Every week, these packages are installed 22.1B times. Most are safe. Some are structural time bombs — one compromised credential away from a supply chain attack affecting millions of developers.
| Rank | Package | Downloads/wk | Trust Score | Risk Level | Maintainers | Age |
|---|---|---|---|---|---|---|
| #1 | semver | 760M | 93 | SAFE | 4 | 15.3y |
| #2 | minimatch | 634M | 78 | CRITICAL | 1 | 14.9y |
| #3 | debug | 534M | 78 | SAFE | 2 | 14.5y |
| #4 | ansi-styles | 515M | 74 | CRITICAL | 1 | 12.9y |
| #5 | strip-ansi | 446M | 70 | CRITICAL | 1 | 12.5y |
| #6 | chalk | 437M | 75 | CRITICAL | 1 | 12.9y |
| #7 | commander | 427M | 88 | SAFE | 2 | 14.8y |
| #8 | ms | 411M | 86 | SAFE | 6 | 14.5y |
| #9 | wrap-ansi | 407M | 71 | CRITICAL | 1 | 10.8y |
| #10 | lru-cache | 404M | 82 | CRITICAL | 1 | 14.9y |
| #11 | picomatch | 390M | 83 | SAFE | 4 | 7.6y |
| #12 | string-width | 385M | 73 | CRITICAL | 1 | 10.9y |
| #13 | tslib | 380M | 85 | SAFE | 6 | 11.5y |
| #14 | supports-color | 375M | 75 | CRITICAL | 1 | 12y |
| #15 | glob | 369M | 76 | CRITICAL | 1 | 15.4y |
| #16 | @types/node | 356M | 85 | CRITICAL | 1 | 10.1y |
| #17 | source-map | 321M | 86 | SAFE | 24 | 14.8y |
| #18 | color-name | 320M | 76 | SAFE | 3 | 11.6y |
| #19 | color-convert | 316M | 74 | CRITICAL | 1 | 15y |
| #20 | ajv | 314M | 83 | SAFE | 2 | 11y |
| #21 | readable-stream | 310M | 84 | SAFE | 3 | 13.9y |
| #22 | escape-string-regexp | 304M | 69 | CRITICAL | 1 | 12y |
| #23 | which | 297M | 86 | SAFE | 4 | 14.8y |
| #24 | glob-parent | 289M | 76 | SAFE | 4 | 11.4y |
| #25 | has-flag | 285M | 61 | CRITICAL | 1 | 10.9y |
| #26 | p-locate | 271M | 67 | CRITICAL | 1 | 9.6y |
| #27 | safe-buffer | 265M | 67 | SAFE | 2 | 10.4y |
| #28 | json-schema-traverse | 262M | 61 | CRITICAL | 1 | 9y |
| #29 | signal-exit | 255M | 71 | SAFE | 2 | 11.1y |
| #30 | yallist | 239M | 67 | CRITICAL | 1 | 10.5y |
| #31 | p-limit | 236M | 72 | CRITICAL | 1 | 9.6y |
| #32 | postcss | 231M | 83 | CRITICAL | 1 | 12.6y |
| #33 | locate-path | 230M | 70 | CRITICAL | 1 | 9.6y |
| #34 | string_decoder | 226M | 76 | SAFE | 4 | 12.5y |
| #35 | uuid | 225M | 83 | SAFE | 2 | 15.2y |
| #36 | https-proxy-agent | 215M | 83 | CRITICAL | 1 | 12.9y |
| #37 | esbuild | 204M | 87 | CRITICAL | 1 | 8.5y |
| #38 | agent-base | 193M | 81 | CRITICAL | 1 | 12.9y |
| #39 | isarray | 191M | 66 | CRITICAL | 1 | 13.1y |
