@nodesecure/scanner 2.1.0 → 3.1.1-rc.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 Communauté JavaScript et Node.js Francophone
+Copyright (c) 2021 NodeSecure
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -69,7 +69,7 @@ interface Options {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-3-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-4-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -82,6 +82,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
     <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
     <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
+    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
   </tr>
 </table>
 

package/index.d.ts

@@ -1,11 +1,11 @@
 import Scanner from "./types/scanner";
-import { cwd, from, verify } from "./types/api";
+import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
 import { depWalker } from "./types/walker";
 import { Logger, LoggerEventData } from "./types/logger";
 import tarball from "./types/tarball";
 
 export {
-  cwd, from, verify,
+  cwd, from, verify, ScannerLoggerEvents,
   Scanner,
   Logger,
   LoggerEventData,

package/index.js

@@ -10,8 +10,9 @@ import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 
 // Import Internal Dependencies
 import { depWalker } from "./src/depWalker.js";
-import { constants } from "./src/utils/index.js";
-import Logger from "./src/logger.class.js";
+import { NPM_TOKEN } from "./src/utils/index.js";
+import { ScannerLoggerEvents } from "./src/constants.js";
+import Logger from "./src/class/logger.class.js";
 import * as tarball from "./src/tarball.js";
 
 // CONSTANTS
@@ -20,20 +21,20 @@ const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
 export async function cwd(cwd = process.cwd(), options = {}, logger = new Logger()) {
   const finalizedOptions = Object.assign({}, kDefaultCwdOptions, options);
 
-  logger.start("readManifest");
+  logger.start(ScannerLoggerEvents.manifest.read);
   const packagePath = path.join(cwd, "package.json");
   const str = await fs.readFile(packagePath, "utf-8");
-  logger.end("readManifest");
+  logger.end(ScannerLoggerEvents.manifest.read);
 
   return depWalker(JSON.parse(str), finalizedOptions, logger);
 }
 
 export async function from(packageName, options, logger = new Logger()) {
-  logger.start("fetchManifest");
+  logger.start(ScannerLoggerEvents.manifest.fetch);
   const manifest = await pacote.manifest(packageName, {
-    ...constants.NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
   });
-  logger.end("fetchManifest");
+  logger.end(ScannerLoggerEvents.manifest.fetch);
 
   return depWalker(manifest, options, logger);
 }
@@ -48,7 +49,7 @@ export async function verify(packageName = null) {
 
   try {
     await pacote.extract(packageName, dest, {
-      ...constants.NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+      ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
     });
 
     return await tarball.scanPackage(dest, packageName);
@@ -59,4 +60,4 @@ export async function verify(packageName = null) {
   }
 }
 
-export { depWalker, tarball, Logger };
+export { depWalker, tarball, Logger, ScannerLoggerEvents };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "2.1.0",
+  "version": "3.1.1-rc.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -10,7 +10,8 @@
     "lint": "eslint src test",
     "prepublishOnly": "pkg-ok",
     "test": "npm run lint && npm run test-only",
-    "test-only": "cross-env NODE_OPTIONS=--experimental-vm-modules jest"
+    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "coverage": "c8 -r html npm run test-only"
   },
   "files": [
     "src",
@@ -46,54 +47,36 @@
     "url": "https://github.com/NodeSecure/scanner/issues"
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
-  "jest": {
-    "setupFilesAfterEnv": [
-      "./jest.setup.js"
-    ],
-    "collectCoverage": true,
-    "collectCoverageFrom": [
-      "**/src/**/*.js"
-    ],
-    "testEnvironment": "node",
-    "testMatch": [
-      "**/test/**/*.js"
-    ],
-    "testPathIgnorePatterns": [
-      "/test/fixtures/"
-    ],
-    "moduleNameMapper": {
-      "^@nodesecure/npm-registry-sdk$": "@nodesecure/npm-registry-sdk/dist/index.js",
-      "^@nodesecure/sec-literal$": "@nodesecure/sec-literal/src/index.js",
-      "^estree-walker$": "estree-walker/src/index.js"
-    }
-  },
   "devDependencies": {
     "@nodesecure/eslint-config": "^1.3.0",
     "@slimio/is": "^1.5.1",
-    "@types/jest": "^27.0.2",
-    "@types/node": "^16.11.7",
+    "@small-tech/esm-tape-runner": "^1.0.3",
+    "@small-tech/tap-monkey": "^1.3.0",
+    "@types/node": "^16.11.10",
+    "c8": "^7.10.0",
     "cross-env": "^7.0.3",
     "dotenv": "^10.0.0",
-    "eslint": "^8.2.0",
+    "eslint": "^8.3.0",
     "get-folder-size": "^3.1.0",
-    "jest": "^27.3.1",
-    "pkg-ok": "^2.3.1"
+    "pkg-ok": "^2.3.1",
+    "sinon": "^12.0.1",
+    "snap-shot-core": "^10.2.4",
+    "tape": "^5.3.2"
   },
   "dependencies": {
-    "@nodesecure/flags": "^2.0.0",
+    "@nodesecure/flags": "^2.2.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.2.0",
-    "@nodesecure/js-x-ray": "^4.0.1",
+    "@nodesecure/i18n": "^1.2.1",
+    "@nodesecure/js-x-ray": "^4.2.0",
     "@nodesecure/npm-registry-sdk": "^1.3.0",
-    "@nodesecure/ntlp": "^2.0.0",
+    "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.4.0",
+    "@nodesecure/vuln": "^1.4.1",
     "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^4.0.4",
+    "@npmcli/arborist": "^4.1.0",
     "@slimio/lock": "^1.0.0",
     "builtins": "^4.0.0",
     "combine-async-iterators": "^2.0.1",
-    "is-minified-code": "^2.0.0",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
     "pacote": "^12.0.2",

