CRITICAL = sole maintainer + 10M+ weekly downloads. The profile that made axios, chalk, and zod high-value targets before any CVE existed. Updated from npm registry data.
npm audit finds known CVEs — vulnerabilities already catalogued in a database. This scores structural risk before it becomes a CVE. In the ua-parser-js attack (October 2021), npm audit showed zero issues; the structural flag had been there for years in advance.
Sole maintainer + 10M+ weekly downloads = high-value target if credentials are stolen or the maintainer goes rogue. Not a verdict — a flag. The ua-parser-js attack (October 2021) and event-stream attack (2018) both fit this profile exactly.
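As an added example (not the site's own scoring code), this Python script applies the CRITICAL rule above to a package.json: it reads the dependency list and flags any package with exactly one maintainer and 10M+ weekly downloads. The package names and registry numbers in the sample are constructed; the live lookup helper uses the public npm registry document and the downloads API and is optional.

```python
import json
import urllib.parse
import urllib.request

# Threshold from the page's definition: CRITICAL = sole maintainer + 10M+ weekly downloads.
CRITICAL_WEEKLY_DOWNLOADS = 10_000_000

# Constructed sample package.json (names are invented for illustration).
SAMPLE_PACKAGE_JSON = """{
  "name": "my-app",
  "dependencies": {"widget-utils": "^2.1.0", "big-framework": "^4.0.0"},
  "devDependencies": {"tiny-helper": "~1.0.3"}
}"""

# Constructed stand-in for registry data: name -> maintainer count and weekly downloads.
SAMPLE_REGISTRY = {
    "widget-utils": {"maintainers": 1, "downloads": 12_000_000},   # sole maintainer, huge reach
    "big-framework": {"maintainers": 6, "downloads": 30_000_000},  # many maintainers
    "tiny-helper": {"maintainers": 1, "downloads": 50_000},        # sole maintainer, small reach
}


def parse_dependencies(package_json_text):
    """Return the sorted names of runtime and dev dependencies from a package.json."""
    data = json.loads(package_json_text)
    names = set()
    for key in ("dependencies", "devDependencies"):
        names.update(data.get(key, {}).keys())
    return sorted(names)


def is_critical(maintainer_count, weekly_downloads):
    """The structural flag: one maintainer and at least 10M weekly downloads."""
    return maintainer_count == 1 and weekly_downloads >= CRITICAL_WEEKLY_DOWNLOADS


def flag_critical(dep_names, registry):
    """Return the dependencies that match the CRITICAL profile; unknown names are skipped."""
    flagged = []
    for name in dep_names:
        entry = registry.get(name)
        if entry and is_critical(entry["maintainers"], entry["downloads"]):
            flagged.append(name)
    return flagged


def fetch_registry_entry(name):
    """Live lookup (needs network): maintainer list from the registry doc, last-week downloads from the API."""
    with urllib.request.urlopen("https://registry.npmjs.org/" + urllib.parse.quote(name, safe="@")) as r:
        meta = json.load(r)
    with urllib.request.urlopen("https://api.npmjs.org/downloads/point/last-week/" + name) as r:
        downloads = json.load(r)
    return {"maintainers": len(meta.get("maintainers", [])), "downloads": downloads.get("downloads", 0)}


if __name__ == "__main__":
    print(flag_critical(parse_dependencies(SAMPLE_PACKAGE_JSON), SAMPLE_REGISTRY))
```

Replace SAMPLE_REGISTRY with a dict built from fetch_registry_entry to score a real lockfile; the flag is a prompt to look at who controls the package, not a verdict.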
Paste your package.json, drop a GitHub repo URL, or use the audit tool to score your own dependencies. Or add the GitHub Action to flag CRITICAL packages on every PR.
We'll scan the top npm packages every week and email you when a new CRITICAL risk emerges. No spam — just signal.
Weekly digest · Unsubscribe anytime · No account required