Because doing so is computationally expensive and would be making false promises.
False positives where it incorrectly flagged a safe package would result in the need for a human review step, which is even more expensive.
False negatives where malware patterns didn't match anything previously would happen all the time, so if people learned to "trust" the scanning they would get caught out - at which point what value is the scanning adding?
I don't know if there are legal liability issues here too, but that would be worth digging into.
As it stands, there are already third parties that are running scans against packages uploaded to npm and PyPI and helping flag malware. Leaving this to third parties feels like a better option to me, personally.
> Leaving this to third parties feels like a better option to me, personally.

Seems too late to me. At this point the module/package has already been added to the ecosystem, and it could potentially be some time (months?) before it is flagged by a third party and removed.