npm package commitment scores: zod has 139M weekly downloads and one maintainer
Source: DEV Community
Supply chain attacks are not a novel threat. But there's a pattern in the data that rarely gets called out directly: the most-downloaded npm packages are often maintained by a single person. High downloads + one maintainer = one stolen credential away from a breach affecting millions of builds.

Why I built npm commitment scoring

I've been building Proof of Commitment — an MCP server that exposes behavioral trust signals to AI agents. The thesis: behavioral signals are harder to fake than declarative ones (READMEs, star counts, review ratings).

Last week I shipped a GitHub repo commitment scorer. This week: npm packages.

The scoring model looks at five dimensions:

- Longevity (25 pts) — how long the package has existed
- Download momentum (25 pts) — recent volume + trend (growing/stable/declining)
- Release consistency (20 pts) — version count + recency of last publish
- Maintainer depth (15 pts) — number of current maintainers
- GitHub backing (15 pts) — if linked repo, pulls GitHub commit score
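One way to turn that rubric into code, as an added example that is not Proof of Commitment's own implementation: the point caps come from the post, while every per-dimension formula and threshold, the shape of the package record, and the sample figures are assumptions of this example. It shows the property the post is getting at: a package with enormous download volume still loses the whole maintainer-depth bucket when one person holds the publish rights.

```javascript
// Added example (not Proof of Commitment's code): a toy scorer for the five
// dimensions above. The point caps 25/25/20/15/15 come from the post; every
// per-dimension formula and threshold here is an assumption of this example.
const MS_PER_YEAR = 365.25 * 24 * 3600 * 1000;
const clamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));
const yearsBetween = (fromIso, toIso) => (Date.parse(toIso) - Date.parse(fromIso)) / MS_PER_YEAR;
// Longevity (25 pts): full marks once the package is 5+ years old.
function longevityScore(createdIso, nowIso) {
  return Math.round(25 * clamp(yearsBetween(createdIso, nowIso) / 5, 0, 1));
}
// Download momentum (25 pts): 15 for volume on a log scale (1M+/week saturates)
// plus 10 for the trend versus the previous period (growing 10, stable 5, declining 0).
function momentumScore(weeklyNow, weeklyPrev) {
  const volume = 15 * clamp(Math.log10(Math.max(weeklyNow, 1)) / 6, 0, 1);
  const ratio = weeklyNow / Math.max(weeklyPrev, 1);
  return Math.round(volume + (ratio > 1.05 ? 10 : ratio >= 0.95 ? 5 : 0));
}
// Release consistency (20 pts): 10 for version count (50+ saturates) plus 10
// that decays to 0 as the last publish ages past two years.
function releaseScore(versionCount, lastPublishIso, nowIso) {
  const count = 10 * clamp(versionCount / 50, 0, 1);
  const recency = 10 * clamp(1 - yearsBetween(lastPublishIso, nowIso) / 2, 0, 1);
  return Math.round(count + recency);
}
// Maintainer depth (15 pts): the single-maintainer case the post warns about
// scores 0 regardless of download volume; three or more maintainers score 15.
function maintainerScore(maintainerCount) {
  return maintainerCount <= 1 ? 0 : maintainerCount === 2 ? 8 : 15;
}
// GitHub backing (15 pts): scales a linked repo's 0-100 commit score; null = no linked repo.
function githubScore(repoCommitScore) {
  return repoCommitScore == null ? 0 : Math.round(15 * clamp(repoCommitScore / 100, 0, 1));
}
// Combine the five buckets; returns the per-dimension breakdown plus the total.
function commitmentScore(pkg, nowIso) {
  const parts = {
    longevity: longevityScore(pkg.created, nowIso),
    momentum: momentumScore(pkg.weeklyDownloads, pkg.weeklyDownloadsPrev),
    releases: releaseScore(pkg.versionCount, pkg.lastPublish, nowIso),
    maintainers: maintainerScore(pkg.maintainerCount),
    github: githubScore(pkg.githubCommitScore),
  };
  return { ...parts, total: Object.values(parts).reduce((a, b) => a + b, 0) };
}
// Constructed sample (illustrative figures, not registry data): huge volume, active releases, one maintainer.
const samplePkg = {
  created: '2020-03-01T00:00:00Z', weeklyDownloads: 139_000_000, weeklyDownloadsPrev: 120_000_000,
  versionCount: 300, lastPublish: '2025-05-20T00:00:00Z', maintainerCount: 1, githubCommitScore: 80,
};
```

Calling `commitmentScore(samplePkg, '2025-06-01T00:00:00Z')` gives full marks on longevity, momentum and releases but 0 for maintainer depth, so the total tops out at 82 rather than 100.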