@cyberhub/pkgtrust
v0.3.0
Trust scoring for npm packages — maintainer risk, package health, and supply chain signals
# pkgtrust
Before you `npm install`, know what you're getting into.
```bash
# Install globally (recommended)
npm install -g @cyberhub/pkgtrust
pkgtrust scan express

# Or use via npx
npx --package=@cyberhub/pkgtrust pkgtrust scan express [email protected]
```

```text
████████████████░░░░ 82/100 A TRUSTED
Confidence: high

Breakdown:
  Maintainer Trust: ██████████████████░░ 88
  Package Health:   ████████████████░░░░ 78
  Supply Chain:     ████████████████████ 95
  Community:        ██████████████░░░░░░ 72

Flags:
  MEDIUM  30 direct dependencies
  LOW     No provenance attestation on latest version
  INFO    Published with 2FA enabled (signed)
```

## Install
```bash
# Install globally (recommended)
npm install -g @cyberhub/pkgtrust

# Then use from anywhere
pkgtrust scan lodash
pkgtrust compare axios got node-fetch
pkgtrust maintainer sindresorhus

# Or use via npx (no install needed)
npx --package=@cyberhub/pkgtrust pkgtrust scan lodash
```

## Commands
### Scan a package

```bash
pkgtrust scan express
pkgtrust scan @anthropic-ai/sdk
pkgtrust scan react --json
```

### Scan your project

Scans all dependencies in package.json:

```bash
pkgtrust scan
```

### Compare packages
```bash
pkgtrust compare axios got node-fetch
```

Output:

```text
Metric               axios         got           node-fetch
───────────────────  ────────────  ────────────  ────────────
Trust Score          78            82            85
Grade                B+            A             A
Maintainer Trust     75            80            90
Package Health       80            85            82
Supply Chain         85            90            95
Flags                3             2             1

Winner: node-fetch
```

### Maintainer lookup

```bash
pkgtrust maintainer sindresorhus
```

### CI gate
Fail the build if any dependency scores below the threshold:

```bash
pkgtrust gate --min-score=50
```

Exit code 0 = pass, 1 = fail. Use in CI:

```yaml
- run: npx @cyberhub/pkgtrust gate --min-score=50
```

### JSON output

```bash
pkgtrust scan express --json
pkgtrust scan --json > trust-report.json
```

## Scoring Methodology
Each package gets a composite trust score (0-100) from four categories:
| Category | Weight | What it measures |
|----------|--------|------------------|
| Maintainer Trust | 40% | Account age, publication record, maintainer changes, multi-maintainer, publish cadence, email domain, 2FA |
| Package Health | 30% | Install scripts, dependency count, license, provenance, size changes, binary detection, deprecation |
| Supply Chain | 20% | Typosquatting risk, known compromises, source-registry consistency |
| Community | 10% | GitHub stars, contributors, commit recency, CI, downloads |
### Grades

| Grade | Score | Tier |
|-------|-------|------|
| A+ | 95-100 | Trusted |
| A | 85-94 | Trusted |
| B+ | 75-84 | Standard |
| B | 65-74 | Standard |
| C+ | 55-64 | Caution |
| C | 45-54 | Caution |
| D | 30-44 | Caution |
| F | 0-29 | Avoid |
### Confidence

Shows how many data signals were available:

- High — 70%+ of signals available (npm metadata + GitHub + downloads)
- Medium — 40-69% of signals available
- Low — <40% of signals available (score less reliable)
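As an added illustration (not pkgtrust's own code) of the weights, grade bands and confidence bands stated above, together with the exit-code rule of the `gate` command, the following JavaScript computes a composite score, grade, tier and confidence from constructed category scores; the function names and sample inputs are assumptions.

```javascript
// Added illustration of the documented scoring methodology; not pkgtrust's own code.
// Weights, grade bands, tiers and confidence bands are taken from this README;
// function names and the sample inputs at the bottom are constructed.
const WEIGHTS = { maintainer: 0.4, health: 0.3, supplyChain: 0.2, community: 0.1 };

// Grade bands from the Grades table, highest band first: [grade, minScore, tier].
const GRADES = [
  ['A+', 95, 'Trusted'], ['A', 85, 'Trusted'],
  ['B+', 75, 'Standard'], ['B', 65, 'Standard'],
  ['C+', 55, 'Caution'], ['C', 45, 'Caution'], ['D', 30, 'Caution'],
  ['F', 0, 'Avoid'],
];

// Composite 0-100 score: weighted sum of the four category scores, rounded.
function compositeScore(categories) {
  const raw = Object.entries(WEIGHTS)
    .reduce((sum, [name, weight]) => sum + weight * categories[name], 0);
  return Math.round(raw);
}

// Map a composite score onto its letter grade and risk tier.
function gradeFor(score) {
  const [grade, , tier] = GRADES.find(([, min]) => score >= min);
  return { grade, tier };
}

// Confidence reflects how many of the data signals were actually available.
function confidence(availableSignals, totalSignals) {
  const pct = (availableSignals / totalSignals) * 100;
  if (pct >= 70) return 'high';
  if (pct >= 40) return 'medium';
  return 'low';
}

// CI gate rule: exit code 0 when every dependency meets the threshold, 1 otherwise.
function gate(scoresByPackage, minScore = 50) {
  const failing = Object.entries(scoresByPackage)
    .filter(([, score]) => score < minScore)
    .map(([name]) => name);
  return { exitCode: failing.length > 0 ? 1 : 0, failing };
}

// Constructed sample: category scores for one package, then a two-package project gate.
const sampleCategories = { maintainer: 88, health: 78, supplyChain: 95, community: 72 };
const sampleScore = compositeScore(sampleCategories);
console.log(sampleScore, gradeFor(sampleScore), confidence(14, 18));
console.log(gate({ 'example-pkg': sampleScore, 'weak-example-pkg': 42 }, 50));
```

Note that the plain weighted sum of the sample breakdown shown at the top of this page (88/78/95/72) comes to 85, while that sample reports 82, so the published tool evidently adjusts beyond the weighted sum; this block implements only what the tables state.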
## Known Compromise Database

pkgtrust cross-references against historically compromised packages:

| Package | Incident |
|---------|----------|
| event-stream | Malicious flatmap-stream injection (2018) |
| ua-parser-js | Cryptominer in v0.7.29/0.8.0/1.0.0 (2021) |
| colors | Maintainer sabotaged with infinite loop (2022) |
| faker | Maintainer deleted all code (2022) |
| node-ipc | Protestware targeting Russian IPs (2022) |
| @ledgerhq/connect-kit | Wallet drainer injection (2023) |
## Programmatic API

```javascript
import { scanPackage, scanProject, comparePackages } from '@cyberhub/pkgtrust';

// Score a single package
const score = await scanPackage('express');
console.log(score.score, score.grade, score.tier);

// Scan project dependencies
const result = await scanProject('./my-project');
console.log(result.summary.averageScore);

// Compare alternatives
const comparison = await comparePackages(['axios', 'got', 'node-fetch']);
console.log(comparison.winner);
```

## Options
| Flag | Description |
|------|-------------|
| --json | Output as JSON |
| --min-score=N | Gate threshold (default: 50) |
| --sync | Sync scores to nrupak.com for trending |
## How it works

- Fetches package metadata from registry.npmjs.org
- Queries 8 security databases in parallel (GitHub Advisories, OSV.dev, npm audit, Snyk, Socket.dev, npms.io, Bundlephobia, deps.dev)
- Fetches GitHub repo health and OpenSSF Scorecard
- Scores across 18+ signals in 4 categories with live CVE data
- Applies transitive risk — if your dependency depends on a breached package, you get flagged
- Applies maintainer cross-reference — if a maintainer has compromised history, all their packages get flagged
- Produces composite score with letter grade and risk tier
- Stores results locally + optionally syncs to nrupak.com dashboard
## Features

- 8 Security Databases: GitHub Advisories, OSV.dev, npm audit, Snyk, Socket.dev, npms.io, Bundlephobia, deps.dev
- Transitive Risk: Flags packages that depend on breached dependencies
- Maintainer Cross-Reference: Flags packages by compromised maintainers
- Package Compare: `pkgtrust compare axios got node-fetch`
- CI Gate: `pkgtrust gate --min-score=50` fails builds below threshold
- Dependency Tree: Visualizes full dep chain with vuln indicators
- GitHub PR Bot: Auto-comments trust scores on PRs with dependency changes
- Leaderboard: Top packages ranked by trust at nrupak.com/trust/leaderboard
- Verified Maintainers: Maintainers can claim and verify their profiles
## Dashboard
Public trust scores at nrupak.com/trust:
- Search: Look up any npm package or maintainer
- Browse: Filter all scored packages by tier, sort by score/date
- Compare: Side-by-side comparison at /trust/compare
- Leaderboard: Top packages ranked at /trust/leaderboard
- Maintainer Profiles: OSINT view with GitHub data, packages, verified badges
- GitHub PR Bot: Setup at /trust/github-app
## Zero Dependencies

pkgtrust has zero runtime dependencies. It is built on only the Node.js built-in fetch API.
## License
MIT — Nrupak Shah
