proof-of-commitment 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -8
- package/index.js +11 -5
- package/package.json +3 -2
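--- a/package/README.md
+++ b/package/README.md
@@ -8,18 +8,21 @@ npx proof-of-commitment axios zod chalk
 
 ```
 ──────────────────────────────────────────────────────────────────────────
-Package Risk Score
+Package Risk Score Publishers Downloads Age
 ──────────────────────────────────────────────────────────────────────────
 axios 🔴 CRITICAL 89 1 102.0M/wk 11.6y
-
+↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+└ longevity=25 momentum=25 releases=20 publishers=4 github=15
 zod 🔴 CRITICAL 83 1 154.0M/wk 6.1y
-
+↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+└ longevity=25 momentum=25 releases=18 publishers=4 github=11
 chalk 🔴 CRITICAL 75 1 414.6M/wk 12.7y
-
+↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+└ longevity=25 momentum=22 releases=13 publishers=4 github=11
 ──────────────────────────────────────────────────────────────────────────
 
 ⚠ 3 CRITICAL packages found.
-CRITICAL = sole
+CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
 Full breakdown: https://getcommit.dev/audit?packages=axios,zod,chalk
 ```
 
@@ -27,16 +30,16 @@ chalk 🔴 CRITICAL 75 1 414.6M/wk 12.
 
 `npm audit` finds *known* CVEs — vulnerabilities already catalogued in a database. This scores *structural risk before it becomes a CVE*.
 
-The axios attack on April 1st, 2026: `npm audit` showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1
+The axios attack on April 1st, 2026: `npm audit` showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1 npm publisher, 96M downloads/week) — the exact publish-access concentration profile that made it a high-value target.
 
 **Score dimensions:**
 - **Longevity** (25 pts) — years in production
 - **Download Momentum** (25 pts) — weekly download trend
 - **Release Consistency** (20 pts) — days since last release
-- **
+- **Publisher Depth** (15 pts) — npm publish-access holders
 - **GitHub Backing** (15 pts) — organization/team support
 
-**CRITICAL** = sole
+**CRITICAL** = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
 
 ## Usage
 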
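--- a/package/index.js
+++ b/package/index.js
@@ -65,7 +65,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 padEnd(clr(c.bold, 'Package'), COL.name),
 padEnd(clr(c.bold, 'Risk'), COL.risk),
 padEnd(clr(c.bold, 'Score'), COL.score),
-padEnd(clr(c.bold, '
+padEnd(clr(c.bold, 'Publishers'), COL.maintainers),
 padEnd(clr(c.bold, 'Downloads'), COL.downloads),
 padEnd(clr(c.bold, 'Age'), COL.age),
 ].join(' ');
@@ -98,12 +98,18 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 
 console.log(row);
 
+// Show GitHub contributor context for CRITICAL packages with active communities
+if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL') && pkg.githubContributors && pkg.githubContributors > 1) {
+const ghCount = pkg.githubContributors === 35 ? '30+' : pkg.githubContributors;
+console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
+}
+
 // Score breakdown if available
 if (pkg.scoreBreakdown) {
 const b = pkg.scoreBreakdown;
 const breakdown = clr(c.dim,
 ` └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
-`releases=${b.releaseConsistency}
+`releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}`
 );
 console.log(breakdown);
 }
@@ -115,7 +121,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 if (effectiveCritical > 0) {
 const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
 console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
-console.log(clr(c.dim, ' CRITICAL = sole
+console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
 } else {
 const suffix = totalScanned ? ` (${totalScanned} packages scanned)` : '';
 console.log('\n' + clr(c.green, `✓ No CRITICAL packages found${suffix}.`));
@@ -153,13 +159,13 @@ ${clr(c.bold, 'Examples:')}
 npx proof-of-commitment axios chalk --json | jq '.criticalCount'
 
 ${clr(c.bold, 'Score meaning:')}
-🔴 CRITICAL Sole
+🔴 CRITICAL Sole npm publisher + >10M downloads/wk (publish-access concentration risk)
 🟠 HIGH Score < 40
 🟡 MODERATE Score 40–59
 🟡 GOOD Score 60–74
 🟢 HEALTHY Score 75+
 
-${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency ·
+${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · publisher depth · GitHub backing
 
 ${clr(c.bold, 'Web:')} ${WEB}
 ${clr(c.bold, 'MCP:')} ${clr(c.dim, 'Add to Claude Desktop / Cursor for AI-assisted auditing')}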
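Review bot: In the second hunk (new line 103), `pkg.githubContributors === 35` is a bare magic-number sentinel standing for "the contributor fetch hit its cap", so a repository with exactly 35 real contributors is rendered as `30+` while one with 36 would print a raw count that is presumably impossible under the cap; the link between 35 and the fetch limit is not visible in this hunk and will silently drift if that limit changes. Prefer a named module-level constant shared with the code that produces `githubContributors`, and compare with `>=` so the display degrades safely: `const GH_CONTRIBUTOR_CAP = 35; // NOTE(review): must match the fetch cap that caps githubContributors — confirm` and `const ghCount = pkg.githubContributors >= GH_CONTRIBUTOR_CAP ? '30+' : pkg.githubContributors;`. The guard on line 102 could also read `pkg.riskFlags?.includes('CRITICAL') && (pkg.githubContributors ?? 0) > 1`, which the file's existing template-literal and ES-module style supports. The message itself is right to keep the CRITICAL flag independent of GitHub activity — contributor count is not publish access, and the flag stays on `riskFlags` untouched here — but the rationale is only in the printed string, so a short comment above the `if` stating that GitHub contributors never reduce the npm publisher-concentration flag would help the next maintainer. `printTable` begins and ends outside these hunks.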
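--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "proof-of-commitment",
-"version": "1.
+"version": "1.4.0",
 "description": "Supply chain risk scorer for npm and PyPI packages — behavioral signals that can't be faked",
 "type": "module",
 "bin": {
@@ -22,7 +22,8 @@
 "risk",
 "behavioral",
 "commitment",
-"maintainer"
+"maintainer",
+"publisher"
 ],
 "author": "piiiico",
 "license": "MIT",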