Closed
Labels: enhancement (New feature or request), flag (Issue/Task related to Node-secure flags)
Description
I think it could be cool to have a flag for Node.js native addons. I recently read an article by Marcin Hope where he uses a native addon to execute malicious code. I don't really know how to prevent this kind of malicious package except to start by identifying that they are native addons.
The article
https://blog.phylum.io/nodejs-npm-malicious-javascript-package/
One of the problems for implementation is knowing what to look for to identify them:
- a binding.gyp file
- files with extensions like .node, .c, etc.
- usage of packages like node-pre-gyp, node-gyp-build
It might also be nice to detect if this is an N-API addon, an old addon, etc.