@nodesecure/scanner 2.0.1 → 3.1.0

package/src/tarball.js

@@ -1,100 +1,63 @@
 // Import Node.js Dependencies
-import { join, extname, dirname } from "path";
-import fs from "fs/promises";
+import path from "path";
 import os from "os";
 import timers from "timers/promises";
 
 // Import Third-party Dependencies
-import { runASTAnalysis } from "@nodesecure/js-x-ray";
-import { parseManifestAuthor } from "@nodesecure/utils";
-import difference from "lodash.difference";
-import isMinified from "is-minified-code";
+import { runASTAnalysisOnFile } from "@nodesecure/js-x-ray";
 import pacote from "pacote";
 import ntlp from "@nodesecure/ntlp";
-import builtins from "builtins";
 
 // Import Internal Dependencies
-import { getTarballComposition, isSensitiveFile, getPackageName, constants } from "./utils/index.js";
+import {
+  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
+  NPM_TOKEN
+} from "./utils/index.js";
+import * as manifest from "./manifest.js";
 import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 
 // CONSTANTS
-const DIRECT_PATH = new Set([".", "..", "./", "../"]);
-const NATIVE_CODE_EXTENSIONS = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
-const NATIVE_NPM_PACKAGES = new Set(["node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"]);
-const NODE_CORE_LIBS = new Set(builtins({ experimental: true }));
-
-export async function readManifest(dest, ref) {
-  const packageStr = await fs.readFile(join(dest, "package.json"), "utf-8");
-  const packageJSON = JSON.parse(packageStr);
-  const {
-    description = "", author = {}, scripts = {}, dependencies = {}, devDependencies = {}, gypfile = false
-  } = packageJSON;
-
-  ref.description = description;
-  ref.author = typeof author === "string" ? parseManifestAuthor(author) : author;
-
-  // TODO: handle this to @nodesecure/flags
-  ref.flags.hasScript = [...Object.keys(scripts)]
-    .some((value) => constants.NPM_SCRIPTS.has(value.toLowerCase()));
+const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
+const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
+
+export async function scanJavascriptFile(dest, file, packageName) {
+  const result = await runASTAnalysisOnFile(path.join(dest, file), { packageName });
+
+  const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
+  if (!result.ok) {
+    return {
+      file,
+      warnings,
+      isMinified: false,
+      tryDependencies: [],
+      dependencies: [],
+      filesDependencies: []
+    };
+  }
+  const { packages, files } = filterDependencyKind(result.dependencies, path.dirname(file));
 
   return {
-    packageDeps: [...Object.keys(dependencies)],
-    packageDevDeps: Object.keys(devDependencies),
-    packageGyp: gypfile
+    file,
+    warnings,
+    isMinified: result.isMinified,
+    tryDependencies: [...result.dependencies.getDependenciesInTryStatement()],
+    dependencies: packages,
+    filesDependencies: files
   };
 }
 
-export async function scanFile(dest, file, options) {
-  const { name, ref } = options;
-
-  try {
-    const str = await fs.readFile(join(dest, file), "utf-8");
-    const isMin = file.includes(".min") || isMinified(str);
-
-    const ASTAnalysis = runASTAnalysis(str, { isMinified: isMin });
-    ASTAnalysis.dependencies.removeByName(name);
-
-    const dependencies = [];
-    const filesDependencies = [];
-    for (const depName of ASTAnalysis.dependencies) {
-      if (depName.startsWith(".")) {
-        const indexName = DIRECT_PATH.has(depName) ? join(depName, "index.js") : join(dirname(file), depName);
-        filesDependencies.push(indexName);
-      }
-      else {
-        dependencies.push(depName);
-      }
-    }
-    const inTryDeps = [...ASTAnalysis.dependencies.getDependenciesInTryStatement()];
-
-    if (!ASTAnalysis.isOneLineRequire && isMin) {
-      ref.composition.minified.push(file);
-    }
-    ref.warnings.push(...ASTAnalysis.warnings.map((curr) => Object.assign({}, curr, { file })));
-
-    return { inTryDeps, dependencies, filesDependencies };
-  }
-  catch (error) {
-    if (!("code" in error)) {
-      ref.warnings.push({ file, kind: "parsing-error", value: error.message, location: [[0, 0], [0, 0]] });
-    }
-
-    return null;
-  }
-}
-
 export async function scanDirOrArchive(name, version, options) {
   const { ref, tmpLocation, locker } = options;
 