package/src/{dependency.class.js → class/dependency.class.js}

@@ -56,28 +56,29 @@ export default class Dependency {
     }
 
     return {
-      [this.version]: {
-        id: typeof customId === "number" ? customId : Dependency.currentId++,
-        usedBy: this.parent,
-        flags: this.flags,
-        description: "",
-        size: 0,
-        author: {},
-        warnings: this.warnings,
-        composition: {
-          extensions: [],
-          files: [],
-          minified: [],
-          unused: [],
-          missing: [],
-          required_files: [],
-          required_nodejs: [],
-          required_thirdparty: []
-        },
-        license: "unkown license",
-        gitUrl: this.gitUrl
+      versions: {
+        [this.version]: {
+          id: typeof customId === "number" ? customId : Dependency.currentId++,
+          usedBy: this.parent,
+          flags: this.flags,
+          description: "",
+          size: 0,
+          author: {},
+          warnings: this.warnings,
+          composition: {
+            extensions: [],
+            files: [],
+            minified: [],
+            unused: [],
+            missing: [],
+            required_files: [],
+            required_nodejs: [],
+            required_thirdparty: []
+          },
+          license: "unkown license",
+          gitUrl: this.gitUrl
+        }
       },
-      versions: [this.version],
       vulnerabilities: [],
       metadata: {
         dependencyCount: this.dependencyCount,

package/src/constants.js

@@ -0,0 +1,13 @@
+
+export const ScannerLoggerEvents = {
+  done: "depWalkerFinished",
+  analysis: {
+    tree: "walkTree",
+    tarball: "tarball",
+    registry: "registry"
+  },
+  manifest: {
+    read: "readManifest",
+    fetch: "fetchManifest"
+  }
+};

package/src/depWalker.js

@@ -8,18 +8,21 @@ import os from "os";
 import combineAsyncIterators from "combine-async-iterators";
 import iter from "itertools";
 import pacote from "pacote";
-import semver from "semver";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
-import { packument, getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import * as vuln from "@nodesecure/vuln";
-import { parseManifestAuthor } from "@nodesecure/utils";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+import { ScannerLoggerEvents } from "./constants.js";
 
 // Import Internal Dependencies
-import { mergeDependencies, constants, getCleanDependencyName, getDependenciesWarnings } from "./utils/index.js";
+import {
+  mergeDependencies, getCleanDependencyName, getDependenciesWarnings, addMissingVersionFlags, isGitDependency,
+  NPM_TOKEN
+} from "./utils/index.js";
 import { scanDirOrArchive } from "./tarball.js";
-import Dependency from "./dependency.class.js";
-import Logger from "./logger.class.js";
+import { packageMetadata } from "./npmRegistry.js";
+import Dependency from "./class/dependency.class.js";
+import Logger from "./class/logger.class.js";
 
 const { version: packageVersion } = JSON.parse(
   readFileSync(
@@ -27,20 +30,18 @@ const { version: packageVersion } = JSON.parse(
   )
 );
 
