Most of npm runs on packages nobody maintains.
npm audit finds known vulnerabilities. oss-health-scan finds abandoned dependencies before they become one.
$ npx oss-health-scan
🪦 Hall of Risk — the most-depended-on dead packages
(Live counters, values not captured: deprecated or archived, of 123 most-depended-on packages; downloads / week these dead packages still pull; "cold", meaning no upstream push in 1–7 years.)
Deprecated scores 5/100 and archived scores 8/100: both are hard flags taken from the registry itself, not heuristics. Only one of these dead packages even trips a CVE, and that is the point: npm audit is blind to abandonment.
— live proof: packages I actively triage —
(Live counters, values not captured: Packages, Avg Health, npm / week, Stars, Open PRs.)
(Dashboard panels, data not captured: Package Health Scores, npm Downloads Distribution, Health Score Breakdown, Action Queue.)