npm trust leaderboard

We scored the 125 most-downloaded npm packages. Here's what we found.

Every week, these packages are installed 11.3B times. Most are safe. Some are structural time bombs — one compromised credential away from a supply chain attack affecting millions of developers.

28 CRITICAL risk: single maintainer, massive reach
95 SAFE: multiple maintainers, healthy signals
11.3B weekly installs: combined across all 125 packages
Jun 3, 2026 last updated: live data from npm registry
CRITICAL = 1 maintainer controlling millions of weekly installs. No malicious code detected — just the structural condition that makes an attack catastrophic if it happens.

| Rank | Package | Downloads/wk | Trust Score | Risk Level | Maintainers | Age |
|---|---|---|---|---|---|---|
| #1 | semver | 742M | 93 | SAFE | 4 | 15.3y |
| #2 | debug | 633M | 78 | SAFE | 2 | 14.5y |
| #3 | ms | 490M | 86 | SAFE | 6 | 14.5y |
| #4 | chalk | 432M | 75 | CRITICAL | 1 | 12.8y |
| #5 | commander | 416M | 88 | SAFE | 2 | 14.8y |
| #6 | tslib | 376M | 85 | SAFE | 6 | 11.4y |
| #7 | glob | 366M | 76 | CRITICAL | 1 | 15.4y |
| #8 | @types/node | 344M | 85 | CRITICAL | 1 | 10y |
| #9 | ajv | 306M | 83 | SAFE | 2 | 11y |
| #10 | readable-stream | 303M | 84 | SAFE | 3 | 13.9y |
| #11 | which | 301M | 89 | SAFE | 4 | 14.8y |
| #12 | uuid | 266M | 83 | SAFE | 2 | 15.2y |
| #13 | esbuild | 234M | 82 | CRITICAL | 1 | 8.5y |
| #14 | ws | 222M | 92 | SAFE | 4 | 14.5y |
| #15 | cross-spawn | 215M | 72 | CRITICAL | 1 | 11.9y |
| #16 | typescript | 206M | 94 | SAFE | 6 | 13.7y |
| #17 | yargs | 198M | 80 | SAFE | 2 | 12.5y |
| #18 | fs-extra | 188M | 88 | SAFE | 3 | 14.5y |
| #19 | zod | 185M | 83 | CRITICAL | 1 | 6.2y |
| #20 | inherits | 174M | 64 | CRITICAL | 1 | 15.2y |
| #21 | qs | 162M | 84 | SAFE | 2 | 15.3y |
| #22 | lodash | 156M | 81 | CRITICAL | 1 | 14.1y |
| #23 | form-data | 153M | 86 | SAFE | 6 | 15.1y |
| #24 | node-fetch | 148M | 85 | SAFE | 5 | 11.3y |
| #25 | rimraf | 142M | 74 | CRITICAL | 1 | 15.3y |
| #26 | mkdirp | 139M | 67 | CRITICAL | 1 | 15.4y |
| #27 | dotenv | 138M | 86 | SAFE | 3 | 12.9y |
| #28 | react | 134M | 90 | SAFE | 2 | 14.6y |
| #29 | eslint | 132M | 89 | SAFE | 2 | 12.9y |
| #30 | vite | 129M | 91 | SAFE | 2 | 6.1y |
| #31 | minimist | 129M | 76 | SAFE | 3 | 12.9y |
| #32 | react-dom | 127M | 90 | SAFE | 2 | 12.1y |
| #33 | @types/react ↑ trending | 121M | 88 | CRITICAL | 1 | 10y |
| #34 | rollup | 117M | 98 | SAFE | 5 | 11.1y |
