@nodesecure/scanner 3.2.1 → 3.4.1

package/README.md

@@ -49,9 +49,9 @@ await Promise.allSettled(promises);
 See `types/api.d.ts` for a complete TypeScript definition.
 
 ```ts
-function cwd(path: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function from(packageName: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function verify(packageName: string): Promise<Scanner.VerifyPayload>;
+function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
+function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
 ```
 
 `Options` is described with the following TypeScript interface:
@@ -60,6 +60,7 @@ function verify(packageName: string): Promise<Scanner.VerifyPayload>;
 interface Options {
   readonly maxDepth?: number;
   readonly usePackageLock?: boolean;
+  readonly includeDevDeps?: boolean;
   readonly vulnerabilityStrategy: Strategy.Kind;
   readonly forceRootAnalysis?: boolean;
   readonly fullLockMode?: boolean;
@@ -69,7 +70,7 @@ interface Options {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-4-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -83,6 +84,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
     <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
     <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
+    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
   </tr>
 </table>
 

package/index.js

@@ -1,63 +1,63 @@
-// Import Node.js Dependencies
-import path from "path";
-import fs from "fs/promises";
-import timers from "timers/promises";
-import os from "os";
-
-// Import Third-party Dependencies
-import pacote from "pacote";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// Import Internal Dependencies
-import { depWalker } from "./src/depWalker.js";
-import { NPM_TOKEN } from "./src/utils/index.js";
-import { ScannerLoggerEvents } from "./src/constants.js";
-import Logger from "./src/class/logger.class.js";
-import * as tarball from "./src/tarball.js";
-
-// CONSTANTS
-const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
-
-export async function cwd(cwd = process.cwd(), options = {}, logger = new Logger()) {
-  const finalizedOptions = Object.assign({}, kDefaultCwdOptions, options);
-
-  logger.start(ScannerLoggerEvents.manifest.read);
-  const packagePath = path.join(cwd, "package.json");
-  const str = await fs.readFile(packagePath, "utf-8");
-  logger.end(ScannerLoggerEvents.manifest.read);
-
-  return depWalker(JSON.parse(str), finalizedOptions, logger);
-}
-
-export async function from(packageName, options, logger = new Logger()) {
-  logger.start(ScannerLoggerEvents.manifest.fetch);
-  const manifest = await pacote.manifest(packageName, {
-    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
-  });
-  logger.end(ScannerLoggerEvents.manifest.fetch);
-
-  return depWalker(manifest, options, logger);
-}
-
-export async function verify(packageName = null) {
-  if (typeof packageName === "undefined" || packageName === null) {
-    return await tarball.scanPackage(process.cwd());
-  }
-
-  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
-  const dest = path.join(tmpLocation, packageName);
-
-  try {
-    await pacote.extract(packageName, dest, {
-      ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
-    });
-
-    return await tarball.scanPackage(dest, packageName);
-  }
-  finally {
-    await timers.setImmediate();
-    await fs.rm(tmpLocation, { recursive: true, force: true });
-  }
-}
-
-export { depWalker, tarball, Logger, ScannerLoggerEvents };
+// Import Node.js Dependencies
+import path from "path";
+import fs from "fs/promises";
+import timers from "timers/promises";
+import os from "os";
+
+// Import Third-party Dependencies
+import pacote from "pacote";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+
+// Import Internal Dependencies
+import { depWalker } from "./src/depWalker.js";
+import { NPM_TOKEN } from "./src/utils/index.js";
+import { ScannerLoggerEvents } from "./src/constants.js";
+import Logger from "./src/class/logger.class.js";
+import * as tarball from "./src/tarball.js";
+
+// CONSTANTS
+const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true, includeDevDeps: false };
+
+export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
+  const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);
+
+  logger.start(ScannerLoggerEvents.manifest.read);
+  const packagePath = path.join(location, "package.json");
+  const str = await fs.readFile(packagePath, "utf-8");
+  logger.end(ScannerLoggerEvents.manifest.read);
+
+  return depWalker(JSON.parse(str), finalizedOptions, logger);
+}
+
+export async function from(packageName, options, logger = new Logger()) {
+  logger.start(ScannerLoggerEvents.manifest.fetch);
+  const manifest = await pacote.manifest(packageName, {
+    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+  });
+  logger.end(ScannerLoggerEvents.manifest.fetch);
+
+  return depWalker(manifest, options, logger);
+}
+
+export async function verify(packageName = null) {
+  if (typeof packageName === "undefined" || packageName === null) {
+    return await tarball.scanPackage(process.cwd());
+  }
+
+  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
+  const dest = path.join(tmpLocation, packageName);
+
+  try {
+    await pacote.extract(packageName, dest, {
+      ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    });
+
+    return await tarball.scanPackage(dest, packageName);
+  }
+  finally {
+    await timers.setImmediate();
+    await fs.rm(tmpLocation, { recursive: true, force: true });
+  }
+}
+
+export { depWalker, tarball, Logger, ScannerLoggerEvents };

