Report · 2026-07-02
State of CRA Readiness 2026
The EU Cyber Resilience Act will require manufacturers to place products on the market without known exploitable vulnerabilities. So we measured what the ecosystem actually installs today.
Weekly npm downloads landing on known-vulnerable versions, across the top 500 packages alone: 5B
Share of all downloads: 4.7% (of 106.7B weekly downloads analyzed)
Packages still installed in vulnerable versions: 55 / 500 (≥1% of their weekly installs on a vulnerable version)
Distinct known vulnerabilities involved: 166 (OSV/GHSA identifiers, many years old)
Where the vulnerable installs concentrate
Top packages by absolute weekly downloads onto known-vulnerable versions.
The data
These are not obscure packages — they are the infrastructure of modern software. Old versions stay pinned in lockfiles and CI images for years; every listed advisory is public and patched in newer releases.
The counterpoint that makes it worse
We also resolved what a fresh install of each top package would fetch today — latest version plus direct dependencies: 0 of 681 resolved versions carried a known vulnerability. The maintainers have done their job. The vulnerable downloads above are overwhelmingly old versions that shipped products are still pulling — pinned lockfiles, abandoned apps, unmaintained CI. Exactly the software the Cyber Resilience Act holds manufacturers accountable for.
Why this matters after 11 September 2026
- The CRA (Regulation (EU) 2024/2847) requires products placed on the EU market to be delivered without known exploitable vulnerabilities, and requires new ones to be handled "without delay" (Annex I).
- From 11 September 2026, manufacturers must report actively exploited vulnerabilities within 24 hours (early warning to ENISA and the designated CSIRT via the single reporting platform). From 11 December 2027, the full obligations apply and CE marking is mandatory.
- Your dependencies' vulnerabilities are yours to deal with: a manufacturer must exercise due diligence on the third-party components it integrates (Article 13(5)). If your lockfile pins one of the versions above, that is a finding you have to close, either by upgrading or by documenting why it is not exploitable in your product. Fines reach €15M or 2.5% of worldwide annual turnover, whichever is higher.
Methodology
- Package set: the top 500 npm packages by download count, taken from the npm-high-impact list; all 500 had per-version download data.
- Download data: npm registry per-version counts for the last week (api.npmjs.org). Within each package, only versions with ≥1% of its weekly downloads were analyzed, so downloads landing on vulnerable versions below that cut are not counted and the vulnerable-download figures are a lower bound.
- Vulnerability data: OSV.dev, queried per exact version on 2026-07-02.
- "Vulnerable" = the version matches ≥1 published OSV/GHSA advisory. Whether an advisory is exploitable in a given product depends on how the component is used; that assessment (VEX) is precisely what the CRA expects manufacturers to do.
- Data is a point-in-time snapshot; advisories change daily. Raw dataset and collector script available on request: hello@cradar.dev.
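The collection pipeline the bullets above describe, together with the lockfile check the CRA section asks for, as an added example in Python. This is not CRAdar's collector script, and it runs offline on constructed data: the package names, download counts, advisory IDs and the package-lock.json fragment are all placeholders. It assumes the response shapes of the two live endpoints noted in its docstring (`api.npmjs.org/versions/<name>/last-week` and OSV's `/v1/querybatch`); the `fake_osv_post` callable stands in for the real HTTP POST.

```python
"""Added example (not the report's collector script): the Methodology pipeline, run offline on constructed
placeholder data. Assumed live endpoint shapes, served here by injected callables rather than HTTP:
  GET  https://api.npmjs.org/versions/<name>/last-week -> {"downloads": {"1.2.3": 1234, ...}}
  POST https://api.osv.dev/v1/querybatch -> {"results": [{"vulns": [{"id": "GHSA-..."}]}, {}, ...]}
"""
from typing import Callable, Dict, Iterable, List, Tuple

SHARE_THRESHOLD = 0.01  # analyse only versions with >=1% of a package's weekly downloads


def candidate_versions(per_version: Dict[str, int], threshold: float = SHARE_THRESHOLD) -> Dict[str, int]:
    """Versions carrying at least `threshold` of the package's weekly downloads."""
    total = sum(per_version.values())
    return {v: n for v, n in per_version.items() if total and n / total >= threshold}


def osv_batch_request(pairs: Iterable[Tuple[str, str]]) -> dict:
    """One /v1/querybatch body asking for exact npm (name, version) matches."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v} for n, v in pairs]}


def osv_ids_per_query(resp: dict) -> List[List[str]]:
    """Advisory IDs per query, in query order; an empty result object means no match."""
    return [[v["id"] for v in r.get("vulns", [])] for r in resp.get("results", [])]


def analyse_package(name: str, per_version: Dict[str, int], osv_post: Callable[[dict], dict]) -> dict:
    """Downloads of one package landing on analysed versions that match >=1 published advisory."""
    total = sum(per_version.values())
    cands = candidate_versions(per_version)
    hits = osv_ids_per_query(osv_post(osv_batch_request((name, v) for v in cands)))
    vuln_versions = {v: sorted(ids) for v, ids in zip(cands, hits) if ids}
    vuln = sum(cands[v] for v in vuln_versions)
    return {"package": name, "total_downloads": total, "vulnerable_downloads": vuln,
            "vulnerable_versions": vuln_versions,
            "advisories": {i for ids in vuln_versions.values() for i in ids},
            # the report's "55 / 500" criterion: >=1% of weekly installs on a vulnerable version
            "flagged": bool(total) and vuln / total >= SHARE_THRESHOLD}


def summarise(results: List[dict]) -> dict:
    """Headline numbers across packages: vulnerable share, flagged packages, distinct advisories."""
    total = sum(r["total_downloads"] for r in results)
    vuln = sum(r["vulnerable_downloads"] for r in results)
    return {"total_downloads": total, "vulnerable_downloads": vuln,
            "vulnerable_share": vuln / total if total else 0.0,
            "flagged_packages": sum(r["flagged"] for r in results),
            "distinct_advisories": len(set().union(*(r["advisories"] for r in results)))}


def pinned_versions(lockfile: dict) -> List[Tuple[str, str]]:
    """Exact (name, version) pairs pinned by a lockfileVersion 2/3 package-lock.json. Keys are install
    paths; the name is what follows the last 'node_modules/', so nested and scoped entries both resolve."""
    pairs = set()
    for path, meta in lockfile.get("packages", {}).items():
        if "node_modules/" not in path or meta.get("link") or "version" not in meta:
            continue  # root project, workspace dirs and symlinks carry no registry version
        pairs.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return sorted(pairs)


def scan_lockfile(lockfile: dict, osv_post: Callable[[dict], dict]) -> Dict[str, List[str]]:
    """name@version -> advisory IDs, for every pinned version with >=1 published advisory."""
    pairs = pinned_versions(lockfile)
    hits = osv_ids_per_query(osv_post(osv_batch_request(pairs)))
    return {f"{n}@{v}": sorted(ids) for (n, v), ids in zip(pairs, hits) if ids}


SAMPLE_DOWNLOADS = {  # constructed per-version last-week counts, in the npm endpoint's shape
    "alpha-lib": {"4.2.0": 9_000_000, "4.1.0": 600_000, "3.9.9": 350_000, "2.0.1": 50_000},
    "beta-util": {"1.5.0": 5_000_000, "1.4.3": 20_000},
}
SAMPLE_ADVISORIES = {  # constructed placeholder advisory IDs, not real OSV records
    ("alpha-lib", "3.9.9"): ["GHSA-xxxx-0001"],
    ("alpha-lib", "2.0.1"): ["GHSA-xxxx-0001", "GHSA-xxxx-0002"],
    ("beta-util", "1.4.3"): ["GHSA-xxxx-0003"],
}
SAMPLE_LOCKFILE = {  # constructed package-lock.json v3 fragment; note the nested, older alpha-lib copy
    "lockfileVersion": 3,
    "packages": {"": {"name": "my-app", "version": "0.1.0"},
                 "node_modules/alpha-lib": {"version": "4.2.0"},
                 "node_modules/beta-util": {"version": "1.5.0"},
                 "node_modules/beta-util/node_modules/alpha-lib": {"version": "2.0.1"},
                 "node_modules/@acme/tool": {"version": "0.3.0"}},
}


def fake_osv_post(body: dict) -> dict:
    """Stand-in for POSTing to /v1/querybatch: answers from SAMPLE_ADVISORIES in the real response shape."""
    results = []
    for q in body["queries"]:
        ids = SAMPLE_ADVISORIES.get((q["package"]["name"], q["version"]), [])
        results.append({"vulns": [{"id": i} for i in ids]} if ids else {})
    return {"results": results}


if __name__ == "__main__":
    per_pkg = [analyse_package(n, d, fake_osv_post) for n, d in SAMPLE_DOWNLOADS.items()]
    print(summarise(per_pkg))  # only alpha-lib 3.9.9 counts: 2.0.1 and beta-util 1.4.3 fall under the 1% cut
    print(scan_lockfile(SAMPLE_LOCKFILE, fake_osv_post))  # but the nested alpha-lib@2.0.1 pin is a live exposure
```

The two outputs make the methodology's caveat concrete: the 1% cut means the download statistics never count the vulnerable alpha-lib 2.0.1 (0.5% of its downloads) or beta-util 1.4.3 (0.4%), yet the lockfile scan, which queries every pinned version, finds the 2.0.1 copy nested under beta-util. A real run would replace `fake_osv_post` with an HTTP POST to the assumed OSV endpoint (and handle its `next_page_token` paging) and read `SAMPLE_DOWNLOADS` from the assumed npm endpoint, URL-encoding scoped names.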
Is your product shipping one of these?
Scan your own SBOM against the same database in 30 seconds — free, nothing stored. Then check what the CRA expects from you.
Published by CRAdar. Data: OSV.dev + npm registry, point-in-time. Educational analysis, not legal advice; advisory applicability to a specific product requires individual assessment. Press inquiries: hello@cradar.dev.