-
-async function* searchDeepDependencies(packageName, gitURL, options) {
-  const isGit = typeof gitURL === "string";
+export async function* searchDeepDependencies(packageName, gitURL, options) {
   const { exclude, currDepth = 0, parent, maxDepth } = options;
 
-  const { name, version, deprecated, ...pkg } = await pacote.manifest(isGit ? gitURL : packageName, {
-    ...constants.NPM_TOKEN,
+  const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
+    ...NPM_TOKEN,
     registry: getLocalRegistryURL(),
     cache: `${os.homedir()}/.npm`
   });
   const { dependencies, customResolvers } = mergeDependencies(pkg);
 
   const current = new Dependency(name, version, parent);
-  isGit && current.isGit(gitURL);
+  gitURL !== null && current.isGit(gitURL);
   current.addFlag("isDeprecated", deprecated === true);
   current.addFlag("hasCustomResolver", customResolvers.size > 0);
   current.addFlag("hasDependencies", dependencies.size > 0);
@@ -50,9 +51,9 @@ async function* searchDeepDependencies(packageName, gitURL, options) {
       exclude, currDepth: currDepth + 1, parent: current, maxDepth
     };
 
-    const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => valueStr.startsWith("git+"));
+    const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
     for (const [depName, valueStr] of gitDependencies) {
-      yield* searchDeepDependencies(depName, valueStr.slice(4), config);
+      yield* searchDeepDependencies(depName, valueStr, config);
     }
 
     const depsNames = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
@@ -66,7 +67,7 @@ async function* searchDeepDependencies(packageName, gitURL, options) {
       }
       else {
         exclude.set(cleanName, new Set([current.fullName]));
-        yield* searchDeepDependencies(fullName, void 0, config);
+        yield* searchDeepDependencies(fullName, null, config);
       }
     }
   }
@@ -74,7 +75,7 @@ async function* searchDeepDependencies(packageName, gitURL, options) {
   yield current;
 }
 
-async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
+export async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
@@ -82,7 +83,7 @@ async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLoc
 
   if (fullLockMode) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
-      ...constants.NPM_TOKEN,
+      ...NPM_TOKEN,
       registry: getLocalRegistryURL(),
       cache: `${os.homedir()}/.npm`
     });
@@ -111,64 +112,7 @@ async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLoc
   yield current;
 }
 
-async function fetchPackageMetadata(name, version, options) {
-  const { ref, locker } = options;
-  const free = await locker.acquireOne();
-
-  try {
-    const pkg = await packument(name);
-
-    const publishers = new Set();
-    const oneYearFromToday = new Date();
-    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
-
-    ref.metadata.lastVersion = pkg["dist-tags"].latest;
-    if (semver.neq(version, ref.metadata.lastVersion)) {
-      ref[version].flags.push("isOutdated");
-    }
-    ref.metadata.publishedCount = Object.values(pkg.versions).length;
-    ref.metadata.lastUpdateAt = new Date(pkg.time[ref.metadata.lastVersion]);
-    ref.metadata.hasReceivedUpdateInOneYear = !(oneYearFromToday > ref.metadata.lastUpdateAt);
-    ref.metadata.homepage = pkg.homepage || null;
-    ref.metadata.maintainers = pkg.maintainers;
-    if (typeof pkg.author === "string") {
-      ref.metadata.author = parseManifestAuthor(pkg.author);
-    }
-    else {
-      ref.metadata.author = pkg.author;
-    }
-    const authorName = ref.metadata.author?.name ?? null;
-
-    for (const ver of Object.values(pkg.versions)) {
-      const { _npmUser: npmUser, version } = ver;
-
-      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
-      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
-        continue;
-      }
-
-      if (authorName === null) {
-        ref.metadata.author.name = npmUser.name;
-      }
-      else if (npmUser.name !== ref.metadata.author.name) {
-        ref.metadata.hasManyPublishers = true;
-      }
-
-      if (!publishers.has(npmUser.name)) {
-        publishers.add(npmUser.name);
-        ref.metadata.publishers.push({ name: npmUser.name, version, at: new Date(pkg.time[version]) });
-      }
-    }
-  }
-  catch (err) {
-    // Ignore
-  }
-  finally {
-    free();
-  }
-}
-
-async function* getRootDependencies(manifest, options) {
+export async function* getRootDependencies(manifest, options) {
   const { maxDepth = 4, exclude, usePackageLock, fullLockMode } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
@@ -179,7 +123,7 @@ async function* getRootDependencies(manifest, options) {
   let iterators;
   if (usePackageLock) {
     const arb = new Arborist({
-      ...constants.NPM_TOKEN,
+      ...NPM_TOKEN,
       registry: getLocalRegistryURL()
     });
     let tree;
@@ -191,15 +135,15 @@ async function* getRootDependencies(manifest, options) {
       tree = await arb.loadVirtual();
     }
 
