--verify to validate package.json against the blacklist #535
Comments
Oh, I could definitely use this! @contra @sindresorhus are you guys actively working on this one? If not I could help a bit. I guess the black-list (https://github.com/gulpjs/plugins/blob/master/src/blackList.json) should be published to a separate npm package (and moved to a separate repo), so as to make it usable both from the web site and the CLI.
I think baking the blackList into the cli would be a mistake as you'd only get the blackList as of the last time you updated gulp. I'd prefer it did a web request to grab the blacklist as the results would be fresher.
@robrich I was more thinking of having the black-list as a separate npm module which gulp could depend on as a peer-dependency with * or something permissive like this. But yeah, with this you would get the black-list from the last time of running Shooting a request is another option, whatever you guys prefer. But yeah, it would be cool to have some kind of more automated verification system; as of today I'm checking the black-list "by hand" and instead of scripting this I would prefer to contribute here.
this would be easy to implement, but i think we should add a mechanism for keeping the blacklist up to date where we don't need to bump package versions. maybe just a request for the file when it is run.
@phated @robrich I'm totally fine with shooting an HTTP request when gulp is run with the --verify option. Can we assume that the http://gulpjs.com/plugins/blackList.json URL will be accessible / not-changed and that we can use it for the purpose of the --verify option? Or should we have another, dedicated URL?
@pkozlowski-opensource I think that should be a fine url to use, if the location of the actual file changes, we can just redirect it from there.
It would be handy to check the blacklist status directly without adding things to package.json:
@phated Think you can work this into the new CLI module?
This was already added in 4 by @pkozlowski-opensource and then I cleaned it up a bit.
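The check discussed in this thread, as an added example that is not gulp's own code and not written by any participant: it assumes blackList.json is a JSON object mapping plugin names to reason strings, and the function names and sample data are hypothetical. The download step is left out so the block runs offline; the downloaded body is treated as untrusted input and validated before use.

```javascript
// Dependency sections of package.json that can pull in a gulp plugin.
const SECTIONS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Parse a downloaded blacklist body. It is untrusted network input, so accept
// only a JSON object whose values are strings (assumed shape: { name: reason }).
function parseBlacklist(body) {
  const data = JSON.parse(body);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('blacklist must be a JSON object');
  }
  const list = new Map();
  for (const [name, reason] of Object.entries(data)) {
    if (typeof reason !== 'string') {
      throw new TypeError('blacklist reason for ' + name + ' is not a string');
    }
    list.set(name, reason);
  }
  return list;
}

// Return [{ name, section, reason }] for every blacklisted dependency.
function verify(pkg, blacklist) {
  const hits = [];
  for (const section of SECTIONS) {
    const deps = pkg[section];
    if (deps === null || typeof deps !== 'object') continue;
    for (const name of Object.keys(deps)) {
      // Map lookup: a name such as "constructor" cannot match an inherited property.
      if (blacklist.has(name)) {
        hits.push({ name, section, reason: blacklist.get(name) });
      }
    }
  }
  return hits;
}

// Constructed sample data, not the real blackList.json contents.
const sampleBlacklist = '{"gulp-example-bad": "duplicate of gulp-example-good"}';
const samplePackage = {
  dependencies: { 'constructor': '1.0.0', 'gulp-util': '^3.0.0' },
  devDependencies: { 'gulp-example-bad': '~0.1.0' }
};

function demo() {
  return verify(samplePackage, parseBlacklist(sampleBlacklist));
}

console.log(demo());
```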