Microsoft have been making their code analysis tools available in GitHub post-aquisition; doing the same for npm could really help improve the risks JS programmers face when pulling in libraries from npm.