CRAdarCheck

Report · 2026-07-02

State of CRA Readiness 2026

The EU Cyber Resilience Act will require manufacturers to place products on the market without known exploitable vulnerabilities. So we measured what the ecosystem actually installs today.

Weekly npm downloads landing on known-vulnerable versions, across the top 500 packages alone: 5B

Share of all downloads: 4.7% (of 106.7B weekly downloads analyzed)

Packages still installed in vulnerable versions: 55 / 500 (≥1% of their weekly installs on a vulnerable version)

Distinct known vulnerabilities involved: 166 (OSV/GHSA identifiers, many of them years old)

Where the vulnerable installs concentrate

Top packages by absolute weekly downloads onto known-vulnerable versions.

[Bar chart: the ten packages with the most weekly downloads onto known-vulnerable versions, from brace-expansion (419.7M of 750.1M, 56%) down to qs (171.5M of 259.4M, 66%); axis 0 to 419.7M. The same values appear in the table below.]
Weekly downloads landing on versions with ≥1 known vulnerability (OSV). Exact numbers in the table below.

The data

Package | Weekly downloads | On vulnerable versions | Share | Example advisories
--- | --- | --- | --- | ---
brace-expansion | 750,074,048 | 419,724,038 | 56% | GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw
minimatch | 896,555,903 | 400,695,478 | 45% | GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj
uuid | 408,237,233 | 337,733,588 | 83% | GHSA-w5hq-g745-h8pq
js-yaml | 367,920,824 | 294,123,106 | 80% | GHSA-h67p-54hq-rp68, GHSA-mh29-5h37-fv8m
picomatch | 520,694,887 | 237,204,070 | 46% | GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj
ajv | 463,768,289 | 222,405,711 | 48% | GHSA-2g4f-4pwh-qvx6
ws | 307,892,203 | 198,352,254 | 64% | GHSA-96hv-2xvq-fx4p, GHSA-58qx-3vcg-4xpx
postcss | 354,031,716 | 194,714,713 | 55% | GHSA-qx2v-qp2m-jg93, GHSA-7fh5-64p2-3v2j
form-data | 258,462,844 | 188,833,235 | 73% | GHSA-hmw2-7cc7-3qxx, GHSA-fjxv-7rqg-78g4
qs | 259,353,732 | 171,517,824 | 66% | GHSA-6rw7-vpxm-498p, GHSA-q8mj-m7cp-5q26, GHSA-w7fw-mjwx-w883
esbuild | 288,741,321 | 142,993,660 | 50% | GHSA-67mh-4wv8-2f99, GHSA-g7r4-m6w7-qqqr
lodash | 230,988,097 | 134,975,523 | 58% | GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66jc, GHSA-xxjr-mmjv-4gpg
@babel/core | 217,644,605 | 122,118,880 | 56% | GHSA-4x5r-pxfx-6jf8
yaml | 244,390,622 | 115,752,795 | 47% | GHSA-48c2-rrv3-qjmp
path-to-regexp | 251,430,478 | 113,278,782 | 45% | GHSA-37ch-88jc-xwx2, GHSA-9wv6-86v2-598j, GHSA-rhx6-c78j-4q9w
semver | 1,179,730,215 | 107,030,243 | 9% | GHSA-c2qf-rxjj-qqgw
@opentelemetry/core | 129,959,049 | 101,455,296 | 78% | GHSA-8988-4f7v-96qf
tar | 126,702,483 | 98,239,646 | 78% | GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx, GHSA-8qq5-rm4j-mr97
axios | 170,659,739 | 96,592,167 | 57% | GHSA-3g43-6gmg-66jw, GHSA-3p68-rc4w-qgx5, GHSA-43fc-jf86-j433
diff | 179,060,729 | 94,945,116 | 53% | GHSA-73rr-hh4g-fpgx

Share is the vulnerable-version downloads divided by the package's weekly downloads, rounded to whole percent.

These are not obscure packages; they are the infrastructure of modern software. Old versions stay pinned in lockfiles and CI images for years, while every advisory listed above is public and already fixed in newer releases.

The counterpoint that makes it worse

We also resolved what a fresh install of each top package would fetch today (latest version plus its direct dependencies): 0 of 681 resolved versions carried a known vulnerability. The maintainers have done their job. The vulnerable downloads above are overwhelmingly old versions that shipped products are still pulling through pinned lockfiles, abandoned apps and unmaintained CI, which is exactly the software the Cyber Resilience Act holds manufacturers accountable for. One caveat: a download onto a version with an advisory shows a known vulnerability is present, not that it is exploitable in a given product; that depends on how the package is used and requires individual assessment.
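The two checks behind these numbers, as an added example (this is not CRAdar's code): a per-version download share computed the way the table above presents it, and a package-lock.json scan that flags a pinned vulnerable version even when a current copy sits at the top level, the pattern the counterpoint describes. It assumes advisories in the OSV schema shape (affected[].package, SEMVER ranges with introduced/fixed/last_affected events, optional explicit versions) and per-version download counts as input; the advisory IDs, the package name example-lib, the counts and the lockfile are constructed fixtures, not real data, and live inputs would come from OSV.dev and the npm registry.

```javascript
// Added example, not CRAdar's code. Offline version of two checks:
//  (1) vulnerableShare: fraction of a package's weekly downloads landing on
//      versions matched by OSV advisories (the metric in the table above);
//  (2) scanLockfile: does a package-lock.json pin such a version anywhere,
//      nested copies included, which is how old versions keep being pulled.
// Assumptions: OSV schema shape for advisories, per-version download counts.
// All fixtures are CONSTRUCTED; "SAMPLE-000x" and "example-lib" are placeholders.

// Parse "1.2.3" or "1.2.3-beta.1" (optional leading "v"; build metadata ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its release, as in semver.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// OSV SEMVER ranges: an "introduced" event opens an affected interval; the next
// "fixed" (exclusive) or "last_affected" (inclusive) event closes it.
// introduced "0" means "from the first version"; an unclosed interval is open-ended.
function versionInRange(version, range) {
  const atOrAfter = (open) => open === "0" || compareVersions(version, open) >= 0;
  let open = null;
  for (const ev of range.events) {
    if (ev.introduced !== undefined) { open = ev.introduced; continue; }
    if (open === null) continue;
    if (ev.fixed !== undefined && atOrAfter(open) && compareVersions(version, ev.fixed) < 0) return true;
    if (ev.last_affected !== undefined && atOrAfter(open) && compareVersions(version, ev.last_affected) <= 0) return true;
    open = null;
  }
  return open !== null && atOrAfter(open);
}

// IDs of all advisories matching name@version in the npm ecosystem.
function advisoriesFor(name, version, advisories) {
  const ids = [];
  for (const adv of advisories) {
    const hit = adv.affected.some(aff =>
      aff.package.ecosystem === "npm" && aff.package.name === name &&
      ((aff.versions ?? []).includes(version) ||
       (aff.ranges ?? []).some(r => r.type === "SEMVER" && versionInRange(version, r))));
    if (hit) ids.push(adv.id);
  }
  return ids;
}

// The report's metric: downloads onto matched versions / all downloads.
function vulnerableShare(name, downloadsByVersion, advisories) {
  let total = 0, vulnerable = 0;
  const ids = new Set();
  for (const [version, count] of Object.entries(downloadsByVersion)) {
    total += count;
    const hits = advisoriesFor(name, version, advisories);
    if (hits.length) { vulnerable += count; hits.forEach(id => ids.add(id)); }
  }
  return { name, total, vulnerable, share: total ? vulnerable / total : 0, advisories: [...ids].sort() };
}

// package-lock.json v2/v3: keys of "packages" are install paths. The text after the
// last "node_modules/" is the package name (scoped names included), so an older
// nested copy under another dependency is reported on its own.
function scanLockfile(lock, advisories) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue;
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // workspace entry, not a registry package
    const name = path.slice(idx + "node_modules/".length);
    const hits = advisoriesFor(name, entry.version, advisories);
    if (hits.length) findings.push({ path, name, version: entry.version, advisories: hits });
  }
  return findings;
}

// Constructed fixtures (placeholder IDs, not real advisories).
const SAMPLE_ADVISORIES = [
  { id: "SAMPLE-0001", affected: [{ package: { ecosystem: "npm", name: "example-lib" },
    ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.4.2" }] }] }] },
  { id: "SAMPLE-0002", affected: [{ package: { ecosystem: "npm", name: "example-lib" },
    ranges: [{ type: "SEMVER", events: [{ introduced: "2.0.0" }, { fixed: "2.1.0" },
                                         { introduced: "3.0.0" }, { fixed: "3.0.3" }] }] }] },
];
// Constructed per-version weekly downloads for example-lib (1000 in total).
const SAMPLE_DOWNLOADS = { "1.3.0": 400, "1.4.2": 250, "2.0.5": 150, "2.1.0": 100, "3.0.1-beta.1": 50, "3.0.3": 50 };
// Constructed lockfile: top-level example-lib is current, the nested copy is not.
const SAMPLE_LOCK = { name: "sample-app", lockfileVersion: 3, packages: {
  "": { name: "sample-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "2.1.0" },
  "node_modules/some-tool": { version: "5.2.0" },
  "node_modules/some-tool/node_modules/example-lib": { version: "1.3.0" },
  "node_modules/@scope/other": { version: "0.9.0" },
} };

const share = vulnerableShare("example-lib", SAMPLE_DOWNLOADS, SAMPLE_ADVISORIES);
console.log(`${share.name}: ${share.vulnerable} of ${share.total} downloads (${Math.round(share.share * 100)}%) on vulnerable versions; ${share.advisories.join(", ")}`);
for (const f of scanLockfile(SAMPLE_LOCK, SAMPLE_ADVISORIES)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected by ${f.advisories.join(", ")}`);
}
```

Run it with node. The nested example-lib@1.3.0 is reported while the top-level 2.1.0 is clean: a fresh resolution would be fine, but the lockfile still ships the old copy. For a real product, feed the script the lockfile or SBOM and the OSV records for each name/version pair; a match means a known advisory is present, and whether it is exploitable in that product is the individual assessment the footer refers to.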

Why this matters after 11 September 2026

Methodology

Is your product shipping one of these?

Scan your own SBOM against the same database in 30 seconds — free, nothing stored. Then check what the CRA expects from you.


Published by CRAdar. Data: OSV.dev + npm registry, point-in-time. Educational analysis, not legal advice; advisory applicability to a specific product requires individual assessment. Press inquiries: hello@cradar.dev.