by thenerdhead 1011 days ago
Cool project. How do you feel about projects like OpenSSF Scorecards or even the checks that socket.dev does today on these packages to help determine risk?

https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?


Thanks! We need more such efforts to improve the supply-chain security of open-source software.

Packj detects typo-squatting (impersonation) as well.