package/package.json

@@ -1,86 +1,86 @@
-{
-  "name": "@nodesecure/scanner",
-  "version": "3.2.1",
-  "description": "A package API to run a static analysis of your module's dependencies.",
-  "exports": "./index.js",
-  "engines": {
-    "node": ">=16"
-  },
-  "scripts": {
-    "lint": "eslint src test",
-    "prepublishOnly": "pkg-ok",
-    "test": "npm run lint && npm run test-only",
-    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
-    "coverage": "c8 -r html npm run test-only"
-  },
-  "files": [
-    "src",
-    "types",
-    "index.js",
-    "index.d.ts"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/NodeSecure/scanner.git"
-  },
-  "keywords": [
-    "node",
-    "nodejs",
-    "security",
-    "cli",
-    "sast",
-    "scanner",
-    "static",
-    "code",
-    "analysis",
-    "node_modules",
-    "tree",
-    "npm",
-    "registry",
-    "graph",
-    "visualization",
-    "dependencies"
-  ],
-  "author": "NodeSecure",
-  "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/NodeSecure/scanner/issues"
-  },
-  "homepage": "https://github.com/NodeSecure/scanner#readme",
-  "devDependencies": {
-    "@nodesecure/eslint-config": "^1.3.0",
-    "@slimio/is": "^1.5.1",
-    "@small-tech/esm-tape-runner": "^1.0.3",
-    "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^16.11.10",
-    "c8": "^7.10.0",
-    "cross-env": "^7.0.3",
-    "dotenv": "^10.0.0",
-    "eslint": "^8.3.0",
-    "get-folder-size": "^3.1.0",
-    "pkg-ok": "^2.3.1",
-    "sinon": "^12.0.1",
-    "snap-shot-core": "^10.2.4",
-    "tape": "^5.3.2"
-  },
-  "dependencies": {
-    "@nodesecure/flags": "^2.2.0",
-    "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.2.1",
-    "@nodesecure/js-x-ray": "^4.2.0",
-    "@nodesecure/npm-registry-sdk": "^1.3.0",
-    "@nodesecure/ntlp": "^2.1.0",
-    "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.4.1",
-    "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^4.1.0",
-    "@slimio/lock": "^1.0.0",
-    "builtins": "^4.0.0",
-    "combine-async-iterators": "^2.0.1",
-    "itertools": "^1.7.1",
-    "lodash.difference": "^4.5.0",
-    "pacote": "^12.0.2",
-    "semver": "^7.3.4"
-  },
-  "type": "module"
-}
+{
+  "name": "@nodesecure/scanner",
+  "version": "3.4.1",
+  "description": "A package API to run a static analysis of your module's dependencies.",
+  "exports": "./index.js",
+  "engines": {
+    "node": ">=16"
+  },
+  "scripts": {
+    "lint": "eslint src test",
+    "prepublishOnly": "pkg-ok",
+    "test": "npm run lint && npm run test-only",
+    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "coverage": "c8 -r html npm run test-only"
+  },
+  "files": [
+    "src",
+    "types",
+    "index.js",
+    "index.d.ts"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/NodeSecure/scanner.git"
+  },
+  "keywords": [
+    "node",
+    "nodejs",
+    "security",
+    "cli",
+    "sast",
+    "scanner",
+    "static",
+    "code",
+    "analysis",
+    "node_modules",
+    "tree",
+    "npm",
+    "registry",
+    "graph",
+    "visualization",
+    "dependencies"
+  ],
+  "author": "NodeSecure",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/NodeSecure/scanner/issues"
+  },
+  "homepage": "https://github.com/NodeSecure/scanner#readme",
+  "devDependencies": {
+    "@nodesecure/eslint-config": "^1.3.1",
+    "@slimio/is": "^1.5.1",
+    "@small-tech/esm-tape-runner": "^1.0.3",
+    "@small-tech/tap-monkey": "^1.3.0",
+    "@types/node": "^17.0.21",
+    "c8": "^7.11.0",
+    "cross-env": "^7.0.3",
+    "dotenv": "^16.0.0",
+    "eslint": "^8.11.0",
+    "get-folder-size": "^3.1.0",
+    "pkg-ok": "^2.3.1",
+    "sinon": "^13.0.1",
+    "snap-shot-core": "^10.2.4",
+    "tape": "^5.5.2"
+  },
+  "dependencies": {
+    "@nodesecure/flags": "^2.2.0",
+    "@nodesecure/fs-walk": "^1.0.0",
+    "@nodesecure/i18n": "^1.2.1",
+    "@nodesecure/js-x-ray": "^4.2.1",
+    "@nodesecure/npm-registry-sdk": "^1.3.0",
+    "@nodesecure/ntlp": "^2.1.0",
+    "@nodesecure/utils": "^1.0.0",
+    "@nodesecure/vuln": "^1.6.0",
+    "@npm/types": "^1.0.1",
+    "@npmcli/arborist": "^5.0.3",
+    "@slimio/lock": "^1.0.0",
+    "builtins": "^4.0.0",
+    "combine-async-iterators": "^2.0.1",
+    "itertools": "^1.7.1",
+    "lodash.difference": "^4.5.0",
+    "pacote": "^13.0.5",
+    "semver": "^7.3.4"
+  },
+  "type": "module"
+}

