Launched this week

npm-risk
Check npm package risk before you install
1 follower
npm-risk is a zero-dependency CLI that checks npm packages for basic supply-chain risk signals before you install them. It looks at publish recency, install scripts, dependencies, maintainers, known vulnerabilities, and GitHub health, then gives you a simple LOW / MEDIUM / HIGH risk score.
Try it: npx npm-risk
For more in-depth information: https://medium.com/@Freedruk/npm-risk-a-lightweight-way-to-think-before-you-install-47b66996e943



Hey Product Hunt
I built npm-risk because installing an npm package means trusting code that may run on your machine, your CI, or your production build.
Before adding a dependency, I wanted a fast way to ask:
"Is there anything here that deserves a closer look?"
So npm-risk checks basic risk signals like:
Recently published versions
Install lifecycle scripts
Runtime dependency count
Maintainer count
Known npm vulnerabilities
GitHub repo health: open issues, stars, archive status, and recent activity
It is intentionally zero-dependency and lightweight. It is not a full security scanner, and it does not replace npm audit or manual review. It is meant to be a quick first-pass signal before you install.
Try it with:
npx npm-risk <package-name>
I'd love feedback on the scoring, heuristics, and what checks should be added next.
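Added example, not npm-risk's own code, showing how the signals listed in the post (publish recency, install lifecycle scripts, runtime dependency count, maintainer count) can be read from a registry-style package document and mapped to a LOW / MEDIUM / HIGH label. The weights, thresholds, the constructed sample document and the assessPackage/collectSignals/scoreSignals names are assumptions, not the tool's heuristics.

```javascript
// Added example (not npm-risk's code): derive the post's risk signals from a
// registry-style package document and map them to LOW / MEDIUM / HIGH.
// Weights and thresholds are illustrative assumptions, not the tool's heuristics.
const DAY_MS = 24 * 60 * 60 * 1000;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Pull the signals for the "latest" dist-tag out of a registry document.
function collectSignals(doc, nowMs) {
  const version = doc['dist-tags'].latest;
  const manifest = doc.versions[version];
  const scripts = manifest.scripts || {};
  return {
    version,
    daysSincePublish: Math.floor((nowMs - Date.parse(doc.time[version])) / DAY_MS),
    installScripts: INSTALL_HOOKS.filter((hook) => hook in scripts),
    runtimeDeps: Object.keys(manifest.dependencies || {}).length,
    maintainers: (doc.maintainers || []).length,
  };
}

// Weighted heuristics: install hooks and a very fresh publish weigh most,
// because that pair is where a hijacked release does its damage on `npm install`.
function scoreSignals(s) {
  const reasons = [];
  let score = 0;
  if (s.installScripts.length) { score += 2; reasons.push(`install scripts: ${s.installScripts.join(', ')}`); }
  if (s.daysSincePublish < 7) { score += 2; reasons.push(`published ${s.daysSincePublish} day(s) ago`); }
  if (s.maintainers <= 1) { score += 1; reasons.push(`${s.maintainers} maintainer(s)`); }
  if (s.runtimeDeps > 20) { score += 1; reasons.push(`${s.runtimeDeps} runtime dependencies`); }
  const level = score >= 3 ? 'HIGH' : score >= 1 ? 'MEDIUM' : 'LOW';
  return { level, score, reasons };
}

function assessPackage(doc, nowMs = Date.now()) {
  return scoreSignals(collectSignals(doc, nowMs));
}

// Constructed sample: a fresh, single-maintainer release that adds a postinstall hook.
const NOW_MS = Date.parse('2025-01-10T00:00:00Z');
const SAMPLE_DOC = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.4.0' },
  time: { '1.3.0': '2024-03-01T00:00:00Z', '1.4.0': '2025-01-08T12:00:00Z' },
  maintainers: [{ name: 'solo-maintainer' }],
  versions: {
    '1.4.0': { scripts: { postinstall: 'node setup.js' }, dependencies: { 'dep-a': '^1.0.0', 'dep-b': '^2.0.0' } },
  },
};

console.log(assessPackage(SAMPLE_DOC, NOW_MS)); // level: 'HIGH', score: 5
```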