
Has anyone ever written a static analyzer to audit an npm package? Say I'm looking to add a new npm dependency, and I do my due diligence, poring over the code, scanning the issues log, etc., and everything looks kosher. But then it would still be nice to run it through some kind of automated analyzer, which also recursively scans dependencies. I ask because even simply grepping each file for the string "eval" would have flagged this.



There is a ‘npm audit’ command but that checks for known versions of a package that have a vulnerability so it’s not a static analyzer as far as I know.


Yeah, I am thinking more of something like linting+ for packages. And for published code, not code from the git repo.

    % analyze-some-npm-package some-package@2.1.1
    → some-package/foo.js contains a syntax error
    → some-package/bar.js calls eval() on line blah blah
    → sub-dependency@2.3.4 is only 2 hours old
...that sort of thing. I suppose it would be a pretty big undertaking.


I think all of those cases are possible today, you just need the right tools.

For example:

1. contains a syntax error: this is solved with TypeScript or flow which can run against a .js file

2. calls to eval(): this is solved by linting the .js file

3. only 2 hours old: this is solved by looking at npm publish date for the package version...take a look at the "time" key here: https://registry.npmjs.com/eslint-scope