   const isNpmTarball = !(tmpLocation === null);
-  const dest = isNpmTarball ? join(tmpLocation, `${name}@${version}`) : process.cwd();
+  const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : process.cwd();
   const free = await locker.acquireOne();
 
   try {
     // If this is an NPM tarball then we extract it on the disk with pacote.
     if (isNpmTarball) {
       await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
-        ...constants.NPM_TOKEN,
+        ...NPM_TOKEN,
         registry: getLocalRegistryURL(),
         cache: `${os.homedir()}/.npm`
       });
@@ -102,103 +65,67 @@ export async function scanDirOrArchive(name, version, options) {
     }
 
     // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, packageGyp } = await readManifest(dest, ref);
+    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
+    ref.author = author;
+    ref.description = description;
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);
     ref.size = size;
     ref.composition.extensions.push(...ext);
     ref.composition.files.push(...files);
-    if (files.some((path) => isSensitiveFile(path))) {
-      ref.flags.push("hasBannedFile");
-    }
+    const hasBannedFile = files.some((path) => isSensitiveFile(path));
+    const hasNativeCode = hasNativeElements || files.some((file) => kNativeCodeExtensions.has(path.extname(file)));
 
     // Search for minified and runtime dependencies
     // Run a JS-X-Ray analysis on each JavaScript files of the project!
-    const [dependencies, filesDependencies, inTryDeps] = [new Set(), new Set(), new Set()];
-    const fileAnalysisResults = await Promise.all(
+    const fileAnalysisRaw = await Promise.allSettled(
       files
-        .filter((name) => constants.EXT_JS.has(extname(name)))
-        .map((file) => scanFile(dest, file, { name, ref }))
+        .filter((name) => kJsExtname.has(path.extname(name)))
+        .map((file) => scanJavascriptFile(dest, file, name))
     );
 
-    for (const result of fileAnalysisResults.filter((row) => row !== null)) {
-      result.inTryDeps.forEach((dep) => inTryDeps.add(dep));
-      result.dependencies.forEach((dep) => dependencies.add(dep));
-      result.filesDependencies.forEach((dep) => filesDependencies.add(dep));
-    }
-
-    // Search for native code
-    {
-      const hasNativeFile = files.some((file) => NATIVE_CODE_EXTENSIONS.has(extname(file)));
-      const hasNativePackage = hasNativeFile ? null : [
-        ...new Set([...packageDevDeps, ...(packageDeps || [])])
-      ].some((pkg) => NATIVE_NPM_PACKAGES.has(pkg));
+    const fileAnalysisResults = fileAnalysisRaw
+      .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+      .map((promiseSettledResult) => promiseSettledResult.value);
 
-      if (hasNativeFile || hasNativePackage || packageGyp) {
-        ref.flags.push("hasNativeCode");
-      }
-    }
+    ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
 
-    if (ref.warnings.length > 0 && !ref.flags.includes("hasWarnings")) {
-      ref.flags.push("hasWarnings");
-    }
-    const required = [...dependencies];
+    const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
+    const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
+    const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));
+    const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
 
-    if (packageDeps !== null) {
-      const thirdPartyDependencies = required
-        .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
-        .filter((name) => !name.startsWith("."))
-        .filter((name) => !NODE_CORE_LIBS.has(name))
-        .filter((name) => !packageDevDeps.includes(name))
-        .filter((name) => !inTryDeps.has(name));
-      ref.composition.required_thirdparty = thirdPartyDependencies;
+    const {
+      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
 