| #35 | once | 116M | 65 | CRITICAL | 1 | 13.8y |
| #36 | axios | 113M | 88 | CRITICAL | 1 | 11.8y |
| #37 | body-parser | 111M | 84 | SAFE | 4 | 12.4y |
| #38 | serve-static | 109M | 82 | SAFE | 3 | 12.2y |
| #39 | prettier | 109M | 95 | SAFE | 11 | 9.4y |
| #40 | express | 108M | 90 | SAFE | 5 | 15.4y |
| #41 | async | 91M | 85 | SAFE | 5 | 15.5y |
| #42 | rxjs | 88M | 82 | SAFE | 3 | 14.2y |
| #43 | date-fns | 87M | 71 | CRITICAL | 1 | 11.7y |
| #44 | chai | 78M | 82 | CRITICAL | 1 | 14.5y |
| #45 | typescript-eslint | 70M | 91 | SAFE | 2 | 6.8y |
| #46 | jest-mock | 66M | 97 | SAFE | 5 | 10.2y |
| #47 | vitest | 65M | 93 | SAFE | 5 | 4.5y |
| #48 | sharp | 62M | 80 | CRITICAL | 1 | 12.8y |
| #49 | cors | 57M | 80 | SAFE | 3 | 13.3y |
| #50 | dayjs | 54M | 87 | CRITICAL | 1 | 8.2y |
| #51 | immer | 50M | 88 | SAFE | 2 | 9.7y |
| #52 | webpack | 48M | 99 | SAFE | 8 | 14.2y |
| #53 | react-router | 48M | 91 | SAFE | 2 | 12.3y |
| #54 | bluebird | 47M | 77 | CRITICAL | 1 | 12.7y |
| #55 | jest | 46M | 97 | SAFE | 5 | 14.3y |
| #56 | jsonwebtoken | 45M | 80 | SAFE | 3 | 12.9y |
| #57 | react-router-dom | 42M | 91 | SAFE | 2 | 9.5y |
| #58 | graphql | 40M | 99 | SAFE | 6 | 11.3y |
| #59 | hono | 40M | 79 | CRITICAL | 1 | 4.5y |
| #60 | next | 39M | 95 | SAFE | 4 | 14.9y |
| #61 | zustand | 39M | 94 | SAFE | 3 | 7.2y |
| #62 | handlebars | 38M | 87 | SAFE | 6 | 14.8y |
| #63 | @modelcontextprotocol/sdk | 35M | 73 | SAFE | 6 | 1.6y |
| #64 | compression | 35M | 82 | SAFE | 3 | 12.4y |
| #65 | got | 35M | 83 | CRITICAL | 1 | 12.2y |
| #66 | pino | 34M | 88 | SAFE | 4 | 10.3y |
| #67 | moment | 34M | 83 | SAFE | 5 | 14.6y |
| #68 | redux | 33M | 88 | SAFE | 6 | 14.7y |
| #69 | ejs | 33M | 81 | CRITICAL | 1 | 15.3y |
| #70 | @aws-sdk/client-s3 ↑ trending | 31M | 92 | SAFE | 2 | 6.4y |
| #71 | archiver | 29M | 84 | CRITICAL | 1 | 13.7y |
| #72 | @anthropic-ai/sdk ↑ trending | 25M | 89 | SAFE | 14 | 3.3y |
| #73 | openai | 25M | 92 | SAFE | 18 | 5.9y |
| #74 | underscore | 24M | 76 | SAFE | 2 | 15.4y |
| #75 | winston | 24M | 89 | SAFE | 8 | 15.4y |
| #76 | joi | 21M | 90 | SAFE | 6 | 13.7y |
| #77 | @reduxjs/toolkit | 21M | 98 | SAFE | 6 | 6.6y |
| #78 | superagent | 20M | 89 | SAFE | 7 | 14.8y |
| #79 | cross-env | 19M | 70 | CRITICAL | 1 | 10.7y |
| #80 | crypto-js | 19M | 69 | CRITICAL | 1 | 13.1y |
| #81 | concurrently | 18M | 86 | SAFE | 2 | 11.3y |
| #82 | multer | 17M | 87 | SAFE | 5 | 12.3y |
