npm maintains a list of vulnerabilities found in JavaScript packages. Among other things, this list feeds npm audit.
One idea that might make the JS community discover and realize the benefits of SES could be to announce something along the lines of: "Run `node -r esm code.js` instead of `node code.js`, and 40% of known npm vulnerabilities go away out of the box."
“40%” is obviously completely random at this stage. It’s my best guess for now.
To move from a guess to something reasonably significant, it would take:
- take a random sample of known vulnerabilities
- reproduce the vulnerability
- figure out whether it goes away with SES out of the box (or with how much additional work)
- report back the finding
- accumulate results
The bigger the random sample, the more accurate the number.