[Rule] Suspicious packages #3

Open
iranreyes opened this issue Aug 22, 2019 · 0 comments · May be fixed by #12
iranreyes commented Aug 22, 2019

Idea

Create a rule that alerts if a package is suspicious based on configurable parameters

Rule Specifications

Name: suspicious-packages
Arguments:

  • downloads: Minimum amount of downloads per month in NPM
  • last-update: Last package update in months in NPM
  • maintainers: Minimum number of maintainers in NPM
  • open-issues: Minimum amount of open issues in GitHub
  • stars: Minimum amount of stars in GitHub
  • watchers: Minimum amount of watchers in GitHub
  • forks: Minimum amount of forks in GitHub
  • archived: Archived or not

Because a suspicious package may be the combination of many indicators, like:

  1. low downloads
  2. low downloads and last updated 9 months ago
  3. archived: yes

I think it is better to instead add different setups like:

    "suspicious-packages": [
      "error",
      {
        "base": { "archived": true },
        "indicators": [{ "forks": 3, "stars": 4 }, { "downloads": 10, "last-update": 6 }],
        "whitelist": []
      }
    ]

Implementation

Use the API of NPM, NPM.io, Libraries.io and GitHub

NPM.io:
https://api.npms.io/v2/package/adviser

NPM:

Libraries.io:
Good API; we can avoid some GitHub requests and have a fallback for rate limits. Heads up: it also has rate limits.
https://libraries.io/npm/adviser

GitHub:

Notes

  • Feel free to add more indicators to identify suspicious packages
  • GitHub has a rate limit when you are not logged in, so be ready to get an invalid response; you may also want to add an option in the config to provide a token and use it.
  • Create documentation for the rule within /docs/rules
  • Add metadata to the rule
  • Update the Plugin general README and add the new rule
  • Just scan dependencies (not devDependencies or dependencies of dependencies, etc)
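An added example (not adviser's own code) of how the rule could evaluate the config proposed above against collected package metadata. It assumes "base" flags a package on its own when all of its conditions hold, each "indicators" group flags only when all of its thresholds are breached, and a metric missing from the metadata (for example GitHub fields lost to the rate limit mentioned in the notes) makes a group undecidable rather than a hit.

```javascript
// Added example, not part of adviser. Metric names follow the issue's argument list;
// "downloads", "maintainers", "open-issues", "stars", "watchers" and "forks" are minimums
// (breached when the package is below them), "last-update" is months since the last
// publish (breached when at or above), "archived" is breached when it equals the config.
const MIN_METRICS = new Set(['downloads', 'maintainers', 'open-issues', 'stars', 'watchers', 'forks']);

// true = condition breached, false = not breached, null = metric absent (e.g. rate-limited API)
function breached(key, threshold, meta) {
  const value = meta[key];
  if (value === undefined || value === null) return null;
  if (key === 'archived') return value === threshold;
  if (key === 'last-update') return value >= threshold;
  if (MIN_METRICS.has(key)) return value < threshold;
  throw new Error(`unknown indicator: ${key}`);
}

// A group matches only when every condition is breached; a missing metric makes the
// whole group undecidable (null) unless another condition already rules it out.
function groupMatches(group, meta) {
  let result = true;
  for (const [key, threshold] of Object.entries(group)) {
    const r = breached(key, threshold, meta);
    if (r === false) return false;
    if (r === null) result = null;
  }
  return result;
}

// options is the rule config object: { base, indicators, whitelist }.
// Returns which groups fired and which could not be decided, so a missing
// GitHub response is reported instead of silently passing the package.
function checkPackage(name, meta, options) {
  const { base = {}, indicators = [], whitelist = [] } = options;
  if (whitelist.includes(name)) return { suspicious: false, reasons: [], undecidable: [] };
  const reasons = [];
  const undecidable = [];
  const groups = [['base', base], ...indicators.map((g, i) => [`indicator[${i}]`, g])];
  for (const [label, group] of groups) {
    if (Object.keys(group).length === 0) continue;
    const r = groupMatches(group, meta);
    if (r === true) reasons.push(label);
    else if (r === null) undecidable.push(label);
  }
  return { suspicious: reasons.length > 0, reasons, undecidable };
}
```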
@iranreyes iranreyes assigned iranreyes and unassigned iranreyes Aug 22, 2019
@tyrellbain tyrellbain self-assigned this Feb 4, 2020
@tyrellbain tyrellbain linked a pull request Oct 29, 2020 that will close this issue