npm.tax

Model the risk of a supply-chain compromise in an npm dependency tree, explore scenarios, and share a report to convince your boss that you're sitting ducks.

Package report for @clack/prompts

@clack/prompts has a 0.309% modeled chance of at least one package compromise in 1 year.

Expected time to breach
323 years

For @clack/prompts, this scenario uses 6 modeled packages (the package itself + 4 direct + 1 transitive) and a 1.41e-6 daily per-package breach probability.

Adjust parameters below to see how they affect overall risk.

Dependency iceberg

Dependency iceberg showing 4 direct dependencies above 1 transitive dependency.

Direct: 4
Transitive: 1

0.0514% additional modeled probability from the below-surface tree.

Modeled surface: 6 (includes the package itself)

Look up a real package's risk

Pull dependency counts from npm and npmx, then use them as the starting point for the scenario.

Tune the model

Direct dependencies: 4 (slider range 0 to 200)
Transitive dependencies: 1 (slider range 0 to 5000)
Horizon: 1yr (slider range 1d to 3yr)
Daily per-package breach probability: 1.41e-6 (slider range 1e-8 (~0.00037%/yr) to 1e-3 (~30.6%/yr))

About the default

Default dependency counts use Table 2 from Pinning Is Futile: a median GitHub npm project has 23 direct and 848 transitive dependencies when development dependencies are included. The daily per-package probability is still a scenario assumption.

Cumulative breach probability

The full tree is the risk line. The dashed lines show how much direct dependencies alone understate the surface area.

1 year horizon

Line chart showing cumulative breach probability over time (x axis: days, 0d to 365d; y axis: breach probability, 0% to 100%) for three series:
All 6 packages
Package + direct (5)
Half transitive (6)

Model notes

Each package has a daily breach probability p. With n total modeled packages, including the package itself, the chance that none are breached on a given day is (1 - p)^n.

Over d days, the chance of staying breach-free is (1 - p)^(n x d). The model treats package-days as independent, so use it as directional evidence rather than a forecast.

Formula

P(breach) = 1 - (1 - p)^(n × d)
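The model above, carried through in code as an added example (this is not the site's own implementation). It uses the page's @clack/prompts parameters and the Pinning Is Futile defaults; the expected-time figure is computed as the mean of a geometric distribution over days, which is an assumption about how the site derives that number.

```python
import math

# Scenario parameters taken from the page's @clack/prompts report.
DAILY_P = 1.41e-6      # daily per-package breach probability (scenario assumption)
DIRECT, TRANSITIVE = 4, 1
DAYS_PER_YEAR = 365


def breach_probability(p: float, n: int, days: int) -> float:
    """P(at least one of n packages is breached within `days`) = 1 - (1 - p)^(n*days).

    Uses log1p/expm1 so tiny p values do not lose precision in (1 - p).
    """
    return -math.expm1(n * days * math.log1p(-p))


def expected_days_to_breach(p: float, n: int) -> float:
    """Mean of a geometric distribution: 1 / P(at least one breach on a given day).

    Assumption: this is how the site's 'expected time to breach' is derived.
    """
    daily_any = -math.expm1(n * math.log1p(-p))
    return math.inf if daily_any == 0 else 1.0 / daily_any


def annual_from_daily(p: float) -> float:
    """Convert a per-day probability to a per-year one (matches the slider labels)."""
    return breach_probability(p, 1, DAYS_PER_YEAR)


def scenario_report(p: float, direct: int, transitive: int, days: int) -> dict:
    """Summarise one scenario the way the page's report does."""
    n = 1 + direct + transitive                     # the package itself counts too
    full = breach_probability(p, n, days)
    direct_only = breach_probability(p, 1 + direct, days)
    return {
        "packages": n,
        "p_full_tree": full,
        "p_package_plus_direct": direct_only,
        "p_added_by_transitive": full - direct_only,  # what the iceberg hides
        "expected_years": expected_days_to_breach(p, n) / DAYS_PER_YEAR,
    }


if __name__ == "__main__":
    for label, d, t in [("@clack/prompts", DIRECT, TRANSITIVE),
                        ("median project (Pinning Is Futile, Table 2)", 23, 848)]:
        r = scenario_report(DAILY_P, d, t, DAYS_PER_YEAR)
        print(f"{label}: n={r['packages']}, 1-year P={r['p_full_tree']:.3%}, "
              f"direct-only P={r['p_package_plus_direct']:.3%}, "
              f"expected time {r['expected_years']:.0f} years")
```

Running it reproduces the report's roughly 0.3% one-year figure and 323-year expected time, and shows how the same daily probability applied to the median project's 872 packages pushes one-year risk into the tens of percent.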