> This results in 5 false positives (out of 56 benign inputs), which are caused by limitations of the static analysis (3/5) or node types outside of the safe set (2/5).
Besides that, it's good to see more security tools - especially when the research is open source: https://github.com/sola-da/Synode
e.g. a nodejs profile with:
- exec disabled
- file write access limited to ./tmp, ./docs, ./tests
- file read access limited to ./tmp, ./docs
- network listening: port 1000~11000 allowed
And why not have a 'sesame points' system for dependencies?
- ownership-change within 3 weeks: -20 points,
- static analysis finds something wrong: -20 points
- badges: 'file-read badge', 'exec-badge', etc.