by eatonphil 1513 days ago
I'd like to see an algorithmic grading system that grades every repo publicly on things like: number of (transitive) dependencies, regularity of releases (explicitly not frequency since some things release reliably once a year), test coverage, and so on.

I'd like this to be public so that anyone can enter in a package and check out its score. My thought is that over time this might influence/produce a natural selection of only high quality repos.

My other idea, which is what this post is getting at, is that some group of devs band together to build a "distribution" of reliable JavaScript packages like every Linux distro does with the packages they distribute.
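A minimal sketch of the scoring idea in the post, added here as an example; it is not code from the thread or from any of the tools named in it. It walks a constructed npm lockfileVersion 3 `packages` map to count direct and transitive dependencies, measures release regularity as the coefficient of variation of the intervals between release dates (so a reliable once-a-year cadence scores as well as a reliable monthly one), and combines those with a coverage figure into one grade. The lockfile contents, release dates, weights and the `gradeRepo` / `countDependencies` / `releaseRegularity` names are all assumptions made for the example.

```javascript
// Added example: grading a repository on dependency count, release
// regularity and test coverage. The lockfile and dates below are constructed.

// Constructed npm lockfileVersion 3 style "packages" map (path -> metadata).
// Real lockfiles carry many more fields; only "dependencies" is used here.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "lib-a": "^1.0.0", "lib-b": "^2.0.0" } },
    "node_modules/lib-a": { version: "1.2.0", dependencies: { "lib-c": "^3.0.0" } },
    "node_modules/lib-b": { version: "2.1.0", dependencies: { "lib-c": "^3.0.0", "lib-d": "^0.1.0" } },
    "node_modules/lib-c": { version: "3.0.1" },
    "node_modules/lib-d": { version: "0.1.4", dependencies: { "lib-e": "^1.0.0" } },
    "node_modules/lib-e": { version: "1.0.0" },
  },
};

// Count direct and transitive dependencies by walking the packages map from
// the root entry (""). Assumption for brevity: every name resolves to the
// hoisted "node_modules/<name>" entry; real resolution also checks nested
// node_modules paths.
function countDependencies(lock) {
  const root = lock.packages[""] || {};
  const direct = Object.keys(root.dependencies || {});
  const seen = new Set();
  const stack = [...direct];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) continue; // missing entry: lockfile is inconsistent, skip it
    for (const dep of Object.keys(entry.dependencies || {})) stack.push(dep);
  }
  return { direct: direct.length, total: seen.size };
}

// Regularity of releases: coefficient of variation (std dev / mean) of the
// gaps between consecutive release dates. 0 means perfectly regular, whatever
// the cadence. Needs at least three dates (two intervals) to say anything.
function releaseRegularity(isoDates) {
  const times = isoDates.map((d) => new Date(d).getTime()).sort((a, b) => a - b);
  if (times.length < 3) return { releases: times.length, meanIntervalDays: null, cv: null };
  const days = [];
  for (let i = 1; i < times.length; i++) days.push((times[i] - times[i - 1]) / 86400000);
  const mean = days.reduce((s, x) => s + x, 0) / days.length;
  const variance = days.reduce((s, x) => s + (x - mean) ** 2, 0) / days.length;
  return { releases: times.length, meanIntervalDays: mean, cv: Math.sqrt(variance) / mean };
}

// Combine the three signals into a 0..100 grade. The weighting is an
// assumption: fewer total dependencies, lower cv and higher coverage all help.
function gradeRepo(lock, releaseDates, coverage) {
  const deps = countDependencies(lock);
  const depScore = Math.max(0, 1 - deps.total / 50); // 50+ transitive deps scores 0
  const reg = releaseRegularity(releaseDates);
  const regScore = reg.cv === null ? 0 : 1 / (1 + reg.cv);
  const covScore = Math.min(1, Math.max(0, coverage));
  return Math.round(((depScore + regScore + covScore) / 3) * 100);
}

// Stand-alone usage with the constructed inputs.
const releases = ["2018-01-01", "2019-01-01", "2020-01-01"];
console.log(countDependencies(SAMPLE_LOCK));
console.log(releaseRegularity(releases));
console.log("grade:", gradeRepo(SAMPLE_LOCK, releases, 0.8));
```

Counting from the lockfile rather than from `package.json` is what makes the number reflect what actually lands in `node_modules`, which is the figure that matters for supply-chain exposure; the `lib-c` entry above is reached from two parents but counted once.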

3 comments

I like the last idea best. It's not an unreasonable amount of work -- every project basically does this on their own now. One or two dedicated people could do a great job.
A recently announced tool called Socket is trying to do exactly that scoring approach:

https://socket.dev/

I've seen some of these and my angle is separate from security. So far all the grading systems have been focused on security and not code quality, including not counting (transitive) dependencies.

It's not just better packages I want but fewer of them.

The tools like socket.dev could of course choose to incorporate stuff like this.

Also, to make permanent progress it's important that the grades all be public. Not sure if socket.dev is public.

Some of these data points are captured by Snyk Advisor https://snyk.io/advisor/