Description
Describe the feature
While working on another search-related topic #1996 I've found that Algolia returns packages which are basically ads for downloading stolen e-books. It appears that npm has already marked these packages as malicious.
Example (marked as "Security holding package"):
https://npmx.dev/package/dowload_ebok_voir_grand_by_luc_poirier_bdn67
https://www.npmjs.com/package/dowload_ebok_voir_grand_by_luc_poirier_bdn67
https://registry.npmjs.org/dowload_ebok_voir_grand_by_luc_poirier_bdn67
Example similar but NOT marked as dangerous:
https://npmx.dev/package/dowload_ebok_bone_t01_by_jeff_smith_g9wli
https://www.npmjs.com/package/dowload_ebok_bone_t01_by_jeff_smith_g9wli
https://registry.npmjs.org/dowload_ebok_bone_t01_by_jeff_smith_g9wli
npm also filters out packages that look similar but are not yet marked as "security holding", whereas Algolia search still returns them.
Algolia result for "download_ebook":
https://npmx.dev/search?q=dowload_ebook
npm search result:
https://npmx.dev/search?q=download_ebook&p=npm
https://registry.npmjs.org/-/v1/search?text=download_ebook&size=10
npmjs.org:
https://www.npmjs.com/search?q=dowload_ebook
To discuss:
- add internal logic to detect malicious packages and mark them in the UI when entered by direct link (similar to e18e issues). Maybe this should be part of e18e
- add internal filtering of Algolia results to remove such packages
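One way the two points above could be implemented, as an added example and not code from npmx.dev or npm. It assumes the registry's observed convention for taken-down packages (a single version "0.0.1-security" with the description "security holding package"; this is not a documented API) and uses a name-pattern heuristic derived from the package names in this issue. The registry documents and search hits below are constructed sample data, not the real records for these packages.

```typescript
// Added example for this issue; not npmx.dev code.
// Assumption: npm replaces a taken-down package with a placeholder whose
// latest version is "0.0.1-security" and whose description reads
// "security holding package". This is an observed convention, not an API.

type VersionDoc = { version: string; description?: string };

interface RegistryDoc {
  name: string;
  description?: string;
  "dist-tags"?: Record<string, string>;
  versions?: Record<string, VersionDoc>;
}

// Minimal shape of an Algolia-style search hit; only these fields are used.
interface SearchHit {
  name: string;
  description?: string;
  version?: string;
}

type Verdict = "ok" | "security-holding" | "suspicious-name";

const SECURITY_HOLDING_VERSION = "0.0.1-security";
const SECURITY_HOLDING_DESCRIPTION = /^security holding package$/i;

// Assumed heuristic, built from the names quoted in this issue: a
// "dowload_ebok_..._by_..._<5 chars>" shape. A real deployment would keep
// such patterns in configuration and tune them against false positives.
const DEFAULT_SUSPICIOUS_NAME_PATTERNS: RegExp[] = [
  /^dow?n?load_ebo+k_.*_by_.*_[a-z0-9]{5}$/i,
];

// Direct-link case: decide from the registry document whether npm has
// replaced this package with its security holding placeholder.
function isSecurityHolding(doc: RegistryDoc): boolean {
  const latest = doc["dist-tags"]?.latest;
  if (latest === SECURITY_HOLDING_VERSION) return true;
  if (doc.description && SECURITY_HOLDING_DESCRIPTION.test(doc.description.trim())) return true;
  const latestDoc = latest ? doc.versions?.[latest] : undefined;
  return !!latestDoc?.description && SECURITY_HOLDING_DESCRIPTION.test(latestDoc.description.trim());
}

function matchesSuspiciousName(name: string, patterns = DEFAULT_SUSPICIOUS_NAME_PATTERNS): boolean {
  return patterns.some((p) => p.test(name));
}

// Search case: classify one hit. `registry` stands in for registry documents
// that a real implementation would fetch and cache per package name.
function classifyHit(
  hit: SearchHit,
  registry: ReadonlyMap<string, RegistryDoc>,
  patterns = DEFAULT_SUSPICIOUS_NAME_PATTERNS,
): Verdict {
  const doc = registry.get(hit.name);
  if (doc && isSecurityHolding(doc)) return "security-holding";
  // The hit itself may already carry the placeholder version.
  if (hit.version === SECURITY_HOLDING_VERSION) return "security-holding";
  if (matchesSuspiciousName(hit.name, patterns)) return "suspicious-name";
  return "ok";
}

// Filter a result list, keeping a record of what was dropped and why so the
// UI can show a badge instead of silently hiding a package.
function filterHits(
  hits: SearchHit[],
  registry: ReadonlyMap<string, RegistryDoc>,
  patterns = DEFAULT_SUSPICIOUS_NAME_PATTERNS,
): { kept: SearchHit[]; dropped: Array<{ name: string; verdict: Verdict }> } {
  const kept: SearchHit[] = [];
  const dropped: Array<{ name: string; verdict: Verdict }> = [];
  for (const hit of hits) {
    const verdict = classifyHit(hit, registry, patterns);
    if (verdict === "ok") kept.push(hit);
    else dropped.push({ name: hit.name, verdict });
  }
  return { kept, dropped };
}

// Constructed sample data (not the real registry records for these names).
const SAMPLE_REGISTRY: ReadonlyMap<string, RegistryDoc> = new Map<string, RegistryDoc>([
  ["dowload_ebok_voir_grand_by_luc_poirier_bdn67", {
    name: "dowload_ebok_voir_grand_by_luc_poirier_bdn67",
    description: "security holding package",
    "dist-tags": { latest: "0.0.1-security" },
    versions: { "0.0.1-security": { version: "0.0.1-security", description: "security holding package" } },
  }],
  ["dowload_ebok_bone_t01_by_jeff_smith_g9wli", {
    name: "dowload_ebok_bone_t01_by_jeff_smith_g9wli",
    description: "constructed: spam package not yet taken down",
    "dist-tags": { latest: "1.0.0" },
    versions: { "1.0.0": { version: "1.0.0" } },
  }],
  ["ebook-tools", {
    name: "ebook-tools",
    description: "constructed: a legitimate package",
    "dist-tags": { latest: "2.3.1" },
    versions: { "2.3.1": { version: "2.3.1" } },
  }],
]);

const SAMPLE_HITS: SearchHit[] = [
  { name: "dowload_ebok_voir_grand_by_luc_poirier_bdn67", version: "0.0.1-security" },
  { name: "dowload_ebok_bone_t01_by_jeff_smith_g9wli", version: "1.0.0" },
  { name: "ebook-tools", version: "2.3.1" },
];

console.log(JSON.stringify(filterHits(SAMPLE_HITS, SAMPLE_REGISTRY), null, 2));
```

The two signals are deliberately separate: `isSecurityHolding` is authoritative (npm already decided) and can drive a warning banner on a direct-link package page, while the name heuristic only explains why a search hit was hidden and should be easy to disable or tune, since it is the part that can produce false positives.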