-    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => !to.dev)
+    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && !to.dev)
       .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
   }
   else {
     const configRef = { exclude, maxDepth, parent };
     iterators = [
-      ...iter.filter(customResolvers.entries(), ([, valueStr]) => valueStr.startsWith("git+"))
-        .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr.slice(4), configRef)),
-      ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, void 0, configRef))
+      ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
+        .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
+      ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, null, configRef))
     ];
   }
   for await (const dep of combineAsyncIterators({}, ...iterators)) {
@@ -221,26 +165,6 @@ async function* getRootDependencies(manifest, options) {
   yield parent;
 }
 
-function* addMissingVersionFlags(flags, descriptor) {
-  const { metadata, vulnerabilities = [], versions } = descriptor;
-
-  if (!metadata.hasReceivedUpdateInOneYear && flags.has("hasOutdatedDependency") && !flags.has("isDead")) {
-    yield "isDead";
-  }
-  if (metadata.hasManyPublishers && !flags.has("hasManyPublishers")) {
-    yield "hasManyPublishers";
-  }
-  if (metadata.hasChangedAuthor && !flags.has("hasChangedAuthor")) {
-    yield "hasChangedAuthor";
-  }
-  if (vulnerabilities.length > 0 && !flags.has("hasVulnerabilities")) {
-    yield "hasVulnerabilities";
-  }
-  if (versions.length > 1 && !flags.has("hasDuplicate")) {
-    yield "hasDuplicate";
-  }
-}
-
 /**
  * @param {*} manifest
  * @param {*} options
@@ -260,59 +184,68 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   const payload = {
     id: tmpLocation.slice(-6),
-    rootDepencyName: manifest.name,
-    warnings: [],
-    dependencies: new Map(),
-    version: packageVersion
+    rootDependencyName: manifest.name,
+    scannerVersion: packageVersion,
+    vulnerabilityStrategy,
+    warnings: []
   };
 
   // We are dealing with an exclude Map to avoid checking a package more than one time in searchDeepDependencies
   const exclude = new Map();
+  const dependencies = new Map();
 
   {
-    logger.start("walkTree").start("tarball").start("registry");
+    logger
+      .start(ScannerLoggerEvents.analysis.tree)
+      .start(ScannerLoggerEvents.analysis.tarball)
+      .start(ScannerLoggerEvents.analysis.registry);
+    const fetchedMetadataPackages = new Set();
     const promisesToWait = [];
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
 
     const tarballLocker = new Lock({ maxConcurrent: 5 });
-    const metadataLocker = new Lock({ maxConcurrent: 10 });
-    metadataLocker.on("freeOne", () => logger.tick("registry"));
-    tarballLocker.on("freeOne", () => logger.tick("tarball"));
+    tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
       let proceedDependencyAnalysis = true;
 
-      if (payload.dependencies.has(name)) {
+      if (dependencies.has(name)) {
         // TODO: how to handle different metadata ?
-        const dep = payload.dependencies.get(name);
+        const dep = dependencies.get(name);
 
