One thing that I usually check is if the npm package has more than 1 person with release rights. This implies that the truck factor isn’t gonna kill the project. It also implies that the maintainer has succeeded in building a trustable community around the package. I always check their github repo to see how many contributors it has and/or if there’s one boss developer who does the majority of the work. The number of open PRs and the feedback on PRs in general also tells you something about the attention the maintainer(s) give to the community. For me a bigger community equals some sort of guarantee that it’ll not die soon and “given enough eyeballs all bugs are shallow”.
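The two checks described in that comment (how many accounts can publish the package, and whether one developer authors nearly all of the commits) can be scripted. The following is an added example, not code from the commenter; it assumes the package document served by the public npm registry carries a `maintainers` array of `{name, email}` objects, and takes the per-contributor commit counts as a plain dict that you would tally yourself from the repository's contributor statistics. Both inputs below are constructed samples so the block runs offline.

```python
import json
import urllib.request

# Constructed sample of an npm registry package document, trimmed to the fields
# used here (assumption: the registry's "maintainers" array lists the accounts
# that currently have publish rights).
SAMPLE_REGISTRY_DOC = {
    "name": "example-pkg",
    "dist-tags": {"latest": "1.4.2"},
    "maintainers": [{"name": "alice", "email": "alice@example.invalid"}],
}

# Constructed sample of commits per contributor, as tallied from the repository.
SAMPLE_CONTRIBUTIONS = {"alice": 412, "bob": 9, "carol": 4, "dave": 1}


def fetch_registry_doc(package_name, timeout=10):
    """Fetch the live package document from the npm registry (network call; not
    used by the offline checks below)."""
    url = f"https://registry.npmjs.org/{package_name}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def publisher_count(doc):
    """Number of distinct accounts with publish rights listed in the registry doc.
    Duplicate or nameless entries are not counted twice."""
    names = {m.get("name") for m in doc.get("maintainers", []) if m.get("name")}
    return len(names)


def top_contributor_share(contributions):
    """Fraction of all commits authored by the single most active contributor.
    Returns 0.0 for an empty or all-zero tally instead of dividing by zero."""
    total = sum(contributions.values())
    if total == 0:
        return 0.0
    return max(contributions.values()) / total


def assess(doc, contributions, min_publishers=2, max_top_share=0.8):
    """Apply the two heuristics and return a list of concerns; an empty list
    means neither threshold was crossed. Thresholds are chosen here as examples."""
    concerns = []
    n = publisher_count(doc)
    if n < min_publishers:
        concerns.append(
            f"only {n} account(s) can publish: a single compromised or lost "
            f"account controls every release"
        )
    share = top_contributor_share(contributions)
    if share > max_top_share:
        concerns.append(
            f"top contributor authored {share:.0%} of commits: low truck factor"
        )
    return concerns


if __name__ == "__main__":
    for concern in assess(SAMPLE_REGISTRY_DOC, SAMPLE_CONTRIBUTIONS):
        print("WARN:", concern)
```

The thresholds (two publishers, 80% of commits) are starting points rather than rules; the useful part is that both numbers come from data you can fetch for any package, so the check can run in CI before a new dependency is merged.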

