Yes, it brings up a very good point… Just because it doesn’t have any problems doesn’t mean that somebody has actually looked for it. Right now that’s a problem across basically all tooling. Unless you have somebody auditing those packages, you have no confidence. The ^Lift team does auditing of the top hundred modules for the npm enterprise offering. So we do some thorough auditing of those packages and keep an eye on those, but there isn’t a good indicator for thoroughly audited.

[ ] This is a challenge that we had early on. I at one point could tell you that – Chris, there is not a list of those npm packages someplace; I could probably dig that up though.

At one point I could tell you that we audited all 12,000 of those modules early on for child process [unintelligible]. So I could tell you that we audited those for one thing. Even then, there’s gonna be blind spots, so I think the goal is to figure out how to incentivize those individuals to audit things, and then to figure out how to capture those efforts. It’s gonna be a challenge, and it’s something that we’re looking forward to as a challenge… But there’s no tooling that really gives you that confidence level yet.

For me, that’s frustrating; it can be frustrating, but we’re gonna expose all of the signals that we do have. Right now we have the database, and I know there are some differences in those databases. Right now we maintain our database, which was at one point in time donated to the NodeJS Foundation, which sort of kindled and started up the Node Security Working Group… So they’re maintaining ecosystem reports right now, so we’re doing just some of that, as well as we have internal research that goes into our data set as well.