r00tSid•5h ago
Another improvement I'm exploring is adding support for additional ecosystems like Go modules and Maven.
Supply chain attacks aren't limited to JavaScript ecosystems, so expanding PACO's coverage is something I'm actively working on.
r00tSid•8h ago
One interesting challenge while building PACO was avoiding false positives.
For example, some repositories use workspaces (like npm workspaces or monorepos) where dependencies may resolve locally instead of from public registries.
PACO currently checks the official registries (NPM, PyPI, RubyGems) and flags dependencies that appear unpublished or removed, but I'm still improving detection for monorepos and internal workspace dependencies.
If anyone has ideas or feedback on improving detection accuracy, I'd love to hear them.
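A sketch of the workspace-aware check discussed above, as an added example that is not PACO's code: packages matched by the root package.json `workspaces` globs, and deps declared with `workspace:`/`file:`/`link:` specs, are treated as local and never looked up, so only genuinely external names are checked against the registry. The registry lookup is an injected stub so the script runs offline, and the monorepo layout and package names are constructed.

```python
import fnmatch
import json
import tempfile
from pathlib import Path
from typing import Callable, List, Tuple


def collect_workspace_names(root: Path, root_pkg: dict) -> set:
    """Names of packages that resolve locally via npm 'workspaces' globs."""
    patterns = root_pkg.get("workspaces", [])
    if isinstance(patterns, dict):  # {"packages": [...]} form
        patterns = patterns.get("packages", [])
    names = set()
    for manifest in root.rglob("package.json"):
        if "node_modules" in manifest.parts:
            continue
        rel = manifest.parent.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, p.rstrip("/")) for p in patterns):
            names.add(json.loads(manifest.read_text()).get("name", ""))
    return names


def is_local_spec(spec: str) -> bool:
    """Version specs that never resolve from a public registry."""
    return spec.startswith(("workspace:", "file:", "link:"))


def triage(root: Path, exists_on_registry: Callable[[str], bool]) -> Tuple[List[str], List[str]]:
    """Return (local, unpublished); only non-local names are looked up."""
    root_pkg = json.loads((root / "package.json").read_text())
    local_names = collect_workspace_names(root, root_pkg)
    deps = {}
    for manifest in root.rglob("package.json"):
        if "node_modules" in manifest.parts:
            continue
        pkg = json.loads(manifest.read_text())
        for field in ("dependencies", "devDependencies"):
            deps.update(pkg.get(field, {}))
    local, unpublished = [], []
    for name, spec in sorted(deps.items()):
        if name in local_names or is_local_spec(spec):
            local.append(name)  # workspace member: no registry check, no false positive
        elif not exists_on_registry(name):
            unpublished.append(name)
    return local, unpublished


def demo() -> Tuple[List[str], List[str]]:
    """Constructed monorepo: @acme/core is declared by version yet still local."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({"name": "monorepo", "workspaces": ["packages/*"],
        "dependencies": {"@acme/ui": "workspace:*", "left-pad": "^1.3.0"}}))
    (root / "packages" / "ui").mkdir(parents=True)
    (root / "packages" / "ui" / "package.json").write_text(json.dumps({"name": "@acme/ui",
        "dependencies": {"@acme/core": "1.0.0", "ghost-pkg-xyz": "^2.0.0"}}))
    (root / "packages" / "core").mkdir()
    (root / "packages" / "core" / "package.json").write_text(json.dumps({"name": "@acme/core"}))
    return triage(root, lambda n: n in {"left-pad"})  # stub registry, not a network call
```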