
🕵️♂️ Dependencies Should Not Be Silent: Inspect What Your npm Packages Actually Do
Every time you run `npm install some-package`, you are executing someone else's code on your machine. But here's the uncomfortable truth: do you really know what that code is doing? Most people don't.

🚀 From User to Producer: How I Realized the Risk

Before I first started building npm packages, I was just a user like everyone else: install a package, trust that it works, move on.

But when you switch from user to producer, everything changes. You see how packages execute, which scripts run automatically, and the sheer power even a tiny package can hold.

Then I read about an npm supply-chain attack that happened some time back. A single compromised package could affect millions of machines.

💡 That's when I thought: "Even a small package can impact huge systems. What if we could see what it does before we install it?"

That thought sparked npm-telemetry.

⚠️ The Problem With Blind Trust

npm packages can:

🌐 Make network requests
📁 Access the file system
🔐 Read environment variables
⚙️ Spawn child
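To make the "see what it does before you install it" idea concrete, here is an added example of a minimal pre-install inspection (my own illustration, not the npm-telemetry tool's code). It flags the lifecycle scripts npm runs automatically and the modules that grant the capabilities listed above; the package.json and source snippets are constructed inline so it runs offline.

```javascript
// Added example: static pre-install inspection of an npm package.
// Not the npm-telemetry tool's own code; inputs below are constructed samples.

// Scripts npm runs during `npm install` without the installer asking for them.
const AUTO_RUN_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Core modules that grant a capability worth knowing about before install.
const CAPABILITIES = {
  child_process: 'spawn child processes',
  fs: 'access the file system',
  http: 'make network requests',
  https: 'make network requests',
  net: 'make network requests',
  dns: 'make network requests',
};

// Matches require('x'), require("node:x") and `import ... from 'x'`.
const MODULE_RE = /(?:require\s*\(\s*|from\s+)['"](?:node:)?([a-z_/]+)['"]/g;

function inspectPackage(packageJson, sources) {
  const scripts = JSON.parse(packageJson).scripts || {};
  const report = { lifecycleScripts: {}, capabilities: new Set(), readsEnv: false };

  // 1. Which scripts will run on their own the moment the package is installed?
  for (const name of AUTO_RUN_SCRIPTS) {
    if (scripts[name]) report.lifecycleScripts[name] = scripts[name];
  }
  // 2. Which capability-granting modules does the shipped JavaScript pull in?
  for (const code of Object.values(sources)) {
    for (const m of code.matchAll(MODULE_RE)) {
      const cap = CAPABILITIES[m[1].split('/')[0]]; // 'fs/promises' -> 'fs'
      if (cap) report.capabilities.add(cap);
    }
    if (/process\.env\b/.test(code)) report.readsEnv = true; // reads environment variables
  }
  report.capabilities = [...report.capabilities].sort();
  return report;
}

// Constructed sample package: a postinstall hook plus a setup script that
// spawns processes, talks to the network and reads a token from the environment.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node setup.js', test: 'jest' },
});
const SAMPLE_SOURCES = {
  'setup.js': "const { execSync } = require('child_process');\n" +
              "const https = require('node:https');\nconst token = process.env.NPM_TOKEN;\n",
  'index.js': "import { readFileSync } from 'fs';\nexport const read = (p) => readFileSync(p, 'utf8');\n",
};

console.log(JSON.stringify(inspectPackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), null, 2));
```

Only the auto-run hooks are reported (the `test` script is ignored), so the output is the short answer to "what happens when I install this?" rather than a full audit.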