package/src/class/dependency.class.js

@@ -1,99 +1,101 @@
-export default class Dependency {
-  #flags = new Set();
-  #parent = null;
-
-  constructor(name, version, parent = null) {
-    this.gitUrl = null;
-    this.dependencyCount = 0;
-    this.warnings = [];
-    this.name = name;
-    this.version = version;
-
-    if (parent !== null) {
-      parent.dependencyCount++;
-    }
-    this.#parent = parent;
-  }
-
-  get fullName() {
-    return `${this.name} ${this.version}`;
-  }
-
-  get flags() {
-    return [...this.#flags];
-  }
-
-  get parent() {
-    return this.#parent === null ? {} : { [this.#parent.name]: this.#parent.version };
-  }
-
-  addFlag(flagName, predicate = true) {
-    if (typeof flagName !== "string") {
-      throw new TypeError("flagName argument must be typeof string");
-    }
-
-    if (predicate) {
-      if (flagName === "hasDependencies" && this.#parent !== null) {
-        this.#parent.addFlag("hasIndirectDependencies");
-      }
-
-      this.#flags.add(flagName);
-    }
-  }
-
-  isGit(url) {
-    this.#flags.add("isGit");
-    if (typeof url === "string") {
-      this.gitUrl = url;
-    }
-
-    return this;
-  }
-
-  exportAsPlainObject(customId) {
-    if (this.warnings.length > 0) {
-      this.addFlag("hasWarnings");
-    }
-
-    return {
-      versions: {
-        [this.version]: {
-          id: typeof customId === "number" ? customId : Dependency.currentId++,
-          usedBy: this.parent,
-          flags: this.flags,
-          description: "",
-          size: 0,
-          author: {},
-          warnings: this.warnings,
-          composition: {
-            extensions: [],
-            files: [],
-            minified: [],
-            unused: [],
-            missing: [],
-            required_files: [],
-            required_nodejs: [],
-            required_thirdparty: []
-          },
-          license: "unkown license",
-          gitUrl: this.gitUrl
-        }
-      },
-      vulnerabilities: [],
-      metadata: {
-        dependencyCount: this.dependencyCount,
-        publishedCount: 0,
-        lastUpdateAt: null,
-        lastVersion: null,
-        hasManyPublishers: false,
-        hasReceivedUpdateInOneYear: true,
-        homepage: null,
-        author: {},
-        publishers: [],
-        maintainers: []
-      }
-    };
-  }
-}
-
-Dependency.currentId = 1;
+export default class Dependency {
+  #flags = new Set();
+  #parent = null;
+
+  constructor(name, version, parent = null) {
+    this.gitUrl = null;
+    this.dependencyCount = 0;
+    this.warnings = [];
+    this.name = name;
+    this.version = version;
