Ever installed an npm package without really knowing what you were pulling into your project? I did too, and it bugged me enough that I built Revera.
Revera scores any npm package using a weighted algorithm across maintainability, trust signals, release history, download trends, and more, giving you a single, explainable score before you npm install blindly.
Some of the features I'm proud of:
π why breaks down exactly why a package scored the way it did
π©Ί doctor checks that your setup is healthy
β‘ 24h local caching for speed
π GitHub login for higher rate limits
βοΈ Fully customizable scoring config
π audit scans your working directory and scores everything at once
It's still evolving, though, the algorithm isn't perfect yet, but it's getting close, and every bit of feedback (good or brutal) helps me improve it.
Would genuinely love for you to try it out:
π¦ npm: https://www.npmjs.com/package/@aaravmaloo/revera
π» GitHub: https://github.com/aaravmaloo/revera
Top comments (1)
Hijacked updates are the case I'd design the score around. A package can have years of great history and then one malicious release, and at that exact moment every signal built on history says it's trustworthy. Does revera score the latest version specifically, or the package as a whole? Weighting recent anomalies, like a maintainer change plus a new install script landing in the same release, would catch the scenario people are actually scared of. The why command is a good call either way, an explainable score is the difference between a tool people trust and one they ignore.