Automated snapshot for report #002. The DepScope index tracks 22,588 packages and 632 vulnerabilities as of 2026-04-20. See report #001 for methodology.
Health distribution
| Bucket | Count |
|---|---|
| Critical (< 40) | 3,564 |
| Poor (40–59) | 9,388 |
| Fair (60–79) | 7,229 |
| Good (80+) | 2,389 |
| Unknown | 18 |
Popular but vulnerable
| Ecosystem | Package | Vulns | Weekly |
|---|---|---|---|
| npm | next | 42 | 34,757,357 |
| npm | angular | 9 | 524,838 |
| conda | numpy | 8 | 425,437 |
| pypi | lmdb | 5 | 893,100 |
| pypi | paddlepaddle | 5 | 370,918 |
| pypi | vllm | 4 | 3,139,157 |
| pypi | composio-core | 4 | 102,346 |
| pypi | Pillow | 3 | 108,511,966 |
| pypi | pillow | 3 | 108,511,966 |
| conda | pillow | 3 | 235,364 |
| cargo | rust-crypto | 3 | 216,521 |
| pypi | pip | 2 | 128,105,971 |
| npm | react | 2 | 125,187,902 |
| npm | eslint-plugin-prettier | 2 | 27,258,312 |
| pypi | ujson | 2 | 21,698,954 |
Zombie packages
| Package | Weekly | Why |
|---|---|---|
| mimic-fn | 104,431,747 | Renamed to mimic-function |
| pkg-dir | 78,705,523 | Renamed to `package-directory`. |
| path-is-absolute | 76,082,652 | This package is no longer relevant as Node.js 0.12 is unmaintained. |
| find-cache-dir | 42,672,386 | Renamed to `find-cache-directory`. |
| @types/uuid | 37,184,147 | This is a stub types definition. uuid provides its own type definitions, so you do not need this installed. |
| read-pkg-up | 36,291,504 | Renamed to read-package-up |
| node-domexception | 35,298,273 | Use your platform's native DOMException instead |
| no-case | 34,918,820 | Use `change-case` |
| p-finally | 29,798,243 | Deprecated |
| camel-case | 28,182,607 | Use `change-case` |
| param-case | 27,221,685 | Use `change-case` |
| pascal-case | 24,504,886 | Use `change-case` |
| os-tmpdir | 24,464,495 | This is not needed anymore. `require('os').tmpdir()` in Node.js 4 and up is good. |
| snake-case | 20,292,295 | Use `change-case` |
| lodash.isequal | 19,136,778 | This package is deprecated. Use require('node:util').isDeepStrictEqual instead. |
Worst health, popular
| Package | Health | Weekly |
|---|---|---|
| angular | 8 | 524,838 |
| level-concat-iterator | 16 | 571,283 |
| user-home | 17 | 2,683,639 |
| trim-right | 17 | 3,089,154 |
| crypto | 17 | 1,537,680 |
| bin-version-check | 20 | 4,092,095 |
| path-is-absolute | 20 | 76,082,652 |
| scmp | 20 | 3,755,528 |
| yaeti | 20 | 1,263,002 |
| p-finally | 20 | 29,798,243 |
Ecosystem comparison
| Ecosystem | Packages | Avg health | Deprecated |
|---|---|---|---|
| conda | 127 | 69.3 | 0 |
| pub | 169 | 68.0 | 2 |
| composer | 912 | 64.2 | 25 |
| npm | 11,831 | 60.5 | 203 |
| pypi | 3,482 | 57.8 | 5 |
| nuget | 715 | 56.1 | 23 |
| rubygems | 1,263 | 54.7 | 0 |
| cargo | 1,272 | 49.6 | 41 |
| hex | 302 | 48.5 | 69 |
| go | 422 | 46.5 | 1 |
| maven | 502 | 42.3 | 0 |
| cran | 309 | 42.0 | 0 |
| cpan | 477 | 41.0 | 0 |
| cocoapods | 139 | 40.7 | 0 |
| hackage | 300 | 39.7 | 0 |
| swift | 58 | 33.7 | 2 |
| homebrew | 290 | 31.1 | 2 |