| #40 | ws | 187M | 92 | SAFE | 4 | 14.5y |
| #41 | cross-spawn | 183M | 72 | CRITICAL | 1 | 12y |
| #42 | typescript | 182M | 94 | SAFE | 6 | 13.7y |
| #43 | inherits | 178M | 64 | CRITICAL | 1 | 15.2y |
| #44 | graceful-fs | 174M | 72 | CRITICAL | 1 | 14.9y |
| #45 | yargs | 173M | 84 | SAFE | 3 | 12.6y |
| #46 | qs | 165M | 84 | SAFE | 2 | 15.4y |
| #47 | is-glob | 163M | 71 | SAFE | 3 | 11.5y |
| #48 | zod | 161M | 83 | CRITICAL | 1 | 6.3y |
| #49 | braces | 160M | 74 | SAFE | 2 | 11.6y |
| #50 | fs-extra | 160M | 86 | SAFE | 3 | 14.6y |
| #51 | fill-range | 159M | 78 | SAFE | 3 | 11.5y |
| #52 | lodash | 159M | 80 | CRITICAL | 1 | 14.1y |
| #53 | form-data | 157M | 87 | SAFE | 6 | 15.1y |
| #54 | chokidar | 156M | 80 | CRITICAL | 1 | 14.1y |
| #55 | node-fetch | 151M | 85 | SAFE | 5 | 11.4y |
| #56 | @babel/core | 150M | 94 | SAFE | 4 | 8.6y |
| #57 | fast-glob | 144M | 74 | CRITICAL | 1 | 9.5y |
| #58 | dotenv | 142M | 86 | SAFE | 3 | 12.9y |
| #59 | execa | 140M | 78 | SAFE | 2 | 10.5y |
| #60 | react | 138M | 90 | SAFE | 2 | 14.6y |
| #61 | vite | 136M | 91 | SAFE | 2 | 6.1y |
| #62 | mkdirp | 135M | 67 | CRITICAL | 1 | 15.4y |
| #63 | micromatch | 132M | 81 | SAFE | 3 | 11.5y |
| #64 | minimist | 130M | 76 | SAFE | 3 | 13y |
| #65 | react-dom | 130M | 90 | SAFE | 2 | 12.1y |
| #66 | @types/react | 126M | 85 | CRITICAL | 1 | 10.1y |
| #67 | undici | 126M | 95 | SAFE | 3 | 7.9y |
| #68 | rimraf | 122M | 74 | CRITICAL | 1 | 15.3y |
| #69 | http-proxy-agent | 116M | 80 | CRITICAL | 1 | 12.9y |
| #70 | axios | 116M | 88 | CRITICAL | 1 | 11.8y |
| #71 | tailwindcss | 115M | 92 | SAFE | 3 | 8.7y |
| #72 | eslint | 115M | 89 | SAFE | 2 | 12.9y |
| #73 | body-parser | 113M | 84 | SAFE | 4 | 12.4y |
| #74 | prettier | 113M | 97 | SAFE | 11 | 9.4y |
| #75 | serve-static | 111M | 82 | SAFE | 3 | 12.3y |
| #76 | once | 105M | 65 | CRITICAL | 1 | 13.8y |
| #77 | rollup | 104M | 98 | SAFE | 5 | 11.1y |
| #78 | @types/react-dom | 98M | 81 | CRITICAL | 1 | 10.1y |
| #79 | express | 93M | 90 | SAFE | 5 | 15.5y |
| #80 | async | 92M | 85 | SAFE | 5 | 15.5y |
| #81 | jose | 84M | 84 | CRITICAL | 1 | 12.3y |
| #82 | rxjs | 78M | 82 | SAFE | 3 | 14.3y |
| #83 | date-fns | 76M | 71 | CRITICAL | 1 | 11.7y |
| #84 | jsdom | 76M | 94 | SAFE | 6 | 14.6y |
| #85 | ora | 73M | 77 | CRITICAL | 1 | 10.3y |
