A comparison of process security scores vs behavioral risk signals on npm's most critical packages.

OpenSSF Scorecard measures whether a project follows secure development practices. Code review enforcement. Branch protection. SLSA provenance. Dangerous workflow detection. It's a process security score: does this repo handle its own development securely?

I've been building getcommit.dev, which measures something different: behavioral commitment signals. Publisher depth. Download concentration. Release consistency. Whether a single npm account holds publish access for a package downloaded 400 million times per week.

This week I added Scorecard integration to the API. Each package audit now returns both scores. The comparison is worth seeing.

The seven CRITICAL packages

These are npm packages that score CRITICAL on behavioral signals: one npm publisher + more than 10 million weekly downloads.…
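The CRITICAL rule above (one npm publisher and more than 10 million weekly downloads) can be checked against the public npm registry documents. The following is an added example, not getcommit.dev's or Scorecard's code; the `HIGH`/`LOW` tiers, the `Audit` type and the sample documents are assumptions for illustration.

```python
"""Hypothetical behavioral-risk check modelled on the post's CRITICAL rule.
Added example; not getcommit.dev's or Scorecard's code."""
from dataclasses import dataclass

CRITICAL_WEEKLY_DOWNLOADS = 10_000_000  # threshold stated in the post


@dataclass(frozen=True)
class Audit:
    name: str
    publishers: int
    weekly_downloads: int
    tier: str


def publisher_count(packument: dict) -> int:
    """Count distinct publish-capable accounts from a registry packument.
    The npm registry lists them under the top-level 'maintainers' array;
    the same account can appear twice, so dedupe by name."""
    return len({m["name"] for m in packument.get("maintainers", [])})


def risk_tier(packument: dict, downloads_doc: dict) -> Audit:
    """Classify a package. Only the CRITICAL rule comes from the post;
    HIGH (single publisher, smaller blast radius) and LOW are assumed."""
    pubs = publisher_count(packument)
    weekly = int(downloads_doc.get("downloads", 0))
    if pubs <= 1 and weekly > CRITICAL_WEEKLY_DOWNLOADS:
        tier = "CRITICAL"   # one account stands between the package and its users
    elif pubs <= 1:
        tier = "HIGH"       # assumed tier
    else:
        tier = "LOW"        # assumed tier
    return Audit(packument["name"], pubs, weekly, tier)


# Constructed sample documents, shaped like the responses from
# registry.npmjs.org/<pkg> and api.npmjs.org/downloads/point/last-week/<pkg>.
SAMPLE_PACKUMENT = {
    "name": "example-core",
    "maintainers": [{"name": "solo-dev", "email": "solo@example.invalid"}],
}
SAMPLE_DOWNLOADS = {"downloads": 412_000_000, "package": "example-core"}

if __name__ == "__main__":
    print(risk_tier(SAMPLE_PACKUMENT, SAMPLE_DOWNLOADS))
```

The same function run over a real packument would also surface packages whose `maintainers` array lists several entries that are all the same account.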