I'm really impressed by what https://socket.dev/ does for node modules. They have an impressive tool that does static analysis on npm source code and checks for vulnerabilities and other red flags.

Not to throw the people who created dashport under the bus, but just as a cautionary tale: they released this module a year ago without a pinned oak dependency here: https://github.com/oslabs-beta/dashport/blob/main/deps.ts. This is the kind of static analysis I'd be curious about, and issues like this will drive people crazy in the future. Not sure if the current linter would have caught this example. I'd imagine on the https://deno.land/x/dashport page it would say "Uses unpinned third-party dependencies" in red, as a message to the maintainers to fix this, and to the users to be cautious.

I'd also want to see things like the repo being set up for some continuous deployment practices, test coverage, malicious urls, things like that.
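A minimal version of the check the comment above wishes for, added here as an example and not taken from the discussion, from dashport, or from socket.dev: it scans the text of a deps.ts-style file for `deno.land/x/<name>` and `deno.land/std` imports that carry no `@version` and reports each one with its line number. The sample deps.ts content is constructed for the example; the `verdict` wording simply reuses the red message the comment imagines on the module page. Relative imports and other hosts are deliberately out of scope, so a clean result only means "no unpinned deno.land imports", not "all dependencies are pinned".

```typescript
// Added example, not code from the discussion, dashport, or socket.dev.
// Detects unpinned deno.land imports in deps.ts-style source text.

interface Finding {
  line: number;      // 1-based line in the scanned source
  specifier: string; // the import URL as written
  reason: string;    // why it was flagged
}

// Module specifiers in `... from "..."` and bare `import "..."` statements.
const SPECIFIER_RE = /\bfrom\s+["']([^"']+)["']|\bimport\s+["']([^"']+)["']/g;

// https://deno.land/x/<name>[@<version>]/...   (group 2 present => pinned)
const DENO_X_RE = /^https:\/\/deno\.land\/x\/([A-Za-z0-9_.-]+)(@[^/]+)?\//;
// https://deno.land/std[@<version>]/...        (group 1 present => pinned)
const DENO_STD_RE = /^https:\/\/deno\.land\/std(@[^/]+)?\//;

// Returns a reason string if the specifier is an unpinned deno.land import,
// or null if it is pinned or outside this check's scope (relative paths,
// other registries).
function checkSpecifier(spec: string): string | null {
  const x = DENO_X_RE.exec(spec);
  if (x) {
    return x[2] ? null : `deno.land/x module "${x[1]}" is not pinned to a version`;
  }
  const std = DENO_STD_RE.exec(spec);
  if (std) {
    return std[1] ? null : "deno.land/std import is not pinned to a version";
  }
  return null;
}

// Scans source text line by line and collects every unpinned deno.land import.
function findUnpinnedImports(source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    // Fresh RegExp per line so the global lastIndex never leaks between lines.
    const re = new RegExp(SPECIFIER_RE.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(lines[i])) !== null) {
      const spec = m[1] !== undefined ? m[1] : m[2];
      const reason = checkSpecifier(spec);
      if (reason !== null) {
        findings.push({ line: i + 1, specifier: spec, reason });
      }
    }
  }
  return findings;
}

// The one-line summary a registry page could show next to the module.
function verdict(source: string): string {
  return findUnpinnedImports(source).length > 0
    ? "Uses unpinned third-party dependencies"
    : "No unpinned deno.land dependencies found";
}

// Constructed sample deps.ts; the URLs and version are illustrative only.
const SAMPLE_DEPS_TS = [
  "// constructed sample, not a real project's deps.ts",
  'export { Application, Router } from "https://deno.land/x/oak/mod.ts";',
  'export { assertEquals } from "https://deno.land/std@0.140.0/testing/asserts.ts";',
  'export * as log from "https://deno.land/std/log/mod.ts";',
  'import { helper } from "./util.ts";',
].join("\n");

for (const f of findUnpinnedImports(SAMPLE_DEPS_TS)) {
  console.log(`line ${f.line}: ${f.specifier} -> ${f.reason}`);
}
console.log(verdict(SAMPLE_DEPS_TS));
```

Running it on the constructed sample flags line 2 (oak with no version) and line 4 (std with no version) and leaves the pinned std import and the relative import alone. Wiring the same function into a CI step that fails the build on any finding is the maintainers' side of the message; surfacing `verdict()` on the module's listing page is the users' side.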