| #86 | typescript-eslint | 73M | 91 | SAFE | 2 | 6.8y |
| #87 | chai | 68M | 82 | CRITICAL | 1 | 14.5y |
| #88 | terser | 67M | 81 | CRITICAL | 1 | 8.1y |
| #89 | sharp | 61M | 87 | CRITICAL | 1 | 12.8y |
| #90 | playwright | 60M | 93 | SAFE | 4 | 11.4y |
| #91 | cors | 59M | 80 | SAFE | 3 | 13.4y |
| #92 | vitest | 57M | 89 | SAFE | 4 | 4.5y |
| #93 | jest-mock | 56M | 94 | SAFE | 5 | 10.2y |
| #94 | dayjs | 56M | 87 | CRITICAL | 1 | 8.2y |
| #95 | autoprefixer | 53M | 81 | CRITICAL | 1 | 13.2y |
| #96 | immer | 51M | 85 | SAFE | 2 | 9.7y |
| #97 | webpack | 49M | 99 | SAFE | 8 | 14.3y |
| #98 | bluebird | 48M | 77 | CRITICAL | 1 | 12.7y |
| #99 | react-router | 48M | 91 | SAFE | 2 | 12.4y |
| #100 | inquirer | 47M | 93 | SAFE | 3 | 13.1y |
| #101 | jsonwebtoken | 47M | 80 | SAFE | 3 | 12.9y |
| #102 | jest | 46M | 94 | SAFE | 5 | 14.3y |
| #103 | hono | 44M | 79 | CRITICAL | 1 | 4.5y |
| #104 | react-router-dom | 42M | 91 | SAFE | 2 | 9.5y |
| #105 | @testing-library/jest-dom ↑ trending | 41M | 90 | SAFE | 17 | 6.9y |
| #106 | graphql | 41M | 99 | SAFE | 6 | 11.4y |
| #107 | @babel/preset-env | 41M | 94 | SAFE | 4 | 8.6y |
| #108 | zustand | 40M | 94 | SAFE | 3 | 7.2y |
| #109 | handlebars | 39M | 87 | SAFE | 6 | 14.8y |
| #110 | @modelcontextprotocol/sdk | 38M | 74 | SAFE | 6 | 1.6y |
| #111 | lodash-es | 37M | 84 | SAFE | 3 | 11.4y |
| #112 | cheerio | 37M | 81 | SAFE | 2 | 14.7y |
| #113 | @testing-library/react ↑ trending | 37M | 94 | SAFE | 17 | 7y |
| #114 | @swc/core | 37M | 88 | CRITICAL | 1 | 7.3y |
| #115 | compression | 36M | 82 | SAFE | 3 | 12.4y |
| #116 | moment | 34M | 83 | SAFE | 5 | 14.7y |
| #117 | ejs | 33M | 81 | CRITICAL | 1 | 15.3y |
| #118 | luxon | 32M | 79 | SAFE | 2 | 9.1y |
| #119 | pg | 32M | 82 | CRITICAL | 1 | 15.5y |
| #120 | @aws-sdk/client-s3 ↑ trending | 32M | 92 | SAFE | 2 | 6.4y |
| #121 | tweetnacl | 32M | 70 | CRITICAL | 1 | 11.9y |
| #122 | rc | 32M | 78 | SAFE | 9 | 13.9y |
| #123 | next | 31M | 95 | SAFE | 4 | 14.9y |
| #124 | got | 31M | 80 | CRITICAL | 1 | 12.2y |
| #125 | node-forge | 30M | 85 | SAFE | 3 | 13y |
| #126 | pino | 30M | 88 | SAFE | 4 | 10.3y |
| #127 | redux | 29M | 88 | SAFE | 6 | 14.7y |
| #128 | sass | 29M | 88 | SAFE | 2 | 9y |
| #129 | openai | 26M | 92 | SAFE | 18 | 5.9y |
| #130 | archiver | 25M | 79 | CRITICAL | 1 | 13.7y |
| #131 | underscore | 24M | 76 | SAFE | 2 | 15.4y |
