Quickstart · 5 minutes

From zero to risk report

Proof of Commitment audits your npm and PyPI dependencies for supply chain risk — the exact attack profile that hit LiteLLM (March 2026) and axios (April 2026). Both were CRITICAL by these metrics before the attacks.


01

Run it now

Zero install. One command. Results in seconds.

# Audit specific packages
npx proof-of-commitment axios zod chalk

No global install: npx fetches the package, runs it once and caches it for next time. In scripts, pin a version (npx proof-of-commitment@<version>) so the auditor itself isn't a moving target. The web demo also works if you prefer a browser: getcommit.dev/audit


02

Reading your report

Each package is scored 0–100; lower is higher risk. Four signals drive the score, and a separate set of risk flags (listed below) is applied on top of it. The two are independent: in the example below all three packages score well on longevity and release cadence yet are flagged CRITICAL, because the single-maintainer flag does not depend on the score.

Example output
┌─────────────────────────────────────────────────────────────────┐
│  Supply Chain Audit — 3 packages                                │
├──────────┬──────────┬───────┬─────────────┬──────────┬─────────┤
│ Package  │ Risk     │ Score │ Maintainers │ Dls/week │ Age     │
├──────────┼──────────┼───────┼─────────────┼──────────┼─────────┤
│ axios    │ CRITICAL │  86   │ 1           │ 100M     │ 11.6y   │
│ zod      │ CRITICAL │  83   │ 1           │ 159M     │  6.1y   │
│ chalk    │ CRITICAL │  75   │ 1           │ 411M     │ 12.7y   │
└──────────┴──────────┴───────┴─────────────┴──────────┴─────────┘

⚠  3 CRITICAL packages found
   Single maintainer + >10M weekly downloads = the axios attack profile

What the score measures

Longevity 0–25 pts

How long has the package existed? Abandoned packages get reactivated for attacks.

Maintainer depth 0–15 pts

Single maintainer + millions of weekly downloads = the LiteLLM/axios attack profile: one account to phish or compromise, with millions of downstream installs pulling whatever it publishes.

Release consistency 0–20 pts

Regular releases signal active oversight. Long gaps mean fixes and security patches stop landing, so known issues accumulate.

Download trend 0–25 pts

Growing packages attract more scrutiny and attacks. Rapid adoption + single maintainer = high risk.

Risk flags

CRITICAL Single maintainer + >10M weekly downloads — the exact profile that enabled both the LiteLLM and axios attacks.
HIGH Single maintainer + >1M downloads, or package <1 year old with rapid adoption.
WARN No release in 12+ months — vulnerability window is open.
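The risk-flag rules above, reimplemented as an added example (not the project's own code) so you can compute them yourself from the public npm registry or cross-check the tool's output. It reads two real endpoints, https://registry.npmjs.org/<name> (maintainers with publish rights, first-publish and per-version timestamps) and https://api.npmjs.org/downloads/point/last-week/<name>. The RAPID_ADOPTION_WEEKLY threshold is an assumption, because the page gives no number for "rapid adoption", and the 0–100 score is deliberately not reproduced because its curves are not published here. The sample data at the bottom is constructed to match the axios row of the table.

```python
"""Recompute Proof of Commitment's risk flags from npm registry data.

Added example, not the project's own code. The CRITICAL / HIGH / WARN rules
are the ones stated on the quickstart page; RAPID_ADOPTION_WEEKLY is an
assumption (the page does not quantify "rapid adoption"), and no 0-100 score
is computed because the page does not publish the scoring curves.
"""
import json
import sys
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds taken from the page's "Risk flags" section.
CRITICAL_WEEKLY = 10_000_000
HIGH_WEEKLY = 1_000_000
STALE_DAYS = 365
# Assumption: the page never says what "rapid adoption" means numerically.
RAPID_ADOPTION_WEEKLY = 100_000


@dataclass
class PackageSignals:
    name: str
    maintainers: int          # npm accounts with publish rights
    weekly_downloads: int
    created: datetime         # first publish
    last_release: datetime    # most recent version publish


def risk_flag(p: PackageSignals, now: datetime) -> str:
    """Return CRITICAL, HIGH, WARN or OK using the page's rules.

    Rules are checked most-severe first, so a package matching several
    gets the worst one (a stale single-maintainer 20M/week package is
    CRITICAL, not WARN).
    """
    single = p.maintainers == 1
    age = now - p.created
    if single and p.weekly_downloads > CRITICAL_WEEKLY:
        return "CRITICAL"
    young_and_growing = (age < timedelta(days=365)
                         and p.weekly_downloads > RAPID_ADOPTION_WEEKLY)
    if (single and p.weekly_downloads > HIGH_WEEKLY) or young_and_growing:
        return "HIGH"
    if now - p.last_release > timedelta(days=STALE_DAYS):
        return "WARN"
    return "OK"


def _parse(ts: str) -> datetime:
    # Registry timestamps look like "2014-08-29T23:08:36.810Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def signals_from_registry(name: str, doc: dict, downloads: dict) -> PackageSignals:
    """Map a registry packument and a downloads response to PackageSignals.

    doc: JSON from https://registry.npmjs.org/<name>
    downloads: JSON from https://api.npmjs.org/downloads/point/last-week/<name>
    """
    times = doc["time"]
    # Keep only version timestamps; "created"/"modified" are bookkeeping keys.
    version_times = [v for k, v in times.items() if k not in ("created", "modified")]
    return PackageSignals(
        name=name,
        maintainers=len(doc.get("maintainers", [])),
        weekly_downloads=int(downloads["downloads"]),
        created=_parse(times["created"]),
        last_release=max(_parse(t) for t in version_times),
    )


def fetch_npm(name: str) -> PackageSignals:
    """Live lookup over the network; not used by the offline sample."""
    with urllib.request.urlopen(f"https://registry.npmjs.org/{name}", timeout=20) as r:
        doc = json.load(r)
    with urllib.request.urlopen(
            f"https://api.npmjs.org/downloads/point/last-week/{name}", timeout=20) as r:
        dl = json.load(r)
    return signals_from_registry(name, doc, dl)


# Constructed sample mirroring the page's axios row: 1 maintainer, 100M/week, ~11.6y old.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE_DOC = {
    "maintainers": [{"name": "sole-maintainer", "email": "sole@example.invalid"}],
    "time": {
        "created": "2014-09-20T00:00:00.000Z",
        "modified": "2026-04-20T00:00:00.000Z",
        "1.0.0": "2014-09-20T00:00:00.000Z",
        "2.0.0": "2026-04-20T00:00:00.000Z",
    },
}
SAMPLE_DL = {"downloads": 100_000_000, "start": "2026-04-23",
             "end": "2026-04-29", "package": "axios"}

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python flags.py axios  -> live lookup
        p = fetch_npm(sys.argv[1])
        print(p.name, risk_flag(p, datetime.now(timezone.utc)))
    else:                                       # offline constructed sample
        p = signals_from_registry("axios", SAMPLE_DOC, SAMPLE_DL)
        print(p.name, risk_flag(p, NOW))
```

Run it with no arguments for the offline sample, or pass a package name for a live lookup. The registry's maintainers list counts npm accounts that can publish, which is the signal that matters for account takeover; it says nothing about how many people contribute on GitHub, so a busy repo can still be a one-account package.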

03

Add to CI

One workflow file. Auto-detects your dependencies. Posts the audit table as a PR comment, updated in place on re-run rather than adding a new comment each time. Two things to know before you copy it: the paths filters mean the workflow only runs when package.json or requirements.txt change, so a PR that touches only a lockfile won't trigger it (extend the lists if you want that); and pull requests from forks get a read-only GITHUB_TOKEN, so comment-on-pr cannot post on those, although the Step Summary and outputs still work.

name: Supply Chain Audit

on:
  push:
    branches: [main]
    paths: [package.json, requirements.txt]
  pull_request:
    paths: [package.json, requirements.txt]

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # for checkout; listing any permission sets the unlisted ones to none
      pull-requests: write   # needed for PR comments
    steps:
      - uses: actions/checkout@v4

      - name: Commit Supply Chain Audit
        uses: piiiico/proof-of-commitment@main   # pin to a release tag or commit SHA once you've vetted it
        with:
          fail-on-critical: false   # true fails the job on CRITICAL; make the check required to block merges
          comment-on-pr: true       # posts audit table on the PR, updates on re-run

What you get

  • PR comment with the full audit table — auto-updated on re-run
  • GitHub Step Summary with risk breakdown
  • Output variables: has-critical, critical-count, audit-summary
  • Optional: fail-on-critical: true fails the job when CRITICAL packages are found; make the check required in branch protection to turn that into a merge block
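Consuming the outputs, as an added example that is not on the page or in the project's own docs: the audit step gets an id and a later step gates on has-critical, so the gating logic and message are yours to shape rather than the action's. Two assumptions: has-critical is the string 'true' when CRITICAL packages are found (action outputs are always strings; the page does not show the exact value), and the outputs are passed through env rather than interpolated into the script, because audit-summary carries package names taken from the PR's own manifest and `${{ }}` inside run: is a script-injection sink.

```yaml
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4

      - name: Commit Supply Chain Audit
        id: audit                                # needed to reference the outputs below
        uses: piiiico/proof-of-commitment@main
        with:
          fail-on-critical: false                # gate in the step below instead
          comment-on-pr: true

      - name: Block on CRITICAL packages
        # Assumption: has-critical is the string 'true' (the page lists the name, not the value)
        if: steps.audit.outputs.has-critical == 'true'
        env:
          # Pass outputs via env, never inline ${{ }} into run: - package names come from the PR
          CRITICAL_COUNT: ${{ steps.audit.outputs.critical-count }}
          AUDIT_SUMMARY: ${{ steps.audit.outputs.audit-summary }}
        run: |
          echo "::error::${CRITICAL_COUNT} CRITICAL package(s) found"
          printf '%s\n' "$AUDIT_SUMMARY"
          exit 1
```

Keep fail-on-critical false when you gate this way, otherwise the audit step fails first and the custom step never runs. The same env-passing discipline applies to any step that echoes audit-summary into a comment or log.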

04

Use with Claude, Cursor, or Windsurf

The MCP server lets your AI assistant audit dependencies on demand — no install, no API key. Add it once to your MCP config, then ask naturally.

Claude Desktop / Cursor / Windsurf config
{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

Then ask:

"Audit my package.json for supply chain risk"
"Which of axios, zod, chalk is highest risk?"
"Is vercel/ai actively maintained?"

7 MCP tools available: dependency auditing, single package lookup, GitHub repo scoring, and Norwegian business registry. Full reference →


Ready to go deeper?

Full API reference, response schema, rate limits, and REST examples.