-      const unusedDeps = difference(
-        packageDeps.filter((name) => !name.startsWith("@types")), thirdPartyDependencies);
-      const missingDeps = new Set(difference(thirdPartyDependencies, packageDeps));
-
-      if (unusedDeps.length > 0 || missingDeps.length > 0) {
-        ref.flags.push("hasMissingOrUnusedDependency");
-      }
-      ref.composition.unused.push(...unusedDeps);
-      ref.composition.missing.push(...missingDeps);
-    }
-
-    ref.composition.required_files = [...filesDependencies]
-      .filter((depName) => depName.trim() !== "")
-    // .map((depName) => {
-    //     return files.includes(depName) ? depName : join(depName, "index.js");
-    // })
-      .map((depName) => (extname(depName) === "" ? `${depName}.js` : depName));
-    ref.composition.required_nodejs = required.filter((name) => NODE_CORE_LIBS.has(name));
-
-    if (ref.composition.minified.length > 0) {
-      ref.flags.push("hasMinifiedCode");
-    }
-
-    const hasExternalCapacity = ref.composition.required_nodejs
-      .some((depName) => constants.EXT_DEPS.has(depName));
-    if (hasExternalCapacity) {
-      ref.flags.push("hasExternalCapacity");
-    }
+    ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.unused.push(...unusedDependencies);
+    ref.composition.missing.push(...missingDependencies);
+    ref.composition.required_files = filesDependencies;
+    ref.composition.required_nodejs = nodeDependencies;
+    ref.composition.minified = minifiedFiles;
 
     // License
     await timers.setImmediate();
     const licenses = await ntlp(dest);
-
     const uniqueLicenseIds = Array.isArray(licenses.uniqueLicenseIds) ? licenses.uniqueLicenseIds : [];
-    if (uniqueLicenseIds.length === 0) {
-      ref.flags.push("hasNoLicense");
-    }
-    if (licenses.hasMultipleLicenses) {
-      ref.flags.push("hasMultipleLicenses");
-    }
-
     ref.license = licenses;
     ref.license.uniqueLicenseIds = uniqueLicenseIds;
+
+    ref.flags.push(...booleanToFlags({
+      ...flags,
+      hasNoLicense: uniqueLicenseIds.length === 0,
+      hasMultipleLicenses: licenses.hasMultipleLicenses,
+      hasMinifiedCode: minifiedFiles.length > 0,
+      hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
+      hasBannedFile,
+      hasNativeCode,
+      hasScript
+    }));
   }
-  catch (err) {
+  catch {
     // Ignore
   }
   finally {
@@ -206,66 +133,35 @@ export async function scanDirOrArchive(name, version, options) {
   }
 }
 
-async function readJSFile(dest, file) {
-  const str = await fs.readFile(join(dest, file), "utf-8");
-
-  return [file, str];
-}
-
 export async function scanPackage(dest, packageName) {
-  // Read the package.json file inside the extracted directory.
-  let isProjectUsingESM = false;
-  let localPackageName = packageName;
-  {
-    const packageStr = await fs.readFile(join(dest, "package.json"), "utf-8");
-    const { type = "script", name } = JSON.parse(packageStr);
-    isProjectUsingESM = type === "module";
-    if (localPackageName === null) {
-      localPackageName = name;
-    }
-  }
+  const { type = "script", name } = await manifest.read(dest);
 
-  // Get the tarball composition
   await timers.setImmediate();
   const { ext, files, size } = await getTarballComposition(dest);
+  ext.delete("");
 
   // Search for runtime dependencies
   const dependencies = Object.create(null);
-  const minified = [];
-  const warnings = [];
+  const [minified, warnings] = [[], []];
 
