How npm Behavioral Risk Scoring Works: The Methodology Behind getcommit.dev

DEV Community·Pico·about 1 month ago

How Commit Scores npm Packages: The Methodology Behind getcommit.dev/audit

In October 2021, ua-parser-js was compromised. ~8 million downloads per week. npm audit showed zero issues. The structural risk — a sole maintainer controlling a widely-used package — was visible in public registry data long before anyone filed a CVE (CVE-2021-41265/CVE-2021-41266). This article explains how behavioral commitment scoring identifies that risk.

When I published the supply chain risk analysis, the most common question was: "How does your scoring actually work? Show me the math." Fair question. If you're going to trust a tool with your dependency decisions, you should be able to inspect, debate, and reject specific choices in the methodology. This is that article.

The Problem: npm audit Answers the Wrong Question

npm audit is a CVE scanner. It checks a package's version against a database of known vulnerabilities. When a CVE is filed, catalogued, and propagated, your tool will catch it. That's useful.…