-        const currVersion = current.versions[0];
-        if (currVersion in dep) {
+        const currVersion = Object.keys(current.versions)[0];
+        if (currVersion in dep.versions) {
           // The dependency has already entered the analysis
           // This happens if the package is used by multiple packages in the tree
           proceedDependencyAnalysis = false;
         }
         else {
-          dep[currVersion] = current[currVersion];
-          dep.versions.push(currVersion);
+          dep.versions[currVersion] = current.versions[currVersion];
         }
       }
       else {
-        payload.dependencies.set(name, current);
+        dependencies.set(name, current);
       }
 
       if (proceedDependencyAnalysis) {
-        logger.tick("walkTree");
+        logger.tick(ScannerLoggerEvents.analysis.tree);
+
+        // There is no need to fetch 'N' times the npm metadata for the same package.
+        if (fetchedMetadataPackages.has(name)) {
+          logger.tick(ScannerLoggerEvents.analysis.registry);
+        }
+        else {
+          fetchedMetadataPackages.add(name);
+          promisesToWait.push(packageMetadata(name, version, {
+            ref: current,
+            logger
+          }));
+        }
 
-        promisesToWait.push(fetchPackageMetadata(name, version, {
-          ref: current,
-          locker: metadataLocker,
-          logger
-        }));
         promisesToWait.push(scanDirOrArchive(name, version, {
-          ref: current[version],
+          ref: current.versions[version],
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
           logger
@@ -320,17 +253,17 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
       }
     }
 
-    logger.end("walkTree");
+    logger.end(ScannerLoggerEvents.analysis.tree);
 
     // Wait for all extraction to be done!
     await Promise.allSettled(promisesToWait);
     await timers.setImmediate();
 
-    logger.end("tarball").end("registry");
+    logger.end(ScannerLoggerEvents.analysis.tarball).end(ScannerLoggerEvents.analysis.registry);
   }
 
   const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
-  await hydratePayloadDependencies(payload.dependencies, {
+  await hydratePayloadDependencies(dependencies, {
     useStandardFormat: true
   });
 
@@ -338,10 +271,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   // We do this because it "seem" impossible to link all dependencies in the first walk.
   // Because we are dealing with package only one time it may happen sometimes.
-  for (const [packageName, descriptor] of payload.dependencies) {
-    for (const verStr of descriptor.versions) {
-      const verDescriptor = descriptor[verStr];
-      verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), descriptor));
+  for (const [packageName, dependency] of dependencies) {
+    for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
+      verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
 
       const fullName = `${packageName}@${verStr}`;
       const usedDeps = exclude.get(fullName) || new Set();
@@ -358,13 +290,15 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   }
 
   try {
-    payload.warnings = getDependenciesWarnings(payload.dependencies);
-    payload.dependencies = Object.fromEntries(payload.dependencies);
+    payload.warnings = getDependenciesWarnings(dependencies);
+    payload.dependencies = Object.fromEntries(dependencies);
 
     return payload;
   }
   finally {
     await timers.setImmediate();
     await fs.rm(tmpLocation, { recursive: true, force: true });
+
+    logger.emit(ScannerLoggerEvents.done);
   }
 }

package/src/manifest.js

@@ -0,0 +1,57 @@
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+
+// Import Third-party Dependencies
+import { parseManifestAuthor } from "@nodesecure/utils";
+
+// CONSTANTS
+// PR welcome to contribute to this list!
+const kNativeNpmPackages = new Set([
+  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
+]);
+
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+const kUnsafeNpmScripts = new Set([
+  "install",
+  "preinstall", "postinstall",
+  "preuninstall", "postuninstall"
+]);
+
+/**
+ * @param {!string} location
+ * @returns {import("@npm/types").PackageJson}
+ */
+export async function read(location) {
+  const packageStr = await fs.readFile(
+    path.join(location, "package.json"),
+    "utf-8"
+  );
+
+  return JSON.parse(packageStr);
+}
+
+// TODO: PR @npm/types to fix dependencies typo
+export async function readAnalyze(location) {
+  const {
+    description = "", author = {}, scripts = {},
+    dependencies = {}, devDependencies = {}, gypfile = false
+  } = await read(location);
+
+  const packageDeps = Object.keys(dependencies);
+  const packageDevDeps = Object.keys(devDependencies);
+  const hasNativePackage = [...packageDevDeps, ...packageDeps]
+    .some((pkg) => kNativeNpmPackages.has(pkg));
+
+  return {
+    author: typeof author === "string" ? parseManifestAuthor(author) : author,
+    description,
+    hasScript: Object.keys(scripts)
+      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
+    packageDeps,
+    packageDevDeps,
+    hasNativeElements: hasNativePackage || gypfile
+  };
+}