Safety & review process

Read
before
you run.

d4not library is an index of links to external repositories. We don't host, serve, or own the code behind any entry. That means you are responsible for reviewing what you run. Here's everything we actually do to help you make that call — and where our responsibility ends.

Public beta. d4not library is currently one person (@d4not) with one indexed project. The trust levels, scanning pipeline, and reviewer program described below are the target — some are live, some are manual, and some don't exist yet. Each section flags its real state.

How trust levels work

✓ Reviewed

Human-reviewed

@d4not personally cloned the repository, read the source, checked the dependencies, and signed off. Reviewer handle and date appear on the project page. During beta, @d4not is the only reviewer — response is manual and slow.

◐ Automated scan

Dependency audit PHASE 2

Aspirational. When live, repos get run through npm audit / pip-audit / cargo audit equivalents automatically. Today this badge is not assigned to anything — the scanner isn't wired up yet. Everything currently sits in "Reviewed" or "Unverified."

! Unverified

Not yet reviewed

Default for every new submission. Treat it exactly like any public repo you found on the internet. Read the source before running anything.

Important: even a "Reviewed" badge means a human read the code at a point in time. Repos change. Authors can push commits after review. Always check the commit history and compare the reviewed date with the latest push date.

What we look for when reviewing

During beta, these checks are manual and done by @d4not personally. Automation lands in Phase 2.

Known CVEs in declared dependencies (npm, pip, cargo, maven, gem)
Hardcoded credentials or API keys in committed files
Obvious network callbacks to non-declared hosts
Obfuscated code that resists reading
Missing or fabricated licenses
Supply-chain red flags: dep names that typo-squat popular packages

What d4not library does not guarantee

That code is free from bugs, security issues or undisclosed backdoors
That the repo won't change after indexing
That the license declared in the repo is legally valid
That the code does what the description says
That running it won't break your environment

d4not library assumes no liability for any damage, data loss, security breach or legal issue arising from code you find through this index. We are curators, not guarantors.

How to report a bad entry

If you find malware, a backdoor, stolen code, or a license violation, email contact@d4notlibrary.com. During beta there's no SLA — response time depends on when @d4not sees the message. Confirmed bad actors are removed immediately and their submitter account is banned. A proper in-app report button + moderation queue lands in Phase 2.

How to help review

A formal reviewer program — with community volunteers, application flow, and shared responsibilities — is planned for Phase 2, once the index has enough projects to make reviewer effort worthwhile. For now, @d4not is the only reviewer. If you're keen to help before then, email contact@d4notlibrary.com and we'll figure something out case by case.

Still nervous?

Good. Healthy skepticism is the right default. Read the code. Check the commits. Run it in a sandbox first.

Browse reviewed projects only →

Readbeforeyou run.

How trust levels work

Human-reviewed

Dependency audit PHASE 2

Not yet reviewed

What we look for when reviewing

What d4not library does not guarantee

How to report a bad entry

How to help review

Read
before
you run.