NodeSecure/scanner

⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!

# Nodesecure Scanner

⚡️ Run a static analysis of your module's dependencies.

Requirements

Getting Started

This package is published to the npm registry and can be installed with npm or yarn.

$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner

Usage example

import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// Scan each package in parallel. from() resolves the dependency tree
// against the registry, so this step needs network access.
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Persist one JSON report per package (e.g. mocha.json).
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
// allSettled waits for every write, including failed ones; inspect the
// returned statuses if a missing report must not go unnoticed.
await Promise.allSettled(promises);

API

See types/api.d.ts for a complete TypeScript definition.

function cwd(
  location: string,
  options?: Scanner.Options
): Promise<Scanner.Payload>;
function from(
  packageName: string,
  options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;
function verify(
  packageName?: string | null
): Promise<tarball.ScannedPackageResult>;

Options is described by the following TypeScript interface:

interface Options {
  /**
   * Maximum tree depth
   *
   * @default Infinity
   */
  readonly maxDepth?: number;

  readonly registry?: string | URL;

  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is only meaningful when `packageLock` is set.
     *
     * @default false
     */
    fetchManifest?: boolean;

    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };

  highlight?: {
    contacts: Contact[];
  };

  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;

  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;

  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true  for cwd()  API
   */
  readonly scanRootNode?: boolean;
}
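As an added example (not code from the NodeSecure project), the following shows how the options above combine in a `cwd()` call and how the resulting payload can be turned into a pass/fail decision for CI. It assumes the payload layout from types/api.d.ts (dependencies keyed by name, each with a `versions` map whose entries carry `warnings` objects with a `kind` and a `flags` string array); the warning kinds and flag names in the policy, the assumption that `packageLock.location` accepts the project directory, and the constructed sample payload are illustrative assumptions, not values taken from this page.

```javascript
// Added example, not part of @nodesecure/scanner. The payload layout below
// (dependencies -> versions -> { warnings: [{ kind, file }], flags: [] }) is
// assumed from types/api.d.ts; warning kinds and flag names are illustrative.

const kDefaultPolicy = {
  // SAST warning kinds treated as build-breaking (assumed names)
  blockingKinds: new Set(["obfuscated-code", "unsafe-command", "shady-link"]),
  // dependency flags that only call for a manual review (assumed names)
  reviewFlags: new Set(["hasExternalCapacity", "hasMinifiedCode", "isDeprecated"])
};

// Walk every dependency@version in a scanner payload and split findings into
// blocking warnings and review-worthy flags. Pure: works on a saved JSON report.
function triage(payload, policy = kDefaultPolicy) {
  const blocking = [];
  const review = [];

  for (const [name, dependency] of Object.entries(payload.dependencies ?? {})) {
    for (const [version, descriptor] of Object.entries(dependency.versions ?? {})) {
      const spec = `${name}@${version}`;

      for (const warning of descriptor.warnings ?? []) {
        if (policy.blockingKinds.has(warning.kind)) {
          blocking.push({ spec, kind: warning.kind, file: warning.file ?? null });
        }
      }

      const flags = (descriptor.flags ?? []).filter((flag) => policy.reviewFlags.has(flag));
      if (flags.length > 0) {
        review.push({ spec, flags });
      }
    }
  }

  // Deterministic ordering keeps reports diff-friendly between CI runs.
  blocking.sort((a, b) => a.spec.localeCompare(b.spec));
  review.sort((a, b) => a.spec.localeCompare(b.spec));

  return { ok: blocking.length === 0, blocking, review };
}

// Run the scan with explicit options and triage the result. Needs network
// access and an installed @nodesecure/scanner, hence the dynamic import.
async function scanAndTriage(location = process.cwd(), policy = kDefaultPolicy) {
  const scanner = await import("@nodesecure/scanner");

  const payload = await scanner.cwd(location, {
    // Reuse the lockfile through Arborist instead of re-resolving with pacote
    // (assumed: location may be the project directory).
    packageLock: { location, fetchManifest: false },
    includeDevDeps: false,
    maxDepth: 4,
    // One of the strategy names listed in the Options interface above.
    vulnerabilityStrategy: "npm"
  });

  return triage(payload, policy);
}

// Constructed sample payload (not real scan output) exercising both branches.
const kConstructedPayload = {
  id: "sample",
  rootDependencyName: "example-app",
  dependencies: {
    "left-pad": {
      versions: { "1.3.0": { warnings: [], flags: ["hasMinifiedCode"] } }
    },
    "shady-pkg": {
      versions: {
        "0.0.1": {
          warnings: [
            { kind: "obfuscated-code", file: "index.js" },
            { kind: "unsafe-regex", file: "lib/match.js" }
          ],
          flags: ["hasExternalCapacity", "hasWarnings"]
        }
      }
    },
    "plain": { versions: { "2.0.0": { warnings: [], flags: [] } } }
  }
};
```

`scanAndTriage()` is the online path; `triage()` is pure and can be pointed at a saved report such as the mocha.json written by the usage example above, which makes it easy to tune the policy without re-scanning.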

Additional APIs are available at:

Workspaces

Click on one of the links to access the documentation of the workspace:

| name | package and link |
| --- | --- |
| tarball | @nodesecure/tarball |
| tree-walker | @nodesecure/tree-walker |
| mama | @nodesecure/mama |
| contact | @nodesecure/contact |
| conformance | @nodesecure/conformance |
| npm-types | @nodesecure/npm-types |
| i18n | @nodesecure/i18n |
| rc | @nodesecure/rc |

Contributors ✨

Thanks goes to these wonderful people (emoji key):

- Gentilhomme: 💻 📖 👀 🛡️ 🐛
- Tony Gorez: 💻 📖 👀 🐛
- Haze: 💻
- Maksim Balabash: 💻
- Antoine Coulon: 💻 🛡️
- Nicolas Hallaert: 💻
- Yefis: 💻
- Franck Hallaert: 💻
- Ange TEKEU: 💻
- Vincent Dhennin: 💻
- Kouadio Fabrice Nguessan: 🚧
- PierreDemailly: 💻 👀 🐛 ⚠️
- Kishore: 💻

License

MIT