-  const JSFiles = files.filter((name) => constants.EXT_JS.has(extname(name)));
-  const allFilesContent = (await Promise.allSettled(JSFiles.map((file) => readJSFile(dest, file))))
-    .filter((_p) => _p.status === "fulfilled").map((_p) => _p.value);
+  const JSFiles = files.filter((name) => kJsExtname.has(path.extname(name)));
+  for (const file of JSFiles) {
+    const result = await runASTAnalysisOnFile(path.join(dest, file), {
+      packageName: packageName ?? name,
+      module: type === "module"
+    });
 
-  // TODO: 2) handle dependency by file to not loose data.
-  for (const [file, str] of allFilesContent) {
-    try {
-      const ASTAnalysis = runASTAnalysis(str, {
-        module: extname(file) === ".mjs" ? true : isProjectUsingESM
-      });
-      ASTAnalysis.dependencies.removeByName(localPackageName);
-      dependencies[file] = ASTAnalysis.dependencies.dependencies;
-      warnings.push(...ASTAnalysis.warnings.map((warn) => {
-        warn.file = file;
-
-        return warn;
-      }));
-
-      if (!ASTAnalysis.isOneLineRequire && !file.includes(".min") && isMinified(str)) {
-        minified.push(file);
-      }
-    }
-    catch (err) {
-      if (!Reflect.has(err, "code")) {
-        warnings.push({ file, kind: "parsing-error", value: err.message, location: [[0, 0], [0, 0]] });
-      }
+    warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
+    if (!result.ok) {
+      continue;
     }
+
+    dependencies[file] = result.dependencies.dependencies;
+    result.isMinified && minified.push(file);
   }
 
   await timers.setImmediate();
   const { uniqueLicenseIds, licenses } = await ntlp(dest);
-  ext.delete("");
 
   return {
     files: { list: files, extensions: [...ext], minified },

package/src/utils/addMissingVersionFlags.js

@@ -0,0 +1,24 @@
+/**
+ * @param {Set<string>} flags
+ * @param {import("../../types/scanner").Dependency} descriptor
+ */
+export function* addMissingVersionFlags(flags, descriptor) {
+  const { metadata, vulnerabilities = [], versions } = descriptor;
+  const semverVersions = Object.keys(versions);
+
+  if (!metadata.hasReceivedUpdateInOneYear && flags.has("hasOutdatedDependency") && !flags.has("isDead")) {
+    yield "isDead";
+  }
+  if (metadata.hasManyPublishers && !flags.has("hasManyPublishers")) {
+    yield "hasManyPublishers";
+  }
+  if (metadata.hasChangedAuthor && !flags.has("hasChangedAuthor")) {
+    yield "hasChangedAuthor";
+  }
+  if (vulnerabilities.length > 0 && !flags.has("hasVulnerabilities")) {
+    yield "hasVulnerabilities";
+  }
+  if (semverVersions.length > 1 && !flags.has("hasDuplicate")) {
+    yield "hasDuplicate";
+  }
+}

package/src/utils/analyzeDependencies.js

@@ -0,0 +1,40 @@
+// Import Third-party Dependencies
+import difference from "lodash.difference";
+import builtins from "builtins";
+
+// Import Internal Dependencies
+import { getPackageName } from "./getPackageName.js";
+
+// CONSTANTS
+const kNodeModules = new Set(builtins({ experimental: true }));
+const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
+
+export function analyzeDependencies(dependencies, deps = {}) {
+  const { packageDeps, packageDevDeps, tryDependencies } = deps;
+
+  const thirdPartyDependencies = dependencies
+    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
+    .filter((name) => !name.startsWith("."))
+    .filter((name) => !kNodeModules.has(name))
+    .filter((name) => !packageDevDeps.includes(name))
+    .filter((name) => !tryDependencies.has(name));
+
+  const unusedDependencies = difference(
+    packageDeps.filter((name) => !name.startsWith("@types")),
+    thirdPartyDependencies
+  );
+  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))];
+  const nodeDependencies = dependencies.filter((name) => kNodeModules.has(name));
+
+  return {
+    nodeDependencies,
+    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
+    unusedDependencies,
+    missingDependencies,
+
+    flags: {
+      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
+      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
+    }
+  };
+}

