⚡️ Run a static analysis of your module's dependencies.
- Node.js version 18 or higher
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scannerimport * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";
// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
const payloads = await Promise.all(
kPackagesToAnalyze.map((name) => scanner.from(name))
);
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
const data = JSON.stringify(payloads[i], null, 2);
promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
await Promise.allSettled(promises);See types/api.d.ts for a complete TypeScript definition.
function cwd(
location: string,
options?: Scanner.Options
): Promise<Scanner.Payload>;
function from(
packageName: string,
options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;
function verify(
packageName?: string | null
): Promise<tarball.ScannedPackageResult>;Options is described with the following TypeScript interface:
interface Options {
/**
* Maximum tree depth
*
* @default Infinity
*/
readonly maxDepth?: number;
readonly registry?: string | URL;
/**
* Enables the use of Arborist for rapidly walking over the dependency tree.
* When enabled, it triggers different methods based on the presence of `node_modules`:
* - `loadActual()` if `node_modules` is available.
* - `loadVirtual()` otherwise.
*
* When disabled, it will iterate on all dependencies by using pacote
*/
packageLock?: {
/**
* Fetches all manifests for additional metadata.
* This option is useful only when `usePackageLock` is enabled.
*
* @default false
*/
fetchManifest?: boolean;
/**
* Specifies the location of the manifest file for Arborist.
* This is typically the path to the `package.json` file.
*/
location: string;
};
highlight?: {
contacts: Contact[];
};
/**
* Include project devDependencies (only available for cwd command)
*
* @default false
*/
readonly includeDevDeps?: boolean;
/**
* Vulnerability strategy name (npm, snyk, node)
*
* @default NONE
*/
readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;
/**
* Analyze root package.
*
* @default false for from() API
* @default true for cwd() API
*/
readonly scanRootNode?: boolean;
}Click on one of the links to access the documentation of the workspace:
| name | package and link |
|---|---|
| tarball | @nodesecure/tarball |
| tree-walker | @nodesecure/tree-walker |
| mama | @nodesecure/mama |
| contact | @nodesecure/contact |
| conformance | @nodesecure/conformance |
| npm-types | @nodesecure/npm-types |
| i18n | @nodesecure/i18n |
| rc | @nodesecure/rc |
Thanks goes to these wonderful people (emoji key):
MIT
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
![@allcontributors[bot]](https://avatars.githubusercontent.com/in/23186?s=64&v=4){kind=small}
