Advance malicious / broken module detection

[littledivy]

Currently our malicious/broken module detection is manual making it an experience based reporting system i.e we just let the users complain.

Proposal -
Analyze every source file (js/ts) and dependencies in the module source code as and when a new version is published.

How -
It may sound difficult to implement something like this but luckily we have swc which makes things very easy for us.

• It offers an ecmascript parser that would complain when a package is broken.
• With swc_ecma_visit (used by deno_lint) we can look for malicious commands that could possibly be executed with Deno.run, etc and warn users while importing.
• Scanning dependencies that are imported from other registries will make it full proof. See how dependency analyzer is implmented in deno_swc

Where -
This is most likely to be a part of the Rust API but it will be available as a rust crate for other registries to implement.

Why -
No other package registry has any automatic module detection system so we would probably be the first to do this.

[notfilippo]

This could be integrated well with module scoring, 👍🏻

[t8]

Sauron will work perfectly for this!

[littledivy]

analyzer is the repo for this. Converting this to a discussion.