Run npx proof-of-commitment express. Express itself scores 89/100 — consistent releases, broad maintainer team, 12+ years of history. But Express's direct dependencies tell a different story. Two of them score CRITICAL:

escape-html — score 61, 1 maintainer, 77.9M downloads/week. Last published: September 1, 2015. Version 1.0.3 is the only version this package has ever had, pushed nearly 11 years ago.

once — score 68, 1 maintainer (isaacs, former npm CEO), 114M downloads/week. Last published: September 2016. Nearly 10 years of no changes, still pulling 114 million weekly installs.

Neither has a CVE. npm audit shows zero issues. But each has an npm token that can publish a new version — and there's no mechanism preventing a compromised token from pushing 1.0.4 tomorrow.

What "no updates since 2015" actually means

The intuitive read: it's stable, nothing needs to change. That's often true. escape-html is a 20-line utility. Once you correctly escape <, >, and &, you're done.…
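The stale, single-token pattern described above can be checked mechanically before a new release is ever pulled in. The following is an added example, not code from proof-of-commitment, Express or either package: it assesses each dependency in a package.json against npm registry metadata and flags the combination of a stale latest release, a single maintainer (hence a single publish token) and a version range that would silently accept a newly pushed 1.0.4. The registry documents, the package.json, the `once` version number and the five-year threshold are constructed assumptions.

```javascript
// Added example, not proof-of-commitment's own code. The registry documents below are
// constructed; their field names (dist-tags, time, maintainers) mirror the npm registry
// document format. STALE_YEARS is an assumed threshold, not the tool's.
const STALE_YEARS = 5;
const registry = {
  "escape-html": {
    "dist-tags": { latest: "1.0.3" },
    time: { "1.0.3": "2015-09-01T00:00:00.000Z" },
    maintainers: [{ name: "maintainer-a" }], // placeholder name
  },
  "once": {
    "dist-tags": { latest: "1.4.0" }, // constructed version number
    time: { "1.4.0": "2016-09-01T00:00:00.000Z" },
    maintainers: [{ name: "isaacs" }],
  },
  "fresh-lib": { // constructed, actively maintained package for contrast
    "dist-tags": { latest: "2.3.1" },
    time: { "2.3.1": "2026-04-15T00:00:00.000Z" },
    maintainers: [{ name: "a" }, { name: "b" }, { name: "c" }],
  },
};
// Constructed package.json: note the tilde/caret ranges on the two stale packages.
const samplePackageJson = {
  dependencies: { "escape-html": "~1.0.3", "once": "^1.4.0", "fresh-lib": "2.3.1" },
};
// Simplified semver check: only an exact "x.y.z" declaration rejects a new patch;
// ^, ~, x-ranges, "*" and dist-tags all let a fresh `npm install` pick it up.
function rangeAcceptsNewPatch(range) {
  return !/^\d+\.\d+\.\d+$/.test(range.trim());
}
function assessDependency(name, range, doc, now = new Date()) {
  const latest = doc["dist-tags"].latest;
  const yearsIdle = (now - new Date(doc.time[latest])) / (365.25 * 86400000);
  const maintainers = doc.maintainers.length;
  const reasons = [];
  if (yearsIdle >= STALE_YEARS) reasons.push(`latest release ${yearsIdle.toFixed(1)}y old`);
  if (maintainers === 1) reasons.push("single maintainer, so a single publish token");
  if (rangeAcceptsNewPatch(range)) reasons.push(`range "${range}" accepts an unseen patch`);
  // All three together is the pattern described above: stale, one token, auto-upgrade.
  return { name, latest, yearsIdle, maintainers, reasons, critical: reasons.length === 3 };
}

function assessPackageJson(pkg, docs, now) {
  return Object.entries(pkg.dependencies || {})
    .filter(([name]) => name in docs)
    .map(([name, range]) => assessDependency(name, range, docs[name], now));
}
for (const r of assessPackageJson(samplePackageJson, registry))
  console.log(`${r.critical ? "CRITICAL" : "ok"} ${r.name}@${r.latest}: ${r.reasons.join("; ") || "none"}`);
```

A lockfile plus `npm ci` already freezes what gets installed; the range check catches the package.json declarations that would pick up a new patch on the next `npm install` or `npm update`.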