Because doing so is computationally expensive and would be making false promises.
False positives where it incorrectly flagged a safe package would result in the need for a human review step, which is even more expensive.
False negatives where malware patterns didn't match anything previously would happen all the time, so if people learned to "trust" the scanning they would get caught out - at which point what value is the scanning adding?
I don't know if there are legal liability issues here too, but that would be worth digging into.
As it stands, there are already third parties that are running scans against packages uploaded to npm and PyPI and helping flag malware. Leaving this to third parties feels like a better option to me, personally.
> Leaving this to third parties feels like a better option to me, personally.
Seems too late to me. At this point the module/package was already added into the ecosystem; it could potentially be some time (months?) before it is flagged by a third party and removed.
Sure, but I'd guess PyPI could cut off much of the really bad stuff, such as malware, by AI (as everything is now called). Having a waiting list for false positives would not hurt anyone much. Yet, a foreseeable alternative is that PyPI and friends continue to be dump yards, but communities will build up whitelists.