DEV Community

Aarav Maloo
Aarav Maloo

Posted on

I made revera, a tool that scores NPM packages before you blindly install them

Ever installed an npm package without really knowing what you were pulling into your project? I did too, and it bugged me enough that I built Revera.
Revera scores any npm package using a weighted algorithm across maintainability, trust signals, release history, download trends, and more, giving you a single, explainable score before you npm install blindly.
Some of the features I'm proud of:

πŸ” why breaks down exactly why a package scored the way it did
🩺 doctor checks that your setup is healthy
⚑ 24h local caching for speed
πŸ” GitHub login for higher rate limits
βš™οΈ Fully customizable scoring config
πŸ“‚ audit scans your working directory and scores everything at once

It's still evolving, though, the algorithm isn't perfect yet, but it's getting close, and every bit of feedback (good or brutal) helps me improve it.
Would genuinely love for you to try it out:
πŸ“¦ npm: https://www.npmjs.com/package/@aaravmaloo/revera
πŸ’» GitHub: https://github.com/aaravmaloo/revera

Top comments (1)

Collapse
 
nazar-boyko profile image
Nazar Boyko

Hijacked updates are the case I'd design the score around. A package can have years of great history and then one malicious release, and at that exact moment every signal built on history says it's trustworthy. Does revera score the latest version specifically, or the package as a whole? Weighting recent anomalies, like a maintainer change plus a new install script landing in the same release, would catch the scenario people are actually scared of. The why command is a good call either way, an explainable score is the difference between a tool people trust and one they ignore.