package/src/utils/booleanToFlags.js

@@ -0,0 +1,12 @@
+/**
+ * @param {Record<string, boolean>} flagsRecord
+ * @example
+ * console.log(...booleanToFlags({ hasScript: true })); // "hasScript"
+ */
+export function* booleanToFlags(flagsRecord) {
+  for (const [flagName, boolValue] of Object.entries(flagsRecord)) {
+    if (boolValue) {
+      yield flagName;
+    }
+  }
+}

package/src/utils/filterDependencyKind.js

@@ -0,0 +1,44 @@
+// Import Node.js Dependencies
+import path from "path";
+
+// CONSTANTS
+const kRelativeImportPath = new Set([".", "..", "./", "../"]);
+
+/**
+ * @see https://nodejs.org/docs/latest/api/modules.html#file-modules
+ *
+ * @param {IterableIterator<string>} dependencies
+ * @param {!string} relativeFileLocation
+ */
+export function filterDependencyKind(dependencies, relativeFileLocation) {
+  const packages = [];
+  const files = [];
+
+  for (const moduleNameOrPath of dependencies) {
+    const firstChar = moduleNameOrPath.charAt(0);
+
+    /**
+     * @example
+     * require("..");
+     * require("/home/marco/foo.js");
+     */
+    if (firstChar === "." || firstChar === "/") {
+      // Note: condition only possible for CJS
+      if (kRelativeImportPath.has(moduleNameOrPath)) {
+        files.push(path.join(moduleNameOrPath, "index.js"));
+      }
+      else {
+        // Note: we are speculating that the extension is .js (but it could be .json or .node)
+        const fixedFileName = path.extname(moduleNameOrPath) === "" ?
+          `${moduleNameOrPath}.js` : moduleNameOrPath;
+
+        files.push(path.join(relativeFileLocation, fixedFileName));
+      }
+    }
+    else {
+      packages.push(moduleNameOrPath);
+    }
+  }
+
+  return { packages, files };
+}

package/src/utils/getPackageName.js

@@ -1,5 +1,21 @@
+// CONSTANTS
+const kPackageSeparator = "/";
+const kPackageOrgSymbol = "@";
+
+/**
+ * @see https://github.com/npm/validate-npm-package-name#naming-rules
+ *
+ * @param {!string} name full package name
+ * @returns {string}
+ *
+ * @example
+ * getPackageName("foo"); // foo
+ * getPackageName("foo/bar"); // foo
+ * getPackageName("@org/bar"); // @org/bar
+ */
 export function getPackageName(name) {
-  const parts = name.split("/");
+  const parts = name.split(kPackageSeparator);
 
-  return name.startsWith("@") ? `${parts[0]}/${parts[1]}` : parts[0];
+  // Note: only scoped package are allowed to start with @
+  return name.startsWith(kPackageOrgSymbol) ? `${parts[0]}/${parts[1]}` : parts[0];
 }

package/src/utils/getTarballComposition.js

@@ -21,16 +21,14 @@ export async function getTarballComposition(tarballDir) {
     }
   }
 
-  try {
-    const sizeAll = await Promise.all([
-      ...files.map((file) => fs.stat(file)),
-      ...dirs.map((file) => fs.stat(file))
-    ]);
-    size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
-  }
-  catch (err) {
-    // ignore
-  }
+  const sizeUnfilteredResult = await Promise.allSettled([
+    ...files.map((file) => fs.stat(file)),
+    ...dirs.map((file) => fs.stat(file))
+  ]);
+  const sizeAll = sizeUnfilteredResult
+    .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+    .map((promiseSettledResult) => promiseSettledResult.value);
+  size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
 