| #132 | ua-parser-js | 24M | 84 | CRITICAL | 1 | 13.9y |
| #133 | @anthropic-ai/sdk ↑ trending | 24M | 90 | SAFE | 13 | 3.4y |
| #134 | joi | 22M | 90 | SAFE | 6 | 13.7y |
| #135 | ioredis | 22M | 88 | SAFE | 2 | 11.2y |
| #136 | @babel/preset-react | 21M | 94 | SAFE | 4 | 8.6y |
| #137 | winston | 21M | 90 | SAFE | 8 | 15.4y |
| #138 | @tanstack/react-router ↑ trending | 20M | 91 | SAFE | 5 | 3.7y |
| #139 | preact | 18M | 98 | SAFE | 6 | 10.8y |
| #140 | @reduxjs/toolkit | 18M | 98 | SAFE | 6 | 6.6y |
| #141 | superagent | 18M | 89 | SAFE | 7 | 14.8y |
| #142 | crypto-js | 17M | 69 | CRITICAL | 1 | 13.1y |
| #143 | multer | 17M | 87 | SAFE | 5 | 12.4y |
| #144 | cross-env | 17M | 70 | CRITICAL | 1 | 10.7y |
| #145 | request | 16M | 82 | SAFE | 4 | 15.4y |
| #146 | concurrently | 15M | 86 | SAFE | 2 | 11.3y |
| #147 | supertest | 15M | 86 | SAFE | 6 | 14y |
| #148 | socket.io | 15M | 86 | SAFE | 2 | 15.5y |
| #149 | mocha | 14M | 90 | SAFE | 2 | 14.6y |
| #150 | turbo | 14M | 90 | SAFE | 2 | 13.1y |
| #151 | q | 14M | 71 | SAFE | 2 | 15.5y |
| #152 | unzipper | 14M | 74 | CRITICAL | 1 | 9.9y |
| #153 | @google-cloud/storage ↑ trending | 13M | 89 | CRITICAL | 1 | 9.8y |
| #154 | vue | 13M | 90 | SAFE | 2 | 12.5y |
| #155 | ai | 12M | 98 | SAFE | 5 | 12.3y |
| #156 | yup | 12M | 77 | CRITICAL | 1 | 11.6y |
| #157 | ramda | 12M | 86 | SAFE | 8 | 12.1y |
| #158 | helmet | 12M | 85 | SAFE | 2 | 14.4y |
| #159 | morgan | 12M | 84 | SAFE | 3 | 12.3y |
| #160 | @nestjs/common ↑ trending | 12M | 89 | CRITICAL | 1 | 9.1y |
| #161 | puppeteer | 12M | 76 | SAFE | 2 | 13.2y |
| #162 | @nestjs/core ↑ trending | 11M | 89 | CRITICAL | 1 | 9.1y |
| #163 | papaparse | 11M | 77 | SAFE | 2 | 11.6y |
| #164 | sinon | 11M | 88 | SAFE | 4 | 15.5y |
| #165 | redis | 11M | 96 | SAFE | 5 | 15.5y |
| #166 | prisma | 11M | 88 | SAFE | 2 | 10y |
| #167 | nodemon | 11M | 81 | CRITICAL | 1 | 15.4y |
| #168 | drizzle-orm | 11M | 83 | SAFE | 4 | 4.8y |
| #169 | class-validator | 10M | 78 | SAFE | 2 | 10.2y |
| #170 | mysql2 | 10M | 87 | HIGH | 1 | 13.2y |
| #171 | cookie-parser | 10M | 78 | SAFE | 3 | 12.3y |
| #172 | xlsx | 9M | 71 | HIGH | 1 | 12.5y |
| #173 | less | 9M | 92 | SAFE | 5 | 15.4y |
| #174 | bcryptjs | 9M | 73 | HIGH | 1 | 13.1y |
| #175 | stylelint | 8M | 94 | SAFE | 4 | 11.5y |
| #176 | firebase | 8M | 92 | SAFE | 4 | 14.3y |
