I scanned the top 20 npm packages. Everyone passed CVE checks, but here's what the static analysis found

Every time you run npm install , you're trusting someone else's code to run on your machine. Not eventually — right now. Postinstall hooks fire the second a package lands. No review, no prompt. I built plum to change that. It's a CLI that downloads the package tarball into memory, reads the source, and scores it before anything touches your project. I pointed it at the 20 most downloaded npm packages. The results are mostly reassuring — but a few are worth talking about. How plum works When you