npm audit is a CVE scanner. It queries a database of known vulnerabilities against the package versions in your lockfile. When a CVE is filed, catalogued, and propagated, it will appear. Before that: silence.

The problem with that model is that supply chain attacks don't announce themselves. Before the ua-parser-js attack (October 2021, 8M weekly downloads), before the LiteLLM attack (March 2026), before the Bitwarden CLI incident, every tool returned a clean result. The structural preconditions for compromise were visible in public registry data. The tools just weren't looking.

Proof-of-commitment measures those preconditions. Here's how the scoring works, from registry data to CRITICAL flag.

Five Dimensions, All Public Data

Every package gets scored across five behavioral dimensions. No proprietary data sources, no scraping, no access required beyond the public npm registry and GitHub API.

1. Longevity (25 pts)

Package age in years, from pkg.time["created"] in the registry response.…
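As an added example (not proof-of-commitment's own code), here is how the longevity input can be derived offline from a registry document: the `time.created` field is parsed and turned into an age in years, with a missing or future timestamp earning no age credit. The sample document is constructed, and the mapping from years to the 25 points is not shown here because the page does not state it.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of an npm registry response (not a real package).
# The field the longevity dimension reads is time["created"].
SAMPLE_REGISTRY_DOC = {
    "name": "example-pkg",
    "time": {
        "created": "2019-03-15T10:20:30.123Z",
        "modified": "2024-01-02T00:00:00.000Z",
        "1.0.0": "2019-03-15T10:20:30.123Z",
    },
}


def parse_registry_time(value: str) -> datetime:
    """Parse an npm registry timestamp into an aware UTC datetime.

    The registry writes a trailing 'Z'; datetime.fromisoformat only accepts
    that from Python 3.11 on, so it is normalised to '+00:00' first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def longevity_years(doc: dict, now: Optional[datetime] = None) -> float:
    """Package age in years from doc["time"]["created"].

    Returns 0.0 when the field is absent, empty, or in the future, so a
    malformed or tampered record cannot claim age it does not have.
    """
    created_raw = doc.get("time", {}).get("created")
    if not created_raw:
        return 0.0
    created = parse_registry_time(created_raw)
    now = now or datetime.now(timezone.utc)
    age_days = (now - created).total_seconds() / 86400.0
    return max(age_days, 0.0) / 365.25


if __name__ == "__main__":
    print(f"{SAMPLE_REGISTRY_DOC['name']}: {longevity_years(SAMPLE_REGISTRY_DOC):.2f} years")
```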