npm.tax

Model the risk of a supply-chain compromise in an npm dependency tree, explore scenarios, and share a report to convince your boss that you're sitting ducks.

Theme
Scenario

This scenario has a 36.21% modeled chance of at least one package compromise in 1 year.

Expected time to breach
2.2 years

This scenario uses 872 modeled packages (the project itself + 23 direct + 848 transitive) and a 1.41e-6 daily per-package breach probability.

Adjust parameters below to see how they affect overall risk.

Dependency iceberg
Dependency iceberg showing 23 direct dependencies above 848 transitive dependencies.
Direct

23

Transitive

848

34.98% additional modeled probability from the below-surface tree.

Modeled surface
872
includes the project itself

Look up a real package's risk

Pull dependency counts from npm and npmx, then use them as the starting point for the scenario.

Tune the model

23
0200
848
05000
1yr
1d3yr
1.41e-6
1e-8 (~0.00037%/yr)1e-3 (~30.6%/yr)

About the default

Default dependency counts use Table 2 from Pinning Is Futile: a median GitHub npm project has 23 direct and 848 transitive dependencies when development dependencies are included. The daily per-package probability is still a scenario assumption.

Cumulative breach probability

The full tree is the risk line. The dashed lines show how much direct dependencies alone understate the surface area.

1 year horizon
Line chart showing cumulative breach probability over time for all modeled packages, project plus direct dependencies, and half of the transitive dependency tree0%25%50%75%100%0d73d146d219d292d365dDaysBreach Probability
All 872 packages
Project + direct (24)
Half transitive (448)

Model notes

Each package has a daily breach probability p. With n total modeled packages, including the project itself, the chance that none are breached on a given day is (1 - p)^n.

Over d days, the chance of staying breach-free is (1 - p)^(n x d). The model treats package-days as independent, so use it as directional evidence rather than a forecast.

Formula

P(breach) = 1 - (1 - p)n x d