Narrative
Critical dependencies deserve visible trust
Critical but under-signaled dependency that agents should not trust blindly.
View GitHub repoLegacy risk
expressjs / express
The repo is everywhere, but market depth and formal coverage still look too shallow for the blast radius it carries.
Seeded laneseeded_lane
55trust
Operator Scenarios
Switch the room from narrative to repricing.
Live now
Exploit odds spike on Ollama
Injects a critical incident into a fast-growth repo and flips the agent verdict from review to block.
Available
LangChain funds trust aggressively
Shows how increasing the security budget and audit coverage can move a high-growth repo into the allow range.
Available
Express recovers maintainership
Demonstrates that operational discipline can rehabilitate a legacy dependency's trust profile.
Signal composition
Trust breakdown
Security Budget
47Weight 26%Confidence 74%
Stake Depth
42Weight 22%Confidence 74%
Audit Coverage
58Weight 20%Confidence 74%
Maintainer Responsiveness
61Weight 12%Confidence 90%
Incident Pressure
44Weight 12%Confidence 90%
Adoption Confidence
92Weight 8%Confidence 74%
Agent Verdict
Hold the dependency
Trust and security signals are too weak for autonomous use without stronger audit coverage or market backing.
Threshold 74Provenance
Every signal carries a disclosure label.
Critical dependency demo laneDemo Seeded
Real repo with explicit seeded signals to illustrate systemic risk.
Source linkRecent events
Trust moves when the repo moves.
Maintainer queue drifted upward
Mar 9, 2026, 10:45 AMSlower response times pushed the repo further into review territory.
Derived-3.4