Package Score
The package score rule flags packages whose overall score falls below a configurable threshold. This provides a holistic quality signal that factors in maintenance, code quality, known vulnerabilities, and supply chain risk.
What it detects
Each package is assigned a composite score from 0 (highest risk) to 1 (lowest risk). The score aggregates multiple signals:
| Signal | What it measures |
|---|---|
| Supply chain risk | Dependency chain complexity, known vulnerable transitive deps |
| Quality | Code quality indicators, test coverage signals |
| Maintenance | Recent commit activity, issue response time, release frequency |
| Vulnerability | Known CVEs and security advisories |
| License | License compatibility and risk |
When a package's overall score falls below your configured threshold, all versions of that package are flagged.
How it works
- When a package is requested, nproxy queries its threat intelligence API for the package's score (results are cached for 24 hours)
- For each version, if the overall score is below the configured threshold, that version is flagged
- In block mode, flagged versions are stripped from the packument. In warn mode, the install proceeds normally with a warning logged
Configuration
| Setting | Value |
|---|---|
| Default level (Free) | off |
| Default level (Pro) | warn |
| Parameter: threshold | Minimum acceptable score (0 to 1). Default: 0.4 |
Adjusting the threshold
Set the threshold parameter in the dashboard under Rules > Package Score:
- 0.2 — Very permissive. Only flags packages with serious quality or security concerns.
- 0.4 (default) — Balanced. Flags packages that are notably below average.
- 0.6 — Stricter. Flags a larger number of packages, including some that are simply unmaintained.
- 0.8 — Very strict. Will flag many commonly used packages. Only recommended for high-security environments.
Fail-open behavior
If the threat intelligence service is unreachable, the rule fails open — no packages are flagged by this rule. Scores are cached for 24 hours to minimize latency.
Limitations
- The score applies to the package as a whole, not to individual versions. All versions of a package have the same score. This means you cannot use this rule to allow an older version of a low-scoring package while blocking newer ones.
- Scores change over time as packages are re-evaluated. A package that scores 0.5 today might score 0.3 next month if it becomes unmaintained.
- Newly published packages may not yet have a score. Packages without scores are not flagged by this rule (they effectively score 1.0).
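The behaviour described under "How it works", "Fail-open behavior" and the limitations above, as an added example that is not nproxy's own code: the score lookup, the 24-hour cache, the "unreachable service flags nothing" and "unscored package counts as 1.0" cases, and the difference between warn and block mode. The packument shape is the public npm registry format; every function and field name here is an assumption.

```javascript
// Added example, not nproxy's own code: a minimal model of the package score
// rule applied to an npm packument. Function and field names are assumptions.
// Constructed sample packument with three published versions.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '2.0.0' },
  versions: {
    '1.0.0': { name: 'example-pkg', version: '1.0.0' },
    '1.1.0': { name: 'example-pkg', version: '1.1.0' },
    '2.0.0': { name: 'example-pkg', version: '2.0.0' },
  },
};

// Time-to-live cache (24 h by default) around a score lookup; `now` is injectable.
function cachedLookup(lookupScore, ttlMs = 24 * 60 * 60 * 1000, now = Date.now) {
  const cache = new Map();
  return (name) => {
    const hit = cache.get(name);
    if (hit && now() - hit.at < ttlMs) return hit.score;
    const score = lookupScore(name);
    cache.set(name, { score, at: now() });
    return score;
  };
}

// Apply the rule. `lookupScore(name)` returns a score in [0, 1], null when the
// package has not been scored yet, or throws when the service is unreachable.
function applyPackageScoreRule(packument, lookupScore, { threshold = 0.4, mode = 'warn' } = {}) {
  let score;
  try {
    score = lookupScore(packument.name);
  } catch (err) {
    // Fail open: scoring service unreachable, so this rule flags nothing.
    return { packument, flagged: [], warnings: [], score: null, failedOpen: true };
  }
  // Unscored packages are treated as 1.0 and never flagged.
  const effective = score == null ? 1.0 : score;
  // The score is package-wide, so either every version is flagged or none is.
  const flagged = effective < threshold ? Object.keys(packument.versions) : [];
  const warnings = flagged.map((v) => `package-score: ${packument.name}@${v} scored ${effective} < ${threshold}`);
  if (mode !== 'block' || flagged.length === 0) {
    return { packument, flagged, warnings, score: effective, failedOpen: false };
  }
  // Block mode: return a copy with the flagged versions stripped from `versions`.
  const versions = Object.fromEntries(
    Object.entries(packument.versions).filter(([v]) => !flagged.includes(v)));
  return { packument: { ...packument, versions }, flagged, warnings, score: effective, failedOpen: false };
}
```

Because the score is package-wide, block mode empties `versions` entirely for a low-scoring package, which is the "cannot allow an older version" limitation in practice; this model also leaves `dist-tags` untouched, so a real proxy would need to rewrite tags that point at stripped versions.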
Recommended setting
Warn on the Pro plan as a default. Start by monitoring which packages trigger the rule in your audit trail, then consider switching to block once you understand the impact on your dependency tree.
For teams new to nproxy, consider leaving this rule off initially and enabling it after you are comfortable with the other six rules. Score-based rules can be noisy for projects with large dependency trees.
Note: the package score rule is complementary to the vulnerability rule. The score rule provides a holistic package-level risk assessment, while the vulnerability rule blocks specific versions with known CVEs. Both can be enabled simultaneously for maximum coverage.