt | 0 | 69 | SAFE | 5 | 15.2y |
| #74 | mongoose | 0 | 71 | SAFE | 4 | 15.3y |
| #75 | typeorm | 0 | 71 | SAFE | 4 | 10y |
| #76 | sequelize | 0 | 72 | SAFE | 9 | 15y |
| #77 | knex | 0 | 74 | SAFE | 5 | 13y |
| #78 | morgan | 0 | 53 | SAFE | 2 | 12.2y |
| #79 | yup | 0 | 55 | SAFE | 1 | 11.5y |
| #80 | date-fns | 0 | 56 | SAFE | 1 | 11.5y |
| #81 | zod | 0 | 58 | SAFE | 1 | 6.1y |
| #82 | dayjs | 0 | 59 | SAFE | 1 | 8y |
| #83 | ajv | 0 | 61 | SAFE | 2 | 10.9y |
| #84 | winston | 0 | 67 | SAFE | 8 | 15.3y |
| #85 | pino | 0 | 68 | SAFE | 4 | 10.2y |
| #86 | joi | 0 | 71 | SAFE | 6 | 13.6y |
| #87 | unzipper | 0 | 51 | SAFE | 1 | 9.8y |
| #88 | pm2 | 0 | 56 | SAFE | 1 | 12.9y |
| #89 | concurrently | 0 | 58 | SAFE | 2 | 11.2y |
| #90 | sharp | 0 | 59 | SAFE | 1 | 12.7y |
| #91 | @aws-sdk/client-s3 | 0 | 67 | SAFE | 2 | 6.3y |
| #92 | firebase | 0 | 70 | SAFE | 4 | 14.2y |
| #93 | q | 0 | 50 | SAFE | 2 | 15.3y |
| #94 | bluebird | 0 | 55 | SAFE | 1 | 12.6y |
| #95 | underscore | 0 | 58 | SAFE | 2 | 15.3y |
| #96 | body-parser | 0 | 59 | SAFE | 3 | 12.3y |
| #97 | rxjs | 0 | 60 | SAFE | 3 | 14.1y |
| #98 | immer | 0 | 61 | SAFE | 2 | 9.5y |
| #99 | qs | 0 | 61 | SAFE | 2 | 15.2y |
| #100 | async | 0 | 63 | SAFE | 5 | 15.3y |
| #101 | ramda | 0 | 64 | SAFE | 8 | 11.9y |
| #102 | form-data | 0 | 64 | SAFE | 6 | 14.9y |
| #103 | pug | 0 | 47 | SAFE | 2 | 12.7y |
| #104 | crypto-js | 0 | 48 | SAFE | 1 | 13y |
| #105 | bcryptjs | 0 | 51 | SAFE | 1 | 13y |
| #106 | cookie-parser | 0 | 56 | SAFE | 3 | 12.2y |
| #107 | ejs | 0 | 58 | SAFE | 1 | 15.2y |
| #108 | serve-static | 0 | 59 | SAFE | 3 | 12.1y |
| #109 | cors | 0 | 62 | SAFE | 3 | 13.2y |
| #110 | compression | 0 | 64 | SAFE | 3 | 12.3y |
| #111 | handlebars | 0 | 68 | SAFE | 6 | 14.7y |
| #112 | graphql | 0 | 72 | SAFE | 6 | 11.2y |
| #113 | @apollo/client | 0 | 69 | SAFE | 4 | 6.6y |

Trust Score measures behavioral commitment signals: publish frequency, maintainer depth, download momentum, and age. It does not scan for malicious code — use Socket for that.
Paste your package.json and get a full trust audit of every dependency — including transitive ones you never chose.