The question nobody asks
Your CI/CD pipeline runs npm audit on every push. It checks for known CVEs. It found zero issues with axios in March 2026 — days before the maintainer's npm account was compromised.
I wanted to know: what does the structural risk picture look like for the most-downloaded packages in the npm ecosystem?
So I audited every npm package with more than 10 million weekly downloads — 41 packages — using proof-of-commitment. Here's what I found.
The data (sorted by weekly downloads)
| Package | Downloads/wk | Maintainers | Score | Status |
|---|---|---|---|---|
| semver | 633M | 5 | 72 | ✅ OK |
| minimatch | 560M | 1 | 60 | ⚠️ CRITICAL |
| debug | 554M | 2 | 57 | HIGH |
| chalk | 413M | 1 | 53 | ⚠️ CRITICAL |
| commander | 365M | 2 | 61 | HIGH |
| picomatch | 340M | 4 | 66 | ✅ OK |
| glob | 332M | 1 | 57 | ⚠️ CRITICAL |
| uuid | 239M | 2 | 57 | HIGH |
| postcss | 206M | 1 | 63 | ⚠️ CRITICAL |
| esbuild | 190M | 1 | 63 | ⚠️ CRITICAL |
| typescript | 178M | 6 | 73 | ✅ OK |
| cross-spawn | 174M | 1 | 50 | ⚠️ CRITICAL |
| yargs | 173M | 2 | 59 | HIGH |
| zod | 158M | 1 | 58 | ⚠️ CRITICAL |
| chokidar | 156M | 1 | 56 | ⚠️ CRITICAL |
| nanoid | 151M | 1 | 63 | ⚠️ CRITICAL |
| lodash | 145M | 1 | 62 | ⚠️ CRITICAL |
| braces | 143M | 2 | 52 | HIGH |
| fill-range | 142M | 4 | 56 | ✅ OK |
| micromatch | 141M | 3 | 59 | MED |
| to-regex-range | 134M | 2 | 48 | HIGH |
| eslint | 125M | 2 | 66 | HIGH |
| react | 122M | 2 | 66 | HIGH |
| dotenv | 120M | 3 | 68 | MED |
| minimist | 117M | 3 | 79 | ✅ OK |
| vite | 105M | 4 | 66 | ✅ OK |
| axios | 101M | 1 | 64 | ⚠️ CRITICAL (attacked Apr 1) |
| express | 93M | 5 | 72 | ✅ OK |
| prettier | 87M | 11 | 75 | ✅ OK |
| date-fns | 78M | 1 | 56 | ⚠️ CRITICAL |
| sharp | 51M | 1 | 59 | ⚠️ CRITICAL |
| dayjs | 46M | 1 | 59 | ⚠️ CRITICAL |
| webpack | 45M | 8 | 75 | ✅ OK |
| jest | 44M | 5 | 70 | ✅ OK |
| next | 36M | 2 | 66 | HIGH |
| hono | 34M | 1 | 57 | ⚠️ CRITICAL |
| pino | 28M | 4 | 68 | ✅ OK |
| pg | 23M | 1 | 56 | ⚠️ CRITICAL |
| winston | 22M | 8 | 67 | ✅ OK |
| ioredis | 17M | 2 | 65 | HIGH |
| vue | 11M | 2 | 91 | HIGH |
Scores are 0–100, higher = safer. CRITICAL = single maintainer + >10M weekly downloads. Data: npm registry, April 17 2026.
The finding
16 of 41 packages (39%) have a single maintainer.
Those 16 packages together account for 2.82 billion npm downloads per week.
Some of these are so fundamental they appear in virtually every Node.js project as transitive dependencies — packages you never directly installed, never explicitly chose, and probably never thought about:
- minimatch (560M/wk): pattern matching used by eslint, jest, webpack, mocha, and almost everything else
- chalk (413M/wk): terminal colors used by virtually every CLI tool
- glob (332M/wk): file globbing embedded in build tooling everywhere
- cross-spawn (174M/wk): platform-safe child_process.spawn used in almost every build tool
You didn't choose these packages. They came with the ecosystem. Each has a single maintainer.
What happened with axios
On April 1, 2026, the axios maintainer's npm account was compromised. The attacker published a malicious version. npm audit had shown zero issues.
axios fits the exact profile that behavioral scoring flags: 1 maintainer, 101M weekly downloads, 11.6 years old. High-value target. Single point of failure.
The question isn't whether the axios maintainer was irresponsible — they built infrastructure that billions of downloads per week depend on, as a single person. The question is whether the ecosystem has any structural way to flag this exposure before it becomes a CVE.
What npm audit doesn't catch
npm audit looks for packages with known CVEs — vulnerabilities that have been discovered, reported, assigned a number, and added to a database. That process takes weeks to months.
The structural risk — a package with one maintainer that a billion developers depend on — never appears in the advisory database at all.
Behavioral commitment scoring answers a different question: before anything bad happens, which packages are structurally exposed?
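To make the rule concrete, here is an added example (not code from the post or from the proof-of-commitment project) that applies the post's own CRITICAL rule, one maintainer plus more than 10M weekly downloads, to data shaped like the npm registry packument and the npm downloads API. The sample objects are constructed (maintainer names are placeholders; counts are copied from the table above), and a lookup that returns no data is reported as UNKNOWN rather than silently passing.

```javascript
// Added example, not code from the post or the proof-of-commitment project.
// It applies the post's CRITICAL rule (one maintainer AND more than 10M weekly
// downloads) to objects shaped like the registry responses:
//   GET https://registry.npmjs.org/<pkg>                        -> { name, maintainers: [{ name, email }], ... }
//   GET https://api.npmjs.org/downloads/point/last-week/<pkg>   -> { downloads, start, end, package }
// The post's HIGH/MED tiers come from the tool's score, which the post does not
// define, so only CRITICAL / NOT_CRITICAL / UNKNOWN are derived here.

const WEEKLY_THRESHOLD = 10_000_000;

// Placeholder maintainer entries (constructed; real packuments carry name + email).
function placeholders(n) {
  return Array.from({ length: n }, (_, i) => ({ name: `maintainer-${i + 1}` }));
}

// Constructed sample input, trimmed to the fields the rule needs.
const SAMPLE = [
  { packument: { name: 'semver',     maintainers: placeholders(5) }, downloads: { downloads: 633_000_000 } },
  { packument: { name: 'minimatch',  maintainers: placeholders(1) }, downloads: { downloads: 560_000_000 } },
  { packument: { name: 'chalk',      maintainers: placeholders(1) }, downloads: { downloads: 413_000_000 } },
  { packument: { name: 'typescript', maintainers: placeholders(6) }, downloads: { downloads: 178_000_000 } },
  // Constructed failure case: no maintainer list and a downloads-API error body.
  { packument: { name: 'example-missing-data' }, downloads: { error: 'package not found' } },
];

// Classify one package. UNKNOWN when either source lacks data, so a failed
// lookup never shows up as a clean result.
function classify({ packument, downloads }) {
  const maintainers = Array.isArray(packument.maintainers) ? packument.maintainers.length : null;
  const weekly = Number.isFinite(downloads?.downloads) ? downloads.downloads : null;
  let status = 'UNKNOWN';
  if (maintainers !== null && weekly !== null) {
    status = maintainers === 1 && weekly > WEEKLY_THRESHOLD ? 'CRITICAL' : 'NOT_CRITICAL';
  }
  return { name: packument.name, maintainers, weekly, status };
}

// Aggregate the way the post does: how many packages are single-maintainer
// and how many weekly downloads ride on them.
function summarize(rows) {
  const critical = rows.filter((r) => r.status === 'CRITICAL');
  return {
    total: rows.length,
    critical: critical.length,
    unknown: rows.filter((r) => r.status === 'UNKNOWN').length,
    criticalWeekly: critical.reduce((sum, r) => sum + r.weekly, 0),
  };
}

const REPORT = SAMPLE.map(classify);
console.table(REPORT);
console.log(summarize(REPORT));
```

Swap the constructed SAMPLE for real fetches of the two endpoints above and the same two functions give you the structural view that npm audit does not.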
The packages that did well
High-download packages with strong maintainer depth show it's possible:
- prettier: 87M downloads, 11 maintainers, score 75
- webpack: 45M downloads, 8 maintainers, score 75
- winston: 22M downloads, 8 maintainers, score 67
- typescript: 178M downloads, 6 maintainers, score 73
- semver: 633M downloads, 5 maintainers, score 72
semver is the highest-download package in this list (633M/week) and has 5 maintainers. Not coincidentally, semver is maintained by the npm organization.
Try it yourself
Zero install:
```bash
npx proof-of-commitment axios zod chalk minimatch
# or scan your own project:
npx proof-of-commitment --file package.json
```
Web (no install): getcommit.dev/audit — paste packages, drop your package.json, or paste a GitHub URL directly.
Watchlist: getcommit.dev/watchlist — live tracking of top npm packages.
GitHub Action (posts risk table on your PR):
```yaml
- uses: piiiico/proof-of-commitment@main
  with:
    fail-on-critical: false
    comment-on-pr: true
```
MCP server (Claude Desktop, Cursor, Windsurf):
```json
{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
```
Data source: npm weekly downloads from the npm registry API. Maintainer counts from the npm registry. Scores from proof-of-commitment. All data as of April 17, 2026.