| #83 | request | 15M | 82 | SAFE | 4 | 15.4y |
| #84 | ramda | 15M | 86 | SAFE | 8 | 12y |
| #85 | supertest | 14M | 86 | SAFE | 6 | 13.9y |
| #86 | ai | 14M | 98 | SAFE | 5 | 12.3y |
| #87 | mocha | 14M | 90 | SAFE | 2 | 14.6y |
| #88 | q | 13M | 71 | SAFE | 2 | 15.4y |
| #89 | unzipper | 13M | 74 | CRITICAL | 1 | 9.9y |
| #90 | vue | 12M | 90 | SAFE | 2 | 12.5y |
| #91 | prisma | 12M | 86 | SAFE | 2 | 10y |
| #92 | nodemon | 12M | 81 | CRITICAL | 1 | 15.3y |
| #93 | yup | 12M | 77 | CRITICAL | 1 | 11.6y |
| #94 | helmet | 11M | 85 | SAFE | 2 | 14.3y |
| #95 | morgan | 11M | 84 | SAFE | 3 | 12.3y |
| #96 | sinon | 11M | 91 | SAFE | 4 | 15.5y |
| #97 | bcryptjs | 10M | 73 | CRITICAL | 1 | 13.1y |
| #98 | cookie-parser | 9M | 78 | SAFE | 3 | 12.3y |
| #99 | fastify | 8M | 94 | SAFE | 5 | 9.7y |
| #100 | koa | 8M | 98 | SAFE | 11 | 12.6y |
| #101 | firebase | 8M | 92 | SAFE | 4 | 14.3y |
| #102 | passport | 7M | 72 | HIGH | 1 | 14.7y |
| #103 | @ai-sdk/openai ↑ trending | 7M | 82 | SAFE | 3 | 2.1y |
| #104 | @ai-sdk/anthropic ↑ trending | 7M | 82 | SAFE | 3 | 2.1y |
| #105 | nock | 7M | 88 | SAFE | 4 | 14.7y |
| #106 | @apollo/client | 6M | 90 | SAFE | 4 | 6.7y |
| #107 | mongoose | 6M | 91 | SAFE | 3 | 15.5y |
| #108 | @angular/core | 6M | 85 | SAFE | 2 | 10.1y |
| #109 | bcrypt | 5M | 81 | SAFE | 5 | 15.3y |
| #110 | @langchain/core ↑ trending | 5M | 86 | SAFE | 13 | 2.5y |
| #111 | typeorm | 4M | 86 | SAFE | 2 | 10.1y |
| #112 | svelte | 4M | 91 | SAFE | 3 | 9.5y |
| #113 | knex | 4M | 89 | SAFE | 5 | 13.1y |
| #114 | mobx | 4M | 94 | SAFE | 6 | 10.3y |
| #115 | pug | 4M | 67 | SAFE | 2 | 12.8y |
| #116 | @langchain/openai | 3M | 83 | SAFE | 13 | 2.5y |
| #117 | pm2 | 3M | 76 | HIGH | 1 | 13y |
| #118 | sequelize | 3M | 88 | SAFE | 9 | 15.1y |
| #119 | langchain | 2M | 83 | SAFE | 8 | 3.3y |
| #120 | recoil | 487K | 68 | SAFE | 3 | 6.1y |
| #121 | parcel | 428K | 70 | SAFE | 1 | 13.1y |
| #122 | x402 | 256K | 56 | SAFE | 2 | 1.3y |
| #123 | llamaindex | 112K | 55 | SAFE | 2 | 2.9y |
| #124 | hapi | 90K | 77 | SAFE | 4 | 14.8y |
| #125 | nestjs | 16K | 42 | SAFE | 1 | 10.4y |

Trust Score measures behavioral commitment signals: publish frequency, maintainer depth, download momentum, and age. It does not scan for malicious code — use Socket for that.

Audit your own dependencies

Paste your package.json and get a full trust audit of every dependency — including transitive ones you never chose.
