Comment by kpcyrd

This is often overlooked, to the point I created a website focusing on "the code we actually put into our computers":

https://whatsrc.org/

It doesn't index all of npm, only if the package was reference by a Linux distribution somehow (e.g. package-lock.json in a tar file used in an Arch Linux PKGBUILD).