CRITICAL = sole maintainer + 10M+ weekly downloads. The profile that makes packages like six, certifi, and charset-normalizer high-value targets before any CVE exists. Updated from PyPI registry data.
| # | Package | Risk | Score | Downloads/wk | Maintainers | Age | Last release |
|---|---|---|---|---|---|---|---|
pip audit finds known CVEs — vulnerabilities already catalogued in a database. This scores structural risk before it becomes a CVE. A sole-maintainer package with 300M+ weekly downloads is a high-value target regardless of CVE history.
Sole maintainer + 10M+ weekly downloads = high-value target if credentials are stolen or the maintainer goes rogue. Not a verdict — a flag. The ua-parser-js attack (October 2021) and other supply chain incidents fit this profile exactly.
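As an added example (not the audit tool's or the GitHub Action's own code), the CRITICAL rule above applied to a requirements.txt. The registry snapshot, its download and maintainer counts, and the helper names are constructed assumptions standing in for PyPI registry data, so it runs offline.

```python
import re
from typing import Dict, List, NamedTuple

CRITICAL_DOWNLOADS_PER_WEEK = 10_000_000  # threshold stated on the page
SOLE_MAINTAINER = 1

class PackageMeta(NamedTuple):
    maintainers: int
    downloads_per_week: int

# Constructed, offline stand-in for a PyPI registry snapshot; counts are illustrative.
SAMPLE_REGISTRY: Dict[str, PackageMeta] = {
    "six": PackageMeta(1, 120_000_000),
    "certifi": PackageMeta(1, 90_000_000),
    "charset-normalizer": PackageMeta(1, 80_000_000),
    "requests": PackageMeta(4, 200_000_000),  # several maintainers: not CRITICAL
    "tiny-util": PackageMeta(1, 2_000),       # sole maintainer but tiny reach
}

def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Charset_Normalizer' matches 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> List[str]:
    """Extract normalized names; skip comments, blanks, option lines, extras, specifiers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize_name(m.group(0)))
    return names

def risk_label(meta: PackageMeta) -> str:
    """CRITICAL = sole maintainer + 10M+ weekly downloads (the page's rule); otherwise OK."""
    if meta.maintainers <= SOLE_MAINTAINER and meta.downloads_per_week >= CRITICAL_DOWNLOADS_PER_WEEK:
        return "CRITICAL"
    return "OK"

def flag_critical(requirements_text: str, registry: Dict[str, PackageMeta]) -> Dict[str, str]:
    """Label every dependency; names absent from the registry get UNKNOWN rather than a false OK."""
    labels = {}
    for name in parse_requirements(requirements_text):
        meta = registry.get(name)
        labels[name] = risk_label(meta) if meta else "UNKNOWN"
    return labels
```

In a PR check, a non-empty set of CRITICAL or UNKNOWN labels is the signal to review, not a verdict on the package.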
Paste your requirements.txt or pyproject.toml in the audit tool to score your Python dependencies. Or add the GitHub Action to flag CRITICAL packages on every PR.