Founder of Socket here. npm has since unpublished the chunk packages that the 'everything' package depends on (or perhaps made them private), so those packages are no longer being taken into account in the package score.
You're right that a package that depends on literally everything would absolutely have a score of 0 in our system.