Vouch: A multi-ecosystem distributed package review system.


Vouch is a package review tool. It leverages user-generated micro-reviews to evaluate software dependencies. A review can comment on a single line of code or on a whole package. A VSCode extension simplifies the review process. Many small micro-reviews might be translatable across package versions.

Inspired by projects such as cargo-crev, Vouch was created to address problems such as NPM module hijacks (see the Hacker News thread "Alert: NPM modules hijacked").

Vouch has built-in support (for now) for reviewing Python (pypi) and JavaScript (NPM) packages. However, its extension system is open-ended: anyone can write their own standalone extension to support any ecosystem.

I've tried to make extension development as simple as possible. All that's required is a bin entry point such as:

use vouch_lib::extension::FromLib;
use vouch_py_lib;

fn main() {
    // Instantiate the ecosystem-specific extension (here, the Python/pypi one).
    let mut extension = vouch_py_lib::PyExtension::new();
    // Hand it to the shared command runner, which dispatches commands through the Extension trait.
    vouch_lib::extension::commands::run(&mut extension).unwrap();
}

and an implementation of the vouch_lib::extension::Extension trait (currently 4 functions).
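To make the entry-point-plus-trait design concrete, here is an added, self-contained stand-in for that pattern. It is example code, not vouch_lib's or vouch_py_lib's source: the `Extension` trait, its four methods, `PackageInfo`, `PyExtension` and the `run` dispatcher are all hypothetical names chosen for illustration, and the "registry" is a constructed in-memory index so nothing touches the network. What it shows is the part that matters for the architecture: the runner knows nothing about any ecosystem and only talks to the plugin through the trait, so adding an ecosystem means implementing the trait, not changing the runner.

```rust
// Added example (not vouch_lib's code): a stand-in for the trait-plus-runner
// extension pattern. Every name here (Extension, PackageInfo, PyExtension, run)
// is hypothetical.
use std::collections::BTreeMap;

/// Metadata an extension returns for one package at one exact version.
#[derive(Debug, Clone, PartialEq)]
pub struct PackageInfo {
    pub name: String,
    pub version: String,
    pub registry_url: String,
}

/// Contract an ecosystem plugin must satisfy (hypothetical; not the real vouch_lib trait).
pub trait Extension {
    /// Short ecosystem identifier, e.g. "py".
    fn name(&self) -> &str;
    /// Registry hosts this extension resolves packages against.
    fn registries(&self) -> Vec<String>;
    /// Resolve one package pinned to an exact version.
    fn identify_package(&self, name: &str, version: &str) -> Option<PackageInfo>;
    /// Extract (name, version) pins from an ecosystem-specific manifest.
    fn identify_dependencies(&self, manifest: &str) -> Vec<(String, String)>;
}

/// Python extension backed by a constructed in-memory index (stands in for a pypi lookup).
pub struct PyExtension {
    index: BTreeMap<(String, String), String>,
}

impl PyExtension {
    pub fn new() -> Self {
        let mut index = BTreeMap::new();
        // Constructed sample entries; not real pypi data.
        index.insert(("requests".to_string(), "2.31.0".to_string()),
                     "https://pypi.example/requests/2.31.0".to_string());
        index.insert(("flask".to_string(), "3.0.0".to_string()),
                     "https://pypi.example/flask/3.0.0".to_string());
        PyExtension { index }
    }
}

impl Extension for PyExtension {
    fn name(&self) -> &str { "py" }
    fn registries(&self) -> Vec<String> { vec!["pypi.example".to_string()] }
    fn identify_package(&self, name: &str, version: &str) -> Option<PackageInfo> {
        self.index
            .get(&(name.to_string(), version.to_string()))
            .map(|url| PackageInfo {
                name: name.to_string(),
                version: version.to_string(),
                registry_url: url.clone(),
            })
    }
    fn identify_dependencies(&self, manifest: &str) -> Vec<(String, String)> {
        // requirements.txt-style "name==version" lines. Comments and blank lines are
        // skipped; unpinned specifiers (">=") are ignored because a review must be
        // attached to one exact version.
        manifest
            .lines()
            .map(str::trim)
            .filter(|l| !l.is_empty() && !l.starts_with('#'))
            .filter_map(|l| l.split_once("==")
                .map(|(n, v)| (n.trim().to_lowercase(), v.trim().to_string())))
            .collect()
    }
}

/// Generic command runner, the part a bin entry point delegates to. It is
/// ecosystem-agnostic: every piece of information comes through the trait.
pub fn run(ext: &mut dyn Extension, args: &[&str]) -> Result<String, String> {
    match args {
        ["name"] => Ok(ext.name().to_string()),
        ["registries"] => Ok(ext.registries().join(",")),
        ["package", name, version] => ext
            .identify_package(name, version)
            .map(|p| format!("{}=={} @ {}", p.name, p.version, p.registry_url))
            .ok_or_else(|| format!("unknown package {}=={}", name, version)),
        ["deps", manifest] => Ok(ext
            .identify_dependencies(manifest)
            .into_iter()
            .map(|(n, v)| format!("{}=={}", n, v))
            .collect::<Vec<_>>()
            .join("\n")),
        _ => Err(format!("unknown command {:?}", args)),
    }
}

/// Constructed manifest used by main() below.
pub const SAMPLE_MANIFEST: &str =
    "# constructed requirements.txt\nrequests==2.31.0\nFlask==3.0.0\nnumpy>=1.26\n";

fn main() {
    // Mirrors the post's entry point: build the extension, hand it to the shared runner.
    let mut ext = PyExtension::new();
    for cmd in [vec!["name"], vec!["registries"],
                vec!["package", "flask", "3.0.0"], vec!["deps", SAMPLE_MANIFEST]] {
        println!("{:?} -> {:?}", cmd, run(&mut ext, &cmd));
    }
}
```

The runner returning `Result` rather than panicking on an unknown package or command is deliberate: an extension is untrusted input-handling code sitting between a registry and the reviewer, so failures should surface as errors the caller can report, not as crashes.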

I would be happy to hear any feedback or to receive any help with beta testing. I hope the community finds this tool useful.

Thanks for your time.

