GitHub - NodeSecure/scanner: ⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
⚡️ Run a static analysis of your module's dependencies.
Requirements
- Node.js version 20 or higher
Getting Started
This package is published on the npm registry and can be installed with npm or yarn.
$ npm i @nodesecure/scanner
or
$ yarn add @nodesecure/scanner
Usage example
```js
import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// Scan the three packages from the registry in parallel.
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Write one <package>.json report per analyzed package.
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}

await Promise.allSettled(promises);
```
API
See types/api.d.ts for a complete TypeScript definition.

```ts
function cwd(
  location: string,
  options?: Scanner.Options
): Promise<Scanner.Payload>;

function from(
  packageName: string,
  options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;

function verify(
  packageName?: string | null
): Promise<tarball.ScannedPackageResult>;
```

`Options` is described with the following TypeScript interface:
```ts
interface Options {
  /**
   * Maximum tree depth
   * @default Infinity
   */
  readonly maxDepth?: number;

  readonly registry?: string | URL;

  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * loadActual() if `node_modules` is available, loadVirtual() otherwise.
   * When disabled, it will iterate on all dependencies by using pacote.
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is useful only when `packageLock` is enabled.
     * @default false
     */
    fetchManifest?: boolean;

    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };

  highlight?: {
    contacts: Contact[];
  };

  /**
   * Include project devDependencies (only available for cwd command)
   * @default false
   */
  readonly includeDevDeps?: boolean;

  /**
   * Vulnerability strategy name (npm, snyk, node)
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;

  /**
   * Analyze root package.
   * @default false for from() API
   * @default true for cwd() API
   */
  readonly scanRootNode?: boolean;
}
```
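The API and `Options` above are enough to build a CI gate: scan the checked-out project with `cwd()`, keep the full payload as a build artifact, and fail the job on blocking static-analysis warnings or on advisories above a chosen severity. The script below is an added example written for this page, not code from the NodeSecure project. It assumes a payload shape that this page does not show (`payload.dependencies[name].vulnerabilities` as an array of `{ severity }` and `payload.dependencies[name].versions[version].warnings` as an array of `{ kind, file }`; check `types/api.d.ts` before relying on it), and the warning kind names and severity labels it uses are assumptions as well. The sample payload inside it is constructed so the gate logic can be exercised without a network.

```javascript
// Added example, not part of @nodesecure/scanner: a CI gate built on scanner.cwd().
// ASSUMED payload shape (verify against types/api.d.ts in the repository):
//   payload.dependencies[name].vulnerabilities          -> Array<{ severity: string }>
//   payload.dependencies[name].versions[ver].warnings   -> Array<{ kind: string, file?: string }>

// Static-analysis warning kinds that block a build (assumed, illustrative names).
const kBlockingWarnings = new Set(["unsafe-regex", "obfuscated-code", "shady-link"]);

// Severity ordering used by the gate; "moderate" (npm) and "medium" are treated alike.
const kSeverityRank = { info: 0, low: 1, moderate: 2, medium: 2, high: 3, critical: 4 };

// Constructed sample payload (not real scanner output) so the gate can run offline.
const kConstructedPayload = {
  dependencies: {
    "left-pad": {
      vulnerabilities: [{ severity: "moderate" }],
      versions: { "1.3.0": { warnings: [{ kind: "unsafe-regex", file: "index.js" }] } },
    },
    "is-wsl": { vulnerabilities: [], versions: { "2.2.0": { warnings: [] } } },
  },
};

// Walk a Payload and collect only what the gate needs, as a plain serializable object.
function summarizePayload(payload, blockingWarnings = kBlockingWarnings) {
  const summary = { packages: 0, vulnerabilities: { total: 0, bySeverity: {} }, blocking: [] };
  for (const [name, dependency] of Object.entries(payload.dependencies ?? {})) {
    summary.packages += 1;
    for (const vuln of dependency.vulnerabilities ?? []) {
      const severity = String(vuln.severity ?? "unknown").toLowerCase();
      summary.vulnerabilities.total += 1;
      summary.vulnerabilities.bySeverity[severity] = (summary.vulnerabilities.bySeverity[severity] ?? 0) + 1;
    }
    for (const [version, details] of Object.entries(dependency.versions ?? {})) {
      for (const warning of details.warnings ?? []) {
        if (blockingWarnings.has(warning.kind)) {
          summary.blocking.push({ spec: `${name}@${version}`, kind: warning.kind, file: warning.file ?? null });
        }
      }
    }
  }
  return summary;
}

// Policy: any blocking warning, or any vulnerability at or above minSeverity, fails the gate.
function evaluateGate(summary, { minSeverity = "high" } = {}) {
  const threshold = kSeverityRank[minSeverity] ?? kSeverityRank.high;
  const reasons = summary.blocking.map((b) => `${b.spec}: ${b.kind}${b.file ? ` (${b.file})` : ""}`);
  for (const [severity, count] of Object.entries(summary.vulnerabilities.bySeverity)) {
    if ((kSeverityRank[severity] ?? 0) >= threshold) {
      reasons.push(`${count} ${severity} vulnerabilit${count === 1 ? "y" : "ies"}`);
    }
  }
  return { pass: reasons.length === 0, reasons };
}

// Run the real scanner on a project directory and apply the gate. The options are the ones
// from the Options interface: devDependencies are scanned too (CI tooling is an attack
// surface), and the npm advisory strategy is enabled so `vulnerabilities` gets populated.
async function scanAndGate(location, { minSeverity = "high", report = "nsecure-report.json" } = {}) {
  const scanner = await import("@nodesecure/scanner");
  const fs = await import("node:fs/promises");
  const payload = await scanner.cwd(location, {
    includeDevDeps: true,
    vulnerabilityStrategy: "npm",
    maxDepth: Infinity,
  });
  await fs.writeFile(report, JSON.stringify(payload, null, 2)); // keep the evidence as an artifact
  return evaluateGate(summarizePayload(payload), { minSeverity });
}

// CLI entry: `node gate.mjs <projectDir> [minSeverity]`. Without arguments nothing runs, so the
// pure functions above can be imported and exercised against kConstructedPayload offline.
if (process.argv[2]) {
  scanAndGate(process.argv[2], { minSeverity: process.argv[3] ?? "high" })
    .then(({ pass, reasons }) => {
      for (const reason of reasons) console.error(`[gate] ${reason}`);
      console.log(pass ? "[gate] PASS" : "[gate] FAIL");
      process.exitCode = pass ? 0 : 1;
    })
    .catch((error) => { console.error(error); process.exitCode = 2; });
}
```

Keeping the gate decision in pure functions (`summarizePayload`, `evaluateGate`) separate from the I/O in `scanAndGate` is deliberate: the policy can be unit-tested against a constructed payload, and a change to the scanner's output shape shows up as a failing test rather than a silently passing build.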
Additional APIs are available at:
Workspaces
Click on one of the links to access the documentation of the workspace:
| name | package and link |
|---|---|
| tarball | @nodesecure/tarball |
| tree-walker | @nodesecure/tree-walker |
| mama | @nodesecure/mama |
| contact | @nodesecure/contact |
| conformance | @nodesecure/conformance |
| npm-types | @nodesecure/npm-types |
| i18n | @nodesecure/i18n |
| rc | @nodesecure/rc |
Contributors ✨
Thanks goes to these wonderful people (emoji key):
License
MIT