+    this.dev = false;
+
+    if (parent !== null) {
+      parent.dependencyCount++;
+    }
+    this.#parent = parent;
+  }
+
+  get fullName() {
+    return `${this.name} ${this.version}`;
+  }
+
+  get flags() {
+    return [...this.#flags];
+  }
+
+  get parent() {
+    return this.#parent === null ? {} : { [this.#parent.name]: this.#parent.version };
+  }
+
+  addFlag(flagName, predicate = true) {
+    if (typeof flagName !== "string") {
+      throw new TypeError("flagName argument must be typeof string");
+    }
+
+    if (predicate) {
+      if (flagName === "hasDependencies" && this.#parent !== null) {
+        this.#parent.addFlag("hasIndirectDependencies");
+      }
+
+      this.#flags.add(flagName);
+    }
+  }
+
+  isGit(url) {
+    this.#flags.add("isGit");
+    if (typeof url === "string") {
+      this.gitUrl = url;
+    }
+
+    return this;
+  }
+
+  exportAsPlainObject(customId) {
+    if (this.warnings.length > 0) {
+      this.addFlag("hasWarnings");
+    }
+
+    return {
+      versions: {
+        [this.version]: {
+          id: typeof customId === "number" ? customId : Dependency.currentId++,
+          usedBy: this.parent,
+          isDevDependency: this.dev,
+          flags: this.flags,
+          description: "",
+          size: 0,
+          author: {},
+          warnings: this.warnings,
+          composition: {
+            extensions: [],
+            files: [],
+            minified: [],
+            unused: [],
+            missing: [],
+            required_files: [],
+            required_nodejs: [],
+            required_thirdparty: []
+          },
+          license: "unkown license",
+          gitUrl: this.gitUrl
+        }
+      },
+      vulnerabilities: [],
+      metadata: {
+        dependencyCount: this.dependencyCount,
+        publishedCount: 0,
+        lastUpdateAt: null,
+        lastVersion: null,
+        hasManyPublishers: false,
+        hasReceivedUpdateInOneYear: true,
+        homepage: null,
+        author: {},
+        publishers: [],
+        maintainers: []
+      }
+    };
+  }
+}
+
+Dependency.currentId = 1;

package/src/depWalker.js

@@ -75,13 +75,15 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
   yield current;
 }
 
-export async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
+export async function* deepReadEdges(currentPackageName, options) {
+  const { to, parent, exclude, fullLockMode, includeDevDeps } = options;
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
   const current = new Dependency(currentPackageName, updatedVersion, parent);
+  current.dev = to.dev;
 
