Idea
Create a rule that alerts if a package is suspicious based on configurable parameters
Rule Specifications
Name: suspicious-packages
Arguments:
- downloads: Minimum amount of downloads per month in NPM
- last-update: Last package update in months in NPM
- maintainers: Minimum number of maintainers in NPM
- open-issues: Minimum amount of open issues in GitHub
- stars: Minimum amount of stars in GitHub
- watchers: Minimum amount of watchers in GitHub
- forks: Minimum amount of forks in GitHub
- archived: Archived or not
Because a suspicious package may be the combination of many indicators, like:
- low downloads
- low downloads and last updated 9 months ago
- archived: yes
I think it is better instead to add different setups like:
```json
"suspicious-packages": [
  "error",
  {
    "base": { "archived": true },
    "indicators": [
      { "forks": 3, "stars": 4 },
      { "downloads": 10, "last-update": 6 }
    ],
    "whitelist": []
  }
]
```
Implementation
Use the APIs of NPM, NPM.io, Libraries.io and GitHub.
NPM.io:
https://api.npms.io/v2/package/adviser
NPM:
- Downloads: https://api.npmjs.org/downloads/point/last-month/adviser
- Last Update: https://registry.npmjs.org/adviser
- Maintainers: https://registry.npmjs.org/adviser
Libraries.io:
Good API; we can avoid some GitHub requests and have a fallback for rate limits. Heads up: it also has rate limits.
https://libraries.io/npm/adviser
GitHub:
- Open Issues: https://api.github.com/repos/jam3/adviser/issues
- Stars, Watchers, etc: https://api.github.com/repos/jam3/adviser
Notes
- Feel free to add more indicators to identify suspicious packages
- GitHub has a rate limit when not logged in, so be ready to get an invalid response; you may also want to add an option in the config to provide a token and use it.
- Create documentation for the rule within /docs/rules
- Add metadata to the rule
- Update the Plugin general README and add the new rule
- Just scan dependencies (not devDependencies or dependencies of dependencies, etc)
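The following is an added example, not code from the adviser project, showing how the indicator groups from the proposed config could be evaluated against metadata already fetched from the APIs listed above. The field names read from the payloads (`downloads`, `time.modified`, `maintainers`, `stargazers_count`, `subscribers_count`, `forks_count`, `open_issues_count`, `archived`) are the ones those public endpoints return; everything else is an assumption made here: count-type indicators flag when the value is at or below the threshold, `last-update` flags when the package is at least that many months stale, `archived` flags on an exact match, `base` is treated as one more indicator group, a group fires only when all of its conditions hold, and a missing metric (for example after a rate-limited GitHub response) never fires. The sample payloads at the bottom are constructed.

```javascript
// Added example (not adviser's own code). Evaluates "suspicious-packages"
// indicator groups against normalised package metadata.

// URL builders for the endpoints named in the issue.
const endpoints = {
  downloads: (name) => `https://api.npmjs.org/downloads/point/last-month/${name}`,
  registry: (name) => `https://registry.npmjs.org/${name}`,
  repo: (owner, repo) => `https://api.github.com/repos/${owner}/${repo}`,
};

// Whole calendar months elapsed between an ISO timestamp and `now`.
function monthsSince(isoDate, now = new Date()) {
  const then = new Date(isoDate);
  return (now.getUTCFullYear() - then.getUTCFullYear()) * 12
    + (now.getUTCMonth() - then.getUTCMonth());
}

// Map the raw API payloads onto the indicator names used by the rule config.
// A payload that is absent (e.g. GitHub returned an error) yields undefined metrics.
function collectMetrics({ downloads, registry, repo }, now = new Date()) {
  return {
    downloads: downloads && downloads.downloads,
    'last-update': registry && monthsSince(registry.time.modified, now),
    maintainers: registry && (registry.maintainers || []).length,
    'open-issues': repo && repo.open_issues_count,
    stars: repo && repo.stargazers_count,
    // GitHub's watchers_count mirrors stargazers_count; subscribers_count is the real watcher count.
    watchers: repo && repo.subscribers_count,
    forks: repo && repo.forks_count,
    archived: repo && repo.archived === true,
  };
}

// Assumed direction of each indicator: counts are suspicious when low,
// staleness when high, booleans on exact match. Missing data never fires.
function indicatorHit(key, threshold, value) {
  if (value === undefined || value === null) return false;
  if (key === 'last-update') return value >= threshold;
  if (key === 'archived') return value === threshold;
  return value <= threshold;
}

// A group fires only when every condition in it holds (assumed semantics).
function groupHits(group, metrics) {
  return Object.entries(group).every(([key, t]) => indicatorHit(key, t, metrics[key]));
}

// Returns { suspicious, reasons } for one package under the rule options.
function evaluatePackage(name, metrics, options) {
  const { base = {}, indicators = [], whitelist = [] } = options;
  if (whitelist.includes(name)) return { suspicious: false, reasons: [] };
  const reasons = [];
  if (Object.keys(base).length > 0 && groupHits(base, metrics)) reasons.push({ base });
  indicators.forEach((group, i) => {
    if (groupHits(group, metrics)) reasons.push({ indicator: i, group });
  });
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample payloads in the shape of the three APIs (not real data).
function sampleEvaluation() {
  const now = new Date('2020-03-15T00:00:00Z');
  const payloads = {
    downloads: { downloads: 8, package: 'example-pkg' },
    registry: { time: { modified: '2019-06-01T00:00:00Z' }, maintainers: [{ name: 'someone' }] },
    repo: { stargazers_count: 2, subscribers_count: 1, forks_count: 0, open_issues_count: 0, archived: false },
  };
  const options = {
    base: { archived: true },
    indicators: [{ forks: 3, stars: 4 }, { downloads: 10, 'last-update': 6 }],
    whitelist: [],
  };
  return evaluatePackage('example-pkg', collectMetrics(payloads, now), options);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sampleEvaluation(), null, 2));
}
```

Because `collectMetrics` leaves a metric undefined when its payload is missing, a rate-limited GitHub call degrades to "no GitHub-based indicator fires" rather than to a false positive; the caller can still log that the data was incomplete.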