I've seen some of these and my angle is separate from security. So far all the grading systems have been focused on security and not code quality, including not counting (transitive) dependencies.
It's not just better packages I want but fewer of them.
The tools like socket.dev could of course choose to incorporate stuff like this.
Also, to make permanent progress it's important that the grades all be public. Not sure if socket.dev is public.