The CLI, web audit, and single-package API are free forever. Developer ($15/mo) adds batch scanning and CI/CD automation for builders. Pro ($29/mo) adds team-scale monitoring and alerts — priced per project, not per seat. A 50-person team pays the same as a 5-person team.
Backdoored CI pipeline. 1 npm publisher, 4M+ weekly downloads. Commit score: CRITICAL before the incident.
Stolen npm credentials. 1 publisher, 99M weekly downloads, OpenSSF Scorecard 8.1/10. Commit score: CRITICAL.
Self-replicating worm. 637 package versions in 39 minutes. Installed Claude Code & VS Code persistence hooks. Two OpenAI devices affected.
Dormant publisher hijack. 141 packages across @mastra/*, ~8M weekly downloads, 88 minutes. The injected typosquat easy-day-js scored 30 — its target dayjs scored 90. Read the analysis.
npm audit flagged none of these beforehand. Behavioral signals flagged all of them.
Monitoring catches score changes before the next one reaches your tree.
Ecosystem response
PostCSS creator Andrey Sitnik moved nanoid and nanospy to Staged Publishing on June 19. Hono creator Yusuke Wada merged it into Hono on June 22 — four days later. preact shipped the same hardening earlier without announcement. Four packages, ~290M combined weekly downloads, all verified by our detector.
"I already moved nanoid and nanospy to the new process, we can test them." — Andrey Sitnik, PostCSS creator · postcss/postcss#2096 · June 2026
Verify it yourself:
scan nanoid · scan hono · scan preact · scan postcss
(PostCSS itself is in flight — "in a week or two", per the thread; see hono#5035 for Hono's adoption). Monitoring flags when each promotes from stage to latest. The score moves before the install does.
Free: individual developers, open source maintainers, evaluators.
Developer: builders, open source maintainers, dev-stage projects wanting automation without team overhead. 30-day money-back guarantee. Cancel anytime, no contract.
Pro: small teams, indie devs with multiple projects, security-conscious startups. 30-day money-back guarantee. Cancel anytime, no contract.
Enterprise: mid-market companies, compliance-driven orgs, platform teams.
Open source CLI and web audit are free forever. Paid tiers add batch API, CI automation, and monitoring. Start free, upgrade when your pipeline needs it.
Free tier: 200 req/day, no credit card required. Your key appears on this page in seconds — paid tiers ($15+/mo) work the same way.
Socket and Snyk charge per developer — the cost compounds as your team grows. Commit is priced per project. A 50-person team pays the same as a 5-person team.
| Team size / scenario | Socket.dev | Snyk | Commit |
|---|---|---|---|
| Solo dev / OSS maintainer building integrations | $25/mo (Team min) | $25/mo (Team min) | $15/mo Developer tier |
| 5-dev startup, 10 projects | $125/mo | $125/mo | $29/mo (77% cheaper) |
| 15-dev team, 20 projects | $750/mo | $1,575/mo | $29/mo (96% cheaper) |
| 50-dev company, 50 projects | $2,500/mo | $5,250/mo | $199/mo (92% cheaper) |
Socket Team at $25/dev/mo · Snyk Team at $25/dev/mo, Ignite at $105/dev/mo · Commit Developer $15/mo for solo builders · Commit Pro flat $29/mo regardless of team size. Socket and Snyk are excellent tools — they're just priced for a different model.
Different tools, different attack surfaces. Use ArgusRed/Semgrep for your own code; use Commit for your dependency graph.
Developer ($15/mo) is for builders: you get 5× more API requests than free, batch scanning for up to 5 packages at once, GitHub Action auto-triggers on PR, and monitoring for 15 packages (5× the free-tier weekly digest) with daily scans + instant email alerts the moment any score drops a tier. It's the right tier when you're building something with Commit's API but aren't yet running team-scale pipelines.
Pro ($29/mo) is for teams in production: 10,000 requests/month (pooled), batch up to 20 packages, 10 monitored projects, Slack/webhook alerts, 90-day history, and priority badge CDN. If you're integrating into a team CI/CD pipeline, Pro is the right tier.
Per-seat pricing is standard in security SaaS because it's easy to enforce — SSO gives you headcount. But it creates perverse incentives: teams avoid adding contributors to save costs, and security coverage gets gaps.
Commit's data comes from public registries — we don't touch your code, so we don't need to count seats. Per-project pricing aligns cost with value: you pay for what you monitor, not for who's on your team. A growing team shouldn't cost more for the same security coverage. That's the structural advantage of being metadata-only.
No. Use all of them. Socket detects malicious code after it's published. Snyk finds known CVEs. Commit identifies structural exposure before any code changes — it maps which packages are the kind of thing that gets targeted. The ua-parser-js attack (October 2021, ~8M weekly downloads, one maintainer) triggered zero warnings in Socket or Snyk beforehand. The same structural pattern — concentrated publish authority over a high-volume install base — flagged axios CRITICAL months before its March 2026 credential-theft incident.
They answer different questions. Automated code scanners (Semgrep, ArgusRed, CodeQL) search your own source code for exploitable vulnerabilities — they run after you've written the code. Commit audits the packages you depend on, before they enter your codebase.
The relevant sequence: Commit flags a dependency as CRITICAL in your PR review → you reject the import → there's nothing for a code scanner to find later. If you skip the supply-chain check, the best a scanner can do is find the exploit after you've already shipped the risky dependency to production.
Pricing model also differs. Token-based scanners cost more as you scan more repos more often. Commit is flat per project — continuous monitoring included at every tier, regardless of how frequently packages change. Use both approaches if your budget allows; if you're prioritising, supply-chain exposure is where most real-world package-level incidents originate.
A project is a dependency manifest you want Commit to monitor continuously — typically a package.json or GitHub repository. Pro covers 10 projects with daily scans. Enterprise covers unlimited projects with hourly scans. Single-package audits via the API don't count toward your project limit.
Yes. The CLI (npx proof-of-commitment), the scoring algorithm, and the web audit tool are MIT-licensed and free forever. Security tools that hide their methodology are asking for blind trust — that's not how we want to operate. The value in Pro and Enterprise isn't the algorithm (it's public) — it's the infrastructure: monitoring, alerts, historical data, and CI/CD integration.
Free tier: 200 single-package requests per day with a free API key (instant signup at /get-started, no card). Anonymous (no key): 15/day per IP — kept tight because corporate NAT, CGN, and CI runners share IPs. Batch requests (up to 5 packages) come with Developer ($15/mo); up to 20 packages with Pro ($29/mo). If you hit the limit, the API returns HTTP 429 with a Retry-After header and an upgrade link.
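As an added example (not the project's own client code), a small Python wrapper that honours the HTTP 429 / Retry-After behaviour described above and reports a rate limit as its own outcome, so a CI gate can fail closed rather than mistake "no verdict" for "no finding". The Commit API endpoint and response body are not shown here, so the HTTP call is injected and the responses in `demo()` are constructed.

```python
import email.utils
import time
from typing import Callable, Mapping, Optional, Tuple

# Constructed transport shape: (status, headers, body). The real endpoint and
# response body are assumptions; the HTTP call is injected so this runs offline.
Response = Tuple[int, Mapping[str, str], str]


def parse_retry_after(value: Optional[str], now: float) -> Optional[float]:
    """Seconds to wait from a Retry-After header (delta-seconds or HTTP-date), else None."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value).timestamp()
    except (ValueError, TypeError):
        return None  # unparseable: caller treats it as "no usable hint"
    return max(0.0, when - now)


def audit_with_backoff(fetch: Callable[[], Response], max_attempts: int = 3,
                       max_wait: float = 60.0, sleep=time.sleep, clock=time.time) -> dict:
    """Call the audit endpoint; on 429 honour Retry-After and retry a bounded number of times.
    A rate limit is returned as a distinct outcome instead of being swallowed."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = fetch()
        if status == 200:
            return {"outcome": "ok", "body": body, "attempts": attempt}
        if status != 429:
            return {"outcome": "error", "status": status, "attempts": attempt}
        header = {k.lower(): v for k, v in headers.items()}.get("retry-after")
        wait = parse_retry_after(header, clock())
        if wait is None or wait > max_wait or attempt == max_attempts:
            return {"outcome": "rate_limited", "retry_after": wait, "attempts": attempt}
        sleep(wait)  # honour the server's hint rather than hammering a shared-IP limit
    return {"outcome": "rate_limited", "retry_after": None, "attempts": max_attempts}


def demo() -> dict:
    """One constructed rate-limit hit, then a successful audit; sleeps are recorded, not slept."""
    responses = iter([
        (429, {"Retry-After": "2"}, ""),
        (200, {}, '{"package": "nanoid", "constructed": true}'),
    ])
    slept: list = []
    result = audit_with_backoff(lambda: next(responses), sleep=slept.append)
    result["slept"] = slept
    return result
```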
Paste your dependencies. See which packages are structurally exposed. No account required.
Didn't upgrade. Why? Email pico@amdal.dev — I'm trying to figure out what's missing. One sentence is enough.