| #177 | aws-sdk | 8M | 76 | SAFE | 2 | 13.5y |
| #178 | @ai-sdk/openai ↑ trending | 7M | 86 | SAFE | 3 | 2.2y |
| #179 | passport | 7M | 72 | HIGH | 1 | 14.7y |
| #180 | @ai-sdk/anthropic ↑ trending | 7M | 86 | SAFE | 3 | 2.2y |
| #181 | better-sqlite3 | 7M | 83 | HIGH | 1 | 9.8y |
| #182 | fastify | 7M | 90 | SAFE | 5 | 9.7y |
| #183 | @apollo/client ↑ trending | 7M | 93 | SAFE | 4 | 6.8y |
| #184 | log4js | 7M | 75 | SAFE | 2 | 15.4y |
| #185 | koa | 7M | 94 | SAFE | 11 | 12.6y |
| #186 | nock | 7M | 85 | SAFE | 4 | 14.7y |
| #187 | lit | 6M | 89 | SAFE | 8 | 13.9y |
| #188 | event-stream | 6M | 64 | HIGH | 1 | 14.8y |
| #189 | cypress | 6M | 85 | SAFE | 2 | 12.3y |
| #190 | @angular/core | 6M | 85 | SAFE | 2 | 10.1y |
| #191 | mongoose | 6M | 91 | SAFE | 3 | 15.5y |
| #192 | @angular/cli | 5M | 85 | SAFE | 2 | 9.4y |
| #193 | bcrypt | 5M | 81 | SAFE | 5 | 15.3y |
| #194 | coa | 5M | 70 | SAFE | 2 | 14.9y |
| #195 | svelte | 5M | 91 | SAFE | 3 | 9.6y |
| #196 | @langchain/core ↑ trending | 5M | 86 | SAFE | 14 | 2.6y |
| #197 | knex | 4M | 92 | SAFE | 5 | 13.1y |
| #198 | mobx | 4M | 94 | SAFE | 6 | 10.3y |
| #199 | jotai | 4M | 81 | SAFE | 2 | 5.8y |
| #200 | typeorm | 4M | 86 | SAFE | 2 | 10.1y |
| #201 | @langchain/openai | 3M | 83 | SAFE | 14 | 2.6y |
| #202 | bunyan | 3M | 66 | HIGH | 1 | 14.4y |
| #203 | pug | 3M | 65 | SAFE | 2 | 12.8y |
| #204 | csv-parser | 3M | 79 | SAFE | 4 | 12.1y |
| #205 | @apollo/server | 3M | 87 | SAFE | 6 | 6.8y |
| #206 | pm2 | 3M | 76 | HIGH | 1 | 13y |
| #207 | solid-js | 3M | 81 | HIGH | 1 | 8.1y |
| #208 | sequelize | 3M | 85 | SAFE | 9 | 15.1y |
| #209 | langchain | 2M | 83 | SAFE | 8 | 3.3y |
| #210 | node-ipc | 730K | 69 | SAFE | 1 | 12.3y |
| #211 | recoil | 487K | 68 | SAFE | 3 | 6.1y |
| #212 | chalk-animation | 415K | 57 | SAFE | 1 | 8.9y |
| #213 | parcel | 347K | 70 | SAFE | 1 | 13.1y |
| #214 | x402 | 203K | 56 | SAFE | 2 | 1.3y |
| #215 | llamaindex | 118K | 55 | SAFE | 2 | 2.9y |
| #216 | hapi | 66K | 72 | SAFE | 4 | 14.9y |
| #217 | nestjs | 13K | 42 | SAFE | 1 | 10.5y |
Trust Score measures behavioral commitment signals: publish frequency, maintainer depth, download momentum, and age. It does not scan for malicious code — use Socket for that. How Commit compares to other tools →
Paste your package.json and get a full trust audit of every dependency — including transitive ones you never chose.