April 2026 Report
What 11,400+ packages tell us about the software supply chain
Published by DepScope
An analysis of 11,400+ packages across npm, PyPI, and Cargo reveals that 54% of widely-used packages fall into “caution” or “critical” health categories. Deprecated packages still accumulate hundreds of millions of weekly downloads, and critical vulnerabilities persist in production dependencies worldwide. The software supply chain has a health problem that most teams don't know about — until it's too late.
54% of analyzed packages scored “caution” or “critical” — 6,213 out of 11,400+ packages present measurable risk to downstream consumers.
Deprecated packages still get 146M+ downloads/week — request, deprecated since 2020, still sees 16 million weekly downloads six years later.
ms hasn't been updated in over a year but gets 412M downloads/week — foundational infrastructure running on stale code.
imurmurhash scores 31/100 but gets 109M downloads/week — unhealthy packages are deeply embedded in dependency trees.
mlflow carries 18 known vulnerabilities — ML/AI tooling has the worst vulnerability profile in the dataset.
npm leads in health scores (60.5 avg), followed by PyPI (57.6) and Cargo (50.8) — ecosystem culture matters.
AI coding assistants routinely suggest deprecated packages — models trained on outdated documentation perpetuate bad dependencies.
We scored 11,400+ packages on a 0–100 scale built from six weighted signals: maintenance activity (including release cadence), vulnerability exposure, community health, deprecation status, documentation quality, and ecosystem signals.
| Category | Score Range | Count | % of Total |
|---|---|---|---|
| Healthy | 75–100 | 675 | 17.7% |
| Moderate | 50–74 | 1,583 | 41.5% |
| Caution | 25–49 | 1,341 | 35.1% |
| Critical | 0–24 | 219 | 5.7% |

The counts in this table sum to 3,818 packages, and caution plus critical is 40.8% of that total. The headline 54% figure is 6,213 packages out of the full 11,400+ sample, so the two numbers are computed over different populations and should not be read as the same statistic.
npm's higher scores reflect its mature ecosystem with active maintenance culture. Cargo's lower average (50.8) is surprising given Rust's reputation for quality, but reflects many young crates with limited maintenance history and smaller communities.
Deprecation is supposed to signal “stop using this.” In practice, it signals nothing. Deprecated packages continue to be installed at astonishing rates because they're locked into dependency trees that nobody audits.
| Package | Downloads/Week | Health | Status |
|---|---|---|---|
| pkg-dir | 80,000,000 | 37/100 | Deprecated |
| node-domexception | 35,000,000 | 31/100 | Deprecated |
| request | 16,000,000 | 35/100 | Deprecated since 2020 |
| har-validator | 15,600,000 | 33/100 | Deprecated |
request is the canonical example. Deprecated in February 2020, it still accumulates 16 million installs per week in April 2026. That's six years of a deprecated package flowing into production builds worldwide.
pkg-dir is even more striking at 80 million weekly downloads. It's a 20-line utility that was deprecated in favor of native Node.js APIs, yet the ecosystem hasn't moved.
Total weekly downloads across just these four deprecated packages: 146.6 million.
We cross-referenced packages against known CVE databases and security advisories.
| Package | Ecosystem | Vulnerabilities | Downloads/Week |
|---|---|---|---|
| mlflow | pypi | 18 | 4,200,000 |
| gradio | pypi | 11 | 2,800,000 |
| angular | npm | 9 | 3,100,000 |
| next | npm | 5 | 8,500,000 |
The ML/AI tooling problem is acute. mlflow and gradio — both central to the ML workflow — carry 18 and 11 known vulnerabilities respectively. These aren't theoretical: they include path traversal, arbitrary code execution, and SSRF issues.
next (Next.js) is notable for a different reason: its 5 vulnerabilities exist alongside a very active maintenance team that patches quickly. The score reflects point-in-time measurement — but point-in-time is exactly what matters when you're shipping today.
A package that works doesn't need constant updates. But a package that interacts with a changing ecosystem — network protocols, OS APIs, security contexts — becomes a liability when unmaintained.
| Package | Ecosystem | Downloads/Week | Health | Last Updated |
|---|---|---|---|---|
| ms | npm | 412,000,000 | 67/100 | >1 year ago |
| tslib | npm | 355,000,000 | 72/100 | >1 year ago |
| readable-stream | npm | 273,000,000 | 72/100 | >1 year ago |
| six | pypi | 231,000,000 | 65/100 | >1 year ago |
ms converts time strings (“2 days”) to milliseconds. 412 million weekly downloads. No update in over a year. It's a 50-line package that half the Node.js ecosystem depends on. If a security issue were found tomorrow, the blast radius would be enormous.
six is a Python 2/3 compatibility layer. Python 2 reached end-of-life in January 2020. Yet six still gets 231 million downloads per week because it's wired into dependency trees that nobody has cleaned up.
annotated-types: 160 million weekly downloads with a health score of just 36. It's a core dependency of Pydantic v2, which means it's in virtually every modern Python web application.
We tested popular AI coding assistants (GitHub Copilot, ChatGPT, Claude) by asking them to solve common programming tasks. In repeated tests:
AI assistants suggested request for HTTP calls in Node.js completions — a package deprecated for 6 years.
AI assistants suggested moment over dayjs or native Intl in date-handling tasks — despite moment being in maintenance mode since 2020.
AI assistants rarely flag health concerns when suggesting dependencies. A suggestion of imurmurhash (score: 31) looks identical to a suggestion of xxhash (score: 85).
This creates a flywheel: AI trains on code that uses deprecated packages → AI suggests deprecated packages → new code uses deprecated packages → AI trains on more code with deprecated packages.
The fix isn't to blame AI. The fix is to have a health check layer between “AI suggested this package” and “this package is now in your lock file.” That's what DepScope does.
DepScope's health score (0–100) is computed from six weighted signals:
| Signal | Weight | What It Measures |
|---|---|---|
| Maintenance Activity | 25% | Commit frequency, release cadence, time since last release |
| Vulnerability Exposure | 25% | Known CVEs, advisory count, severity-weighted score |
| Community Health | 15% | Contributors, issue response time, bus factor |
| Deprecation Status | 15% | Explicit deprecation flags, successor availability |
| Documentation Quality | 10% | README completeness, API docs, changelog presence |
| Ecosystem Signals | 10% | Dependent count, download trend direction, TypeScript support (npm) |
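As an added worked example (not DepScope's own code), here is how six per-signal subscores can be combined with the weights in the table above and bucketed into the Healthy/Moderate/Caution/Critical ranges used earlier. Only the weights and the category thresholds come from this report; the functions that turn raw facts (days since the last release, advisory severities, contributor count, dependent count, README and changelog presence) into 0–100 subscores are illustrative assumptions, and the three sample packages are constructed.

```python
"""Added example: a six-signal weighted health score in the shape of DepScope's table."""
import math
from dataclasses import dataclass

# Weights copied from the signal table; every subscore mapping below is an
# assumption made for this example, not DepScope's published normalization.
WEIGHTS = {
    "maintenance": 0.25,
    "vulnerability": 0.25,
    "community": 0.15,
    "deprecation": 0.15,
    "documentation": 0.10,
    "ecosystem": 0.10,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

# Assumed penalty per open advisory, by severity label.
SEVERITY_PENALTY = {"critical": 20, "high": 10, "moderate": 4, "low": 1}


@dataclass
class PackageFacts:
    days_since_release: int
    advisories: list        # severity labels of open advisories
    deprecated: bool
    contributors: int
    has_readme: bool
    has_changelog: bool
    dependents: int


def maintenance_subscore(days_since_release: int) -> float:
    """Assumed: full marks within 90 days, linear decay to 0 at two years."""
    if days_since_release <= 90:
        return 100.0
    return max(0.0, 100.0 * (730 - days_since_release) / (730 - 90))


def vulnerability_subscore(advisories: list) -> float:
    """Assumed: severity-weighted penalty subtracted from 100, floored at 0."""
    penalty = sum(SEVERITY_PENALTY.get(sev, 4) for sev in advisories)
    return max(0.0, 100.0 - penalty)


def community_subscore(contributors: int) -> float:
    """Assumed: 10 points per contributor, capped at 100 (a crude bus-factor proxy)."""
    return min(100.0, 10.0 * contributors)


def deprecation_subscore(deprecated: bool) -> float:
    """An explicit deprecation flag zeroes this signal; otherwise full marks."""
    return 0.0 if deprecated else 100.0


def documentation_subscore(has_readme: bool, has_changelog: bool) -> float:
    """Assumed split: README is worth 60 points, a changelog 40."""
    return 60.0 * has_readme + 40.0 * has_changelog


def ecosystem_subscore(dependents: int) -> float:
    """Assumed: log-scale credit for being widely depended upon, capped at 100."""
    return min(100.0, 20.0 * math.log10(dependents + 1))


def health_score(p: PackageFacts) -> int:
    """Weighted sum of the six subscores, rounded to an integer 0-100."""
    subscores = {
        "maintenance": maintenance_subscore(p.days_since_release),
        "vulnerability": vulnerability_subscore(p.advisories),
        "community": community_subscore(p.contributors),
        "deprecation": deprecation_subscore(p.deprecated),
        "documentation": documentation_subscore(p.has_readme, p.has_changelog),
        "ecosystem": ecosystem_subscore(p.dependents),
    }
    return round(sum(WEIGHTS[k] * v for k, v in subscores.items()))


def category(score: int) -> str:
    """Buckets from the score-range table in this report."""
    if score >= 75:
        return "Healthy"
    if score >= 50:
        return "Moderate"
    if score >= 25:
        return "Caution"
    return "Critical"


# Constructed sample packages (not real data from the report).
STALE_UTILITY = PackageFacts(400, [], False, 12, True, False, 100_000)
DEPRECATED_CLIENT = PackageFacts(2200, ["moderate", "moderate"], True, 5, True, True, 5_000)
ML_TOOL = PackageFacts(20, ["critical"] * 3 + ["high"] * 6 + ["moderate"] * 9, False, 300, True, True, 2_000)

if __name__ == "__main__":
    for name, facts in [("stale utility", STALE_UTILITY),
                        ("deprecated client", DEPRECATED_CLIENT),
                        ("ML tool, 18 advisories", ML_TOOL)]:
        s = health_score(facts)
        print(f"{name:<24} {s:>3}/100  {category(s)}")
```

One thing the arithmetic makes visible: with linear weights, an explicit deprecation flag alone costs at most 15 points, and even a vulnerability signal driven all the way to zero costs at most 25. A package lands in caution or critical only when several signals are weak at once, which is why the deprecated packages in the tables above sit in the 30s rather than the 80s.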
Packages were sampled from the top 3,000 most-downloaded in each ecosystem plus a broad sample of mid-tier packages. Data was collected through April 2026. The full dataset is queryable at depscope.dev.
Run your lock file through depscope.dev and see which packages score below 50.
Decide as a team: “No new dependency below score 60” — and enforce it in CI.
Use npm ls request to print the dependency chains that pull request into your tree, or pip show six and read its Required-by line to see which installed packages depend on it.
Before npm install <new-thing>, spend 10 seconds at depscope.dev.
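To make the “no new dependency below score 60” rule, and the health-check layer between an AI suggestion and your lock file, concrete, here is an added example (not DepScope's code) of a CI gate over an npm package-lock.json in the lockfileVersion 3 layout. The lock file, the baseline of already-reviewed packages and the score table are all constructed here; in a real pipeline the scores would be looked up from depscope.dev, whose API shape this report does not document, so the SCORES dictionary stands in for that lookup. The legacy-cli package is hypothetical. who_requires reproduces what npm ls <pkg> shows: the chains of dependencies that pull a package in.

```python
"""Added example: fail CI when a newly added npm dependency is deprecated or scores too low."""
import json

# Constructed sample package-lock.json (lockfileVersion 3): the keys of "packages"
# are install paths and "" is the root project. "legacy-cli" is hypothetical and
# the "deprecated" strings are constructed for this example.
SAMPLE_LOCK = json.loads(r'''{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"next": "14.2.0", "pkg-dir": "8.0.0", "legacy-cli": "1.0.0"}},
    "node_modules/next": {"version": "14.2.0", "dependencies": {"ms": "2.1.3"}},
    "node_modules/ms": {"version": "2.1.3"},
    "node_modules/pkg-dir": {"version": "8.0.0", "dependencies": {"find-up": "6.3.0"}},
    "node_modules/find-up": {"version": "6.3.0"},
    "node_modules/legacy-cli": {"version": "1.0.0", "dependencies": {"request": "2.88.2"}},
    "node_modules/request": {"version": "2.88.2", "deprecated": "request has been deprecated",
                             "dependencies": {"har-validator": "5.1.5"}},
    "node_modules/har-validator": {"version": "5.1.5", "deprecated": "this library is no longer supported"}
  }
}''')

# Constructed score table standing in for a depscope.dev lookup. The values for
# pkg-dir, request, har-validator and ms are the ones quoted in this report; the
# rest are assumed for the example.
SCORES = {"pkg-dir": 37, "request": 35, "har-validator": 33, "ms": 67,
          "next": 78, "find-up": 70, "legacy-cli": 55}

# Packages that were already present in the previous, reviewed lock file.
BASELINE = {"next", "ms", "pkg-dir", "find-up"}


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles scoped and nested installs)."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(lock: dict, from_path: str, dep: str):
    """Node resolution: nearest node_modules/<dep>, walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in lock["packages"]:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def who_requires(lock: dict, target: str) -> list:
    """Dependency chains from the root project down to `target`, like `npm ls target`."""
    pkgs = lock["packages"]
    chains = []

    def walk(path, chain, seen):
        for dep in pkgs.get(path, {}).get("dependencies", {}):
            dep_path = resolve(lock, path, dep)
            if dep_path is None or dep_path in seen:   # unresolved or cycle
                continue
            if dep == target:
                chains.append(chain + [dep])
            walk(dep_path, chain + [dep], seen | {dep_path})

    walk("", [], frozenset())
    return chains


def gate(lock: dict, scores: dict, baseline: set, threshold: int = 60) -> list:
    """Return (name, score, reason) for every package not in `baseline` that fails policy."""
    findings = {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        name = package_name(path)
        if name in baseline or name in findings:
            continue
        score = scores.get(name)
        if meta.get("deprecated"):
            findings[name] = (name, score, f"deprecated: {meta['deprecated']}")
        elif score is None:
            findings[name] = (name, None, "no health score available; review manually")
        elif score < threshold:
            findings[name] = (name, score, f"health score {score} is below {threshold}")
    return [findings[n] for n in sorted(findings)]


if __name__ == "__main__":
    import sys
    failures = gate(SAMPLE_LOCK, SCORES, BASELINE)
    for name, score, reason in failures:
        via = " / ".join(" > ".join(chain) for chain in who_requires(SAMPLE_LOCK, name))
        print(f"{name:<14} {reason:<44} pulled in via: {via}")
    sys.exit(1 if failures else 0)
```

Run against the sample, the gate lets the reviewed packages through, fails legacy-cli on score alone, and fails request and har-validator because they carry a deprecation notice regardless of score. Pointing the baseline at the lock file on your main branch and the lock under review at the pull request's file is what turns the “no new dependency below 60” decision into something CI enforces rather than something a reviewer has to remember.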
DepScope is free and open. No signup, no API key. Check any package in any ecosystem in milliseconds.
This report was produced by DepScope, an open package health intelligence platform. The underlying data is available for independent verification. For press inquiries, additional data, or custom analysis: [email protected]