proof-of-commitment
v1.6.0
Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked
Downloads: 1,002
proof-of-commitment
Supply chain risk scorer for npm, PyPI, Cargo (Rust), and Go modules. Behavioral signals that can't be faked.
```text
npx proof-of-commitment axios zod chalk
──────────────────────────────────────────────────────────────────────────
Package   Risk Score      Publishers   Downloads   Age
──────────────────────────────────────────────────────────────────────────
axios     🔴 CRITICAL 89  1            102.0M/wk   11.6y
  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
  └ longevity=25 momentum=25 releases=20 publishers=4 github=15
zod       🔴 CRITICAL 83  1            154.0M/wk   6.1y
  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
  └ longevity=25 momentum=25 releases=18 publishers=4 github=11
chalk     🔴 CRITICAL 75  1            414.6M/wk   12.7y
  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
  └ longevity=25 momentum=22 releases=13 publishers=4 github=11
──────────────────────────────────────────────────────────────────────────
⚠ 3 CRITICAL packages found.
CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
Full breakdown: https://getcommit.dev/audit?packages=axios,zod,chalk
```
What this does
npm audit finds known CVEs: vulnerabilities already catalogued in a database. Proof of Commitment scores the structural risk in how a package is published and maintained, before anything becomes a CVE.
In the axios attack on April 1st, 2026, npm audit showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1 npm publisher, 96M downloads/week): exactly the publish-access concentration profile that makes a package a high-value target.
Score dimensions:
- Longevity (25 pts) — years in production
- Download Momentum (25 pts) — weekly download trend
- Release Consistency (20 pts) — days since last release
- Publisher Depth (15 pts) — number of npm publish-access holders
- GitHub Backing (15 pts) — organization/team support
The Risk Score column is the sum of the five dimensions (100 max), so a higher number means a stronger project; in the sample output above axios scores 25+25+20+4+15 = 89. The CRITICAL flag is applied separately and does not depend on that total, which is why a package scoring 89 is still CRITICAL.
CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
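Added illustrative scorer, not the project's own code: it combines the five dimensions above into the 100-point total and then applies the CRITICAL rule independently of that total. The 25/25/20/15/15 split and the CRITICAL rule are taken from this README; every per-dimension threshold (years to full longevity marks, the momentum and release-age curves, 4 points per publisher, the GitHub backing split) and the two packages' metadata are assumptions constructed for the example, so real scores from the tool will differ.

```javascript
// Illustrative scorer: not the proof-of-commitment source. The 100-point
// split (25/25/20/15/15) and the CRITICAL rule (sole npm publisher and more
// than 10M weekly downloads) come from the README; every threshold and curve
// inside the dimension functions below is an assumption made for this example.

const CRITICAL_WEEKLY_DOWNLOADS = 10_000_000;

const clamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));

// Longevity (25 pts): assumed linear, full marks at five or more years in production.
function longevityPoints(ageYears) {
  return Math.round(clamp(ageYears / 5, 0, 1) * 25);
}

// Download momentum (25 pts): trend between the oldest and newest weekly count.
// Assumed: a 20% decline or worse scores 0, 5% growth or better scores 25.
function momentumPoints(weeklyDownloads) {
  if (weeklyDownloads.length < 2 || weeklyDownloads[0] === 0) return 0;
  const first = weeklyDownloads[0];
  const last = weeklyDownloads[weeklyDownloads.length - 1];
  const trend = (last - first) / first;
  return Math.round(clamp((trend + 0.2) / 0.25, 0, 1) * 25);
}

// Release consistency (20 pts): assumed full marks within 30 days of the last
// release, decaying linearly to 0 at a year without a release.
function releasePoints(daysSinceLastRelease) {
  return Math.round(clamp((365 - daysSinceLastRelease) / (365 - 30), 0, 1) * 20);
}

// Publisher depth (15 pts): assumed 4 points per publish-access holder, capped
// at 15, which reproduces the publishers=4 shown for a single publisher above.
function publisherPoints(publisherCount) {
  return Math.min(15, 4 * publisherCount);
}

// GitHub backing (15 pts): assumed 8 for an organization-owned repository plus
// 1 per five contributors, capped at 7.
function githubPoints({ orgOwned, contributors }) {
  return (orgOwned ? 8 : 0) + Math.min(7, Math.floor(contributors / 5));
}

// Combine the dimensions, then apply the CRITICAL rule independently of the
// total: a strong 100-point score does not clear a sole-publisher package.
function scorePackage(meta) {
  const breakdown = {
    longevity: longevityPoints(meta.ageYears),
    momentum: momentumPoints(meta.weeklyDownloads),
    releases: releasePoints(meta.daysSinceLastRelease),
    publishers: publisherPoints(meta.publishers),
    github: githubPoints(meta),
  };
  const score = Object.values(breakdown).reduce((sum, v) => sum + v, 0);
  const latestWeekly = meta.weeklyDownloads[meta.weeklyDownloads.length - 1];
  const critical = meta.publishers === 1 && latestWeekly > CRITICAL_WEEKLY_DOWNLOADS;
  return { name: meta.name, score, breakdown, critical };
}

// Constructed metadata for two hypothetical packages (not real registry data).
const SAMPLE_WIDELY_USED = {
  name: "widely-used-lib", ageYears: 11.6,
  weeklyDownloads: [100_000_000, 105_000_000, 110_000_000],
  daysSinceLastRelease: 20, publishers: 1, orgOwned: true, contributors: 30,
};
const SAMPLE_NICHE = {
  name: "niche-lib", ageYears: 2,
  weeklyDownloads: [50_000, 45_000, 40_000],
  daysSinceLastRelease: 200, publishers: 3, orgOwned: false, contributors: 4,
};

for (const meta of [SAMPLE_WIDELY_USED, SAMPLE_NICHE]) {
  const r = scorePackage(meta);
  const tag = r.critical ? "CRITICAL" : "ok";
  console.log(`${r.name.padEnd(16)} ${tag.padEnd(9)} ${r.score}  ${JSON.stringify(r.breakdown)}`);
}
```

The widely used package scores 88 of 100 and is still CRITICAL, because the flag reads only the publisher count and the download volume; the niche package scores 32 and is not flagged. That separation is the point of the tool: a healthy-looking project with one set of publish credentials is the profile an attacker targets.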
Usage
```bash
# Score npm packages
npx proof-of-commitment axios zod chalk lodash express
# Score PyPI packages
npx proof-of-commitment --pypi litellm langchain requests numpy
# Score Rust crates
npx proof-of-commitment --cargo serde tokio reqwest
# Score Go modules (full module path required — host/owner/repo)
npx proof-of-commitment --golang github.com/gin-gonic/gin golang.org/x/net
# Auto-detect from manifest / lock / module file
npx proof-of-commitment --file package.json       # npm
npx proof-of-commitment --file package-lock.json  # full transitive
npx proof-of-commitment --file requirements.txt   # PyPI
npx proof-of-commitment --file Cargo.toml         # Rust direct deps
npx proof-of-commitment --file go.mod             # Go direct + indirect
npx proof-of-commitment --file go.sum             # Go full transitive set
# Short alias
npx poc axios zod chalk
```
Go modules note: Go has no centralized download counter and no publisher registry. Scoring is GitHub-primary: longevity, release cadence, GitHub contributor count, OpenSSF Scorecard, and stars (popularity proxy). The "publishers" column in Go output shows GitHub push-access contributors — the closest equivalent to npm publishers.
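Scoring from package-lock.json covers the full transitive set, which first requires enumerating every registry package the lockfile installs. The following is an added example of that enumeration, not the tool's own code (the page does not document how proof-of-commitment itself walks the lockfile); the lockfile object is constructed, and it covers the cases a direct-dependency scan of package.json misses: a second version installed under a nested node_modules, scoped names, dev-only subtrees, and workspace symlinks that are not registry artifacts.

```javascript
// Enumerate every registry package an npm lockfile (lockfileVersion 2 or 3)
// installs. Not the proof-of-commitment source; the lockfile is constructed.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.6.0", chalk: "^5.3.0" } },
    "node_modules/axios": { version: "1.6.8", dependencies: { "follow-redirects": "^1.15.6" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/@types/node": { version: "20.12.7", dev: true },
    "node_modules/some-tool": { version: "2.0.0", dev: true, dependencies: { chalk: "^4.1.2" } },
    // nested install: a second chalk that a direct-deps scan of package.json never sees
    "node_modules/some-tool/node_modules/chalk": { version: "4.1.2", dev: true },
    // workspace symlink: points at local source, not a registry artifact
    "node_modules/internal-lib": { resolved: "packages/internal-lib", link: true },
    "packages/internal-lib": { name: "internal-lib", version: "0.0.1" },
  },
};

// The installed name is everything after the last "node_modules/" segment,
// which keeps scoped names such as "@types/node" intact.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns Map<name, Set<version>>; a name with several versions means several
// distinct artifacts were fetched from the registry under that name.
function transitivePackages(lock, { includeDev = true } = {}) {
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 uses a nested 'dependencies' tree; not handled here");
  }
  const byName = new Map();
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === "") continue;        // the root project itself
    if (entry.link) continue;                // workspace symlink
    if (!includeDev && entry.dev) continue;  // devDependencies subtree
    const name = packageNameFromPath(installPath);
    if (name === null) continue;             // workspace source directory
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  return byName;
}

// Sorted, de-duplicated names, ready to hand to the scorer on the command line.
function scorerArgs(lock, opts) {
  return [...transitivePackages(lock, opts).keys()].sort();
}

const installed = transitivePackages(SAMPLE_LOCKFILE);
for (const [name, versions] of installed) {
  console.log(`${name.padEnd(18)} ${[...versions].join(", ")}`);
}
console.log("npx proof-of-commitment " + scorerArgs(SAMPLE_LOCKFILE, { includeDev: false }).join(" "));
```

Dev-only packages are included by default because a compromised build tool runs with the same access as a runtime dependency on a CI machine; pass includeDev: false only when the question is specifically about what ships.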
Zero-install MCP server (for Claude, Cursor, Windsurf)
Add to your AI tool's config:
```json
{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
```
Then ask: "Audit the dependencies in my package.json" or "What's the risk profile of vercel/ai?"
GitHub Action
Posts audit results directly on your PR:
```yaml
- uses: piiiico/proof-of-commitment@main
  with:
    fail-on-critical: false
    comment-on-pr: true
```
Place the step in a workflow triggered on pull_request; if the action comments through the default GITHUB_TOKEN, the job needs the pull-requests: write permission. Set fail-on-critical to true to have the check fail when a CRITICAL package is found. @main is a mutable ref, so for a production pipeline pin the action to a release tag or a full commit SHA, as you would for any third-party action.
Links
- Web demo: https://getcommit.dev/audit
- Live watchlist: https://getcommit.dev/watchlist (top 25 npm packages by structural risk)
- GitHub: https://github.com/piiiico/proof-of-commitment