-  if (fullLockMode) {
+  if (fullLockMode && !includeDevDeps) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
       ...NPM_TOKEN,
       registry: getLocalRegistryURL(),
@@ -96,7 +98,7 @@ export async function* deepReadEdges(currentPackageName, { to, parent, exclude,
   current.addFlag("hasDependencies", to.edgesOut.size > 0);
 
   for (const [packageName, { to: toNode }] of to.edgesOut) {
-    if (toNode === null || toNode.dev) {
+    if (toNode === null || (!includeDevDeps && toNode.dev)) {
       continue;
     }
     const cleanName = `${packageName}@${toNode.package.version}`;
@@ -113,7 +115,11 @@ export async function* deepReadEdges(currentPackageName, { to, parent, exclude,
 }
 
 export async function* getRootDependencies(manifest, options) {
-  const { maxDepth = 4, exclude, usePackageLock, fullLockMode } = options;
+  const {
+    maxDepth = 4, exclude,
+    usePackageLock, fullLockMode, includeDevDeps,
+    location
+  } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
   const parent = new Dependency(manifest.name, manifest.version);
@@ -124,19 +130,24 @@ export async function* getRootDependencies(manifest, options) {
   if (usePackageLock) {
     const arb = new Arborist({
       ...NPM_TOKEN,
+      path: location,
       registry: getLocalRegistryURL()
     });
     let tree;
     try {
-      await fs.access(path.join(process.cwd(), "node_modules"));
+      await fs.access(path.join(location, "node_modules"));
       tree = await arb.loadActual();
     }
     catch {
       tree = await arb.loadVirtual();
     }
 
-    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && !to.dev)
-      .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
+    iterators = [
+      ...iter
+        .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
+        .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
+        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, includeDevDeps, exclude }))
+    ];
   }
   else {
     const configRef = { exclude, maxDepth, parent };
@@ -174,8 +185,10 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   const {
     forceRootAnalysis = false,
     usePackageLock = false,
+    includeDevDeps = false,
     fullLockMode = false,
     maxDepth,
+    location,
     vulnerabilityStrategy = vuln.strategies.NONE
   } = options;
 
@@ -205,9 +218,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
-      const { name, version } = currentDep;
+      const { name, version, dev } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
       let proceedDependencyAnalysis = true;
 
@@ -229,6 +242,11 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
         dependencies.set(name, current);
       }
 
+      // If the dependency is a DevDependencies we ignore it.
+      if (dev) {
+        continue;
+      }
+
       if (proceedDependencyAnalysis) {
         logger.tick(ScannerLoggerEvents.analysis.tree);
 
@@ -246,6 +264,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
         promisesToWait.push(scanDirOrArchive(name, version, {
           ref: current.versions[version],
+          location,
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
           logger
@@ -264,7 +283,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
   await hydratePayloadDependencies(dependencies, {
-    useStandardFormat: true
+    useStandardFormat: true,
+    path: location
   });
 
   payload.vulnerabilityStrategy = strategy;