   return {
     ext,

package/src/utils/index.js

@@ -1,14 +1,16 @@
-export * from "./getTarballComposition.js";
-export * from "./isSensitiveFile.js";
-export * from "./getPackageName.js";
-export * from "./mergeDependencies.js";
-export * from "./semver.js";
-export * from "./dirname.js";
-export * from "./warnings.js";
-
-export const constants = {
-  NPM_TOKEN: typeof process.env.NODE_SECURE_TOKEN === "string" ? { token: process.env.NODE_SECURE_TOKEN } : {},
-  NPM_SCRIPTS: new Set(["preinstall", "postinstall", "preuninstall", "postuninstall"]),
-  EXT_DEPS: new Set(["http", "https", "net", "http2", "dgram", "child_process"]),
-  EXT_JS: new Set([".js", ".mjs", ".cjs"])
-};
+export * from "./getTarballComposition.js";
+export * from "./isSensitiveFile.js";
+export * from "./isGitDependency.js";
+export * from "./getPackageName.js";
+export * from "./mergeDependencies.js";
+export * from "./semver.js";
+export * from "./dirname.js";
+export * from "./warnings.js";
+export * from "./filterDependencyKind.js";
+export * from "./analyzeDependencies.js";
+export * from "./booleanToFlags.js";
+export * from "./addMissingVersionFlags.js";
+
+export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+  { token: process.env.NODE_SECURE_TOKEN } :
+  {};

package/src/utils/isGitDependency.js

@@ -0,0 +1,20 @@
+const kGitVersionVariants = ["git:", "git+", "github:"];
+
+/**
+ * @example isGitDependency("github:NodeSecure/scanner") // => true
+ * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
+ * @example isGitDependency(">=1.0.2 <2.1.2") // => false
+ * @example isGitDependency("http://asdf.com/asdf.tar.gz") // => false
+ * @param {string} version
+ * @returns {boolean}
+ */
+export function isGitDependency(version) {
+  for (const variant of kGitVersionVariants) {
+    if (version.startsWith(variant)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+

package/src/utils/isSensitiveFile.js

@@ -5,6 +5,12 @@ import path from "path";
 const kSensitiveFileName = new Set([".npmrc", ".env"]);
 const kSensitiveFileExtension = new Set([".key", ".pem"]);
 
+/**
+ * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
+ *
+ * @param {!string} fileName
+ * @returns {boolean}
+ */
 export function isSensitiveFile(fileName) {
   return kSensitiveFileName.has(path.basename(fileName)) ||
     kSensitiveFileExtension.has(path.extname(fileName));

package/src/utils/mergeDependencies.js

@@ -1,23 +1,26 @@
-export function mergeDependencies(manifest, types = ["dependencies"]) {
-  const dependencies = new Map();
-  const customResolvers = new Map();
-
-  for (const fieldName of types) {
-    if (!Reflect.has(manifest, fieldName)) {
-      continue;
-    }
-    const dep = manifest[fieldName];
-
-    for (const [name, version] of Object.entries(dep)) {
-      // Version can be file:, github:, git+, ./...
-      if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
-        customResolvers.set(name, version);
-        continue;
-      }
-
-      dependencies.set(name, version);
-    }
-  }
-
-  return { dependencies, customResolvers };
-}
+export function mergeDependencies(manifest, types = ["dependencies"]) {
+  const dependencies = new Map();
+  const customResolvers = new Map();
+
+  for (const fieldName of types) {
+    if (!Reflect.has(manifest, fieldName)) {
+      continue;
+    }
+    const dep = manifest[fieldName];
+
+    for (const [name, version] of Object.entries(dep)) {
+      /**
+       * Version can be file:, github:, git:, git+, ./...
+       * @see https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies
+       */
+      if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
+        customResolvers.set(name, version);
+        continue;
+      }
+
+      dependencies.set(name, version);
+    }
+  }
+
+  return { dependencies, customResolvers };
+}