Tools to ensure a third-party npm package library has unit-testing

Let’s keep this question focused on the tools/services that ensure third-party JavaScript/TypeScript code is tested and can be run for all packages in a monorepo or flat repo at scale (for up to 100k packages).

Generic health requirements

  • has tests and code coverage

  • tests / coverage is passing for that release.

  • has static types and uses strict mode (TypeScript)

  • issues: number and frequency

  • deprecation / archive status

  • security risks (from internal dependencies and base code)

  • age of files

  • ESM support

  • contributors/maintainers (the more the better)

  • stars (GitHub)

Why ask about this?

At scale, with thousands (to millions) of packages, it becomes increasingly time consuming to track down deprecated and untested / unmaintained code as a repo ages.

Add on the complexity of multiple projects and it quickly consumes an entire day/week/month for an upgrade, looking through things on a surface level and then diving deeper.

Ideally it would be great to identify problematic / untested packages in usage and then flag the package and let the user know that they need to manually add testing for that node module (and contribute it) or consider an alternative.

The ideal solution would do the following (and maybe nothing does this yet):

  • tracks down a package from the host repo URL and reports the code testing coverage, likely attempting to grab it from a testing badge and, as a fallback, building it… and possibly running the suites (very expensive and error prone).
  • code smell on how tests are written.
  • reports
    • coverage and test badging
    • package age
    • repo archive status
    • last publish date
    • known security issues.
  • generates a possible solution
  • scales and runs for all packages brought in within node_modules
  • allows for splitting production vs. development dependencies in the analysis.
  • provides suggestions and potential alternatives to archived/deprecated/insecure packages
  • has a way to report this health easily to the associated git-hosted repo (GitHub at minimum)
  • running the same check twice should return similar results (if this is generative AI this probably will not meet expectations)

I have looked at

  • Dependabot – it does not look for tests, nor does it have a way to run or scrape testing results from badges on a GitHub README.