Since this installed a malicious dependency from NPM (and later with bunjs) in the pre install script, it would need at least complex correlation to catch. Maybe building and installing all AUR packages, which would cost far too much for the Arch team.
Individually and automatically scanning only the PKGBUILDs (the stuff actually on the AUR) would likely not have caught this.
That doesn’t mean it’s a bad idea to run a basic scan over every change, but it wouldn’t magically “fix” aur malware.
Since this installed a malicious dependency from NPM (and later with bunjs) in the pre install script, it would need at least complex correlation to catch. Maybe building and installing all AUR packages, which would cost far too much for the Arch team.
Individually and automatically scanning only the PKGBUILDs (the stuff actually on the AUR) would likely not have caught this.
That doesn’t mean it’s a bad idea to run a basic scan over every change, but it wouldn’t magically “fix” aur malware.
It’s enough to build a pattern match and scan against it being elsewhere. Surely they did at least much to find all these packages with malware.