npm and GitHub have always had an awkward overlap. One of the goals at Socket is to provide an aligned 'union' view into the data both services offer. Keen eye!
There is a smattering of tools across the ecosystem that provide this kind of info (packagephobia, avanka etc) and it would be fantastic to surface these in a unified product UI. You will know we've met our goals when socket becomes your go-to service to navigate npm!
Same reason most of the malware ecosystem focused on Windows instead of macOS for many years. Scale of your potential target, and also volume of noise that is made when something bad happens. Also it supports nested dependencies and the tools can accommodate large deep trees without much pain, so they tend to grow in size over time.
Is Node really that much more widespread than dotnet, Java, or Python? Or is it more about the general experience level/knowledge of the typical JS developer, where it's more likely to have Bootcamp/self-taught experience than a formal CompSci education?
Right now the integration is fairly slim, it just does typo squat warnings when you install a package that has a similar name to a more common package. The warning comes in the form of a comment in PRs that include additions of packages that meet this criteria.
We have a bunch of other detections listed here: https://socket.dev/npm/issue which have not been added to the GitHub App yet, but are available on a per-package basis for manual research at the moment. Over the next few release cycles we will be adding additional issue checks and warnings to the GitHub integration so that you can get a warning when dependencies add new capabilities, add suspicious things like analytics or install scripts or add unknown publishers to their maintainer list, or start publishing binary or obfuscated code. These will be automatically turned on and rolled out as we determine them to be not too noisy and provide interesting signals.
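The typosquat check the comment above describes, as an added example (not Socket's code): it diffs two package.json objects, takes the newly added dependency names, and flags any that are within one edit (including an adjacent transposition) of a popular package name. The popular-package list, the sample package.json contents and the distance threshold are constructed assumptions.

```javascript
// Added example: flag newly added npm dependencies whose names are a
// near-miss of a popular package. Not Socket's implementation.

// Assumption: a small constructed "popular packages" list. A real check
// would rank by download counts.
const POPULAR = ["lodash", "express", "react", "axios", "chalk", "commander", "moment", "request"];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "lodahs" is one edit from "lodash".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Drop the scope, lowercase, and strip separators so "lo-dash" compares as "lodash".
function normalize(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Popular names the given package is suspiciously close to. Very short names
// only match on an exact normalized collision, because distance-1 matches on
// two- or three-letter names are almost all noise.
function typosquatCandidates(name, popular = POPULAR, maxDistance = 1) {
  const n = normalize(name);
  const hits = [];
  for (const p of popular) {
    if (p === name) continue; // the real package, not a lookalike
    const pn = normalize(p);
    const close = pn === n || (n.length >= 4 && osaDistance(n, pn) <= maxDistance);
    if (close) hits.push(p);
  }
  return hits;
}

// Names present in the "after" manifest but absent from the "before" one.
function addedDependencies(beforePkg, afterPkg) {
  const names = (pkg) => [
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ];
  const before = new Set(names(beforePkg));
  return names(afterPkg).filter((n) => !before.has(n));
}

// One warning per newly added dependency that resembles a popular package.
function reviewPackageJsonChange(beforePkg, afterPkg, popular = POPULAR) {
  const warnings = [];
  for (const name of addedDependencies(beforePkg, afterPkg)) {
    const similar = typosquatCandidates(name, popular);
    if (similar.length) warnings.push({ package: name, similarTo: similar });
  }
  return warnings;
}

// Constructed sample PR: "lodahs" and "axois" are lookalikes; "react" is genuine.
const SAMPLE_BEFORE = { dependencies: { express: "^4.18.0" } };
const SAMPLE_AFTER = {
  dependencies: { express: "^4.18.0", lodahs: "1.0.0", react: "^18.0.0" },
  devDependencies: { axois: "0.1.0" },
};

console.log(JSON.stringify(reviewPackageJsonChange(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

The output for the constructed sample is two warnings, one for `lodahs` (similar to `lodash`) and one for `axois` (similar to `axios`); `react` is an exact match for a popular package and is not flagged. In a PR bot these warnings would become the review comment the thread describes.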
3. It will be a paid product, but is free while it is in beta. We plan on keeping it free for open source.
We are looking into providing support for the Deno ecosystem down the road as well. The capabilities stuff they have is super great, but you lose all of that benefit for every dependency as soon as you turn it off, so we think there is probably room for this kind of analysis there. Hopefully Socket can provide a similar signal that --allow-net provides, but for all of npm!
Started as Jekyll, but then converted to just markdown in GitHub.
My CMS is just GitHub basically, you can basically read and navigate the files in GitHub with very little content loss:
https://github.com/bcomnes/bret.io/tree/master/src
The loose collection of build tools is wrapped up in this tool: https://github.com/bcomnes/siteup
It's deployed to Neocities with this custom action: https://github.com/bcomnes/deploy-to-neocities
My stylesheet base lives here https://github.com/bcomnes/mine.css