Comment by dns_snek

2 months ago

There's no point in reading the code in the Git repository or its commit history because that's not the code that you're actually executing. You have to read what's in your node_modules, everything else is irrelevant.

This is often overlooked, to the point I created a website focusing on "the code we actually put into our computers":

https://whatsrc.org/

It doesn't index all of npm, only if the package was referenced by a Linux distribution somehow (e.g. package-lock.json in a tar file used in an Arch Linux PKGBUILD).
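The point above, that the artifact installed into node_modules is what runs and may differ from the repository, can be checked mechanically. The script below is an added example, not code from the comment author or from whatsrc.org: it hashes every file in an installed package directory and in a source checkout and reports files that exist only in the installed copy, only in the checkout, or whose contents differ. The package name `example-pkg`, the directory layout and the file contents are constructed for the demo; in real use, point it at `node_modules/<pkg>` and at a checkout of the tag that claims to correspond to the published version.

```python
"""Compare an installed npm package directory against a source checkout.

Added example (not from the original page). The "installed" and "checkout"
trees built in build_demo() are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(installed: Path, checkout: Path) -> dict[str, list[str]]:
    """Report how the installed artifact diverges from the source checkout.

    Files only in the installed tree are the interesting ones from a review
    standpoint: they were never visible in the repository history at all.
    Files only in the checkout (docs, tests, CI config) are usually excluded
    from the published tarball on purpose. Content differences may be a build
    step (transpilation, minification) or something added at publish time.
    """
    inst = file_digests(installed)
    src = file_digests(checkout)
    return {
        "only_in_installed": sorted(set(inst) - set(src)),
        "only_in_checkout": sorted(set(src) - set(inst)),
        "content_differs": sorted(p for p in inst.keys() & src.keys() if inst[p] != src[p]),
    }


def build_demo() -> dict[str, list[str]]:
    """Constructed example: a checkout and an installed copy that diverges from it."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout = Path(tmp) / "repo"                       # hypothetical git checkout
        installed = Path(tmp) / "node_modules" / "example-pkg"  # hypothetical installed copy
        (checkout / "lib").mkdir(parents=True)
        (installed / "lib").mkdir(parents=True)

        # Identical in both trees.
        manifest = '{"name":"example-pkg","version":"1.0.0"}\n'
        (checkout / "package.json").write_text(manifest)
        (installed / "package.json").write_text(manifest)

        # Same file, but the installed copy pulls in an extra module.
        (checkout / "lib" / "index.js").write_text("module.exports = () => 42;\n")
        (installed / "lib" / "index.js").write_text(
            "module.exports = () => 42;\nrequire('./extra');\n"
        )

        # Present only in the installed artifact, never committed to the repo.
        (installed / "lib" / "extra.js").write_text("/* not present in the repository */\n")

        # Present only in the checkout (typically left out of the tarball).
        (checkout / "README.md").write_text("# example-pkg\n")

        return compare_trees(installed, checkout)


if __name__ == "__main__":
    for category, files in build_demo().items():
        print(f"{category}: {files}")
```

On the constructed trees this reports `lib/extra.js` as only in the installed copy, `README.md` as only in the checkout, and `lib/index.js` as differing. A clean result does not prove the package is benign, and a noisy one is expected for packages with a build step; the value is that review effort goes to the bytes that actually execute rather than to the repository view of them.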