package/src/tarball.js

@@ -1,173 +1,173 @@
-// Import Node.js Dependencies
-import path from "path";
-import os from "os";
-import timers from "timers/promises";
-
-// Import Third-party Dependencies
-import { runASTAnalysisOnFile } from "@nodesecure/js-x-ray";
-import pacote from "pacote";
-import ntlp from "@nodesecure/ntlp";
-
-// Import Internal Dependencies
-import {
-  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
-  NPM_TOKEN
-} from "./utils/index.js";
-import * as manifest from "./manifest.js";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// CONSTANTS
-const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
-const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
-
-export async function scanJavascriptFile(dest, file, packageName) {
-  const result = await runASTAnalysisOnFile(path.join(dest, file), { packageName });
-
-  const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
-  if (!result.ok) {
-    return {
-      file,
-      warnings,
-      isMinified: false,
-      tryDependencies: [],
-      dependencies: [],
-      filesDependencies: []
-    };
-  }
-  const { packages, files } = filterDependencyKind(result.dependencies, path.dirname(file));
-
-  return {
-    file,
-    warnings,
-    isMinified: result.isMinified,
-    tryDependencies: [...result.dependencies.getDependenciesInTryStatement()],
-    dependencies: packages,
-    filesDependencies: files
-  };
-}
-
-export async function scanDirOrArchive(name, version, options) {
-  const { ref, tmpLocation, locker } = options;
-
-  const isNpmTarball = !(tmpLocation === null);
-  const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : process.cwd();
-  const free = await locker.acquireOne();
-
-  try {
-    // If this is an NPM tarball then we extract it on the disk with pacote.
-    if (isNpmTarball) {
-      await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
-        ...NPM_TOKEN,
-        registry: getLocalRegistryURL(),
-        cache: `${os.homedir()}/.npm`
-      });
-      await timers.setImmediate();
-    }
-
-    // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
-    ref.author = author;
-    ref.description = description;
-
-    // Get the composition of the (extracted) directory
-    const { ext, files, size } = await getTarballComposition(dest);
-    ref.size = size;
-    ref.composition.extensions.push(...ext);
-    ref.composition.files.push(...files);
-    const hasBannedFile = files.some((path) => isSensitiveFile(path));
-    const hasNativeCode = hasNativeElements || files.some((file) => kNativeCodeExtensions.has(path.extname(file)));
-
-    // Search for minified and runtime dependencies
-    // Run a JS-X-Ray analysis on each JavaScript files of the project!
-    const fileAnalysisRaw = await Promise.allSettled(
-      files
-        .filter((name) => kJsExtname.has(path.extname(name)))
-        .map((file) => scanJavascriptFile(dest, file, name))
-    );
-
-    const fileAnalysisResults = fileAnalysisRaw
-      .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
-      .map((promiseSettledResult) => promiseSettledResult.value);
-
-    ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
-
-    const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
-    const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
-    const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));
-    const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
-
-    const {
-      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
-    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
-
-    ref.composition.required_thirdparty = thirdPartyDependencies;
-    ref.composition.unused.push(...unusedDependencies);
-    ref.composition.missing.push(...missingDependencies);
-    ref.composition.required_files = filesDependencies;
-    ref.composition.required_nodejs = nodeDependencies;
-    ref.composition.minified = minifiedFiles;
-
-    // License
-    await timers.setImmediate();
-    const licenses = await ntlp(dest);
-    const uniqueLicenseIds = Array.isArray(licenses.uniqueLicenseIds) ? licenses.uniqueLicenseIds : [];
-    ref.license = licenses;
-    ref.license.uniqueLicenseIds = uniqueLicenseIds;
-
-    ref.flags.push(...booleanToFlags({
-      ...flags,
-      hasNoLicense: uniqueLicenseIds.length === 0,
-      hasMultipleLicenses: licenses.hasMultipleLicenses,
-      hasMinifiedCode: minifiedFiles.length > 0,
-      hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
-      hasBannedFile,
-      hasNativeCode,
-      hasScript
-    }));
-  }
-  catch {
-    // Ignore
-  }
-  finally {
-    free();
-  }
-}
-
-export async function scanPackage(dest, packageName) {
-  const { type = "script", name } = await manifest.read(dest);
-
-  await timers.setImmediate();
-  const { ext, files, size } = await getTarballComposition(dest);
-  ext.delete("");
-
-  // Search for runtime dependencies
-  const dependencies = Object.create(null);
-  const [minified, warnings] = [[], []];
-
-  const JSFiles = files.filter((name) => kJsExtname.has(path.extname(name)));
-  for (const file of JSFiles) {
-    const result = await runASTAnalysisOnFile(path.join(dest, file), {
-      packageName: packageName ?? name,
-      module: type === "module"
-    });
-
-    warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
-    if (!result.ok) {
-      continue;
-    }
-
-    dependencies[file] = result.dependencies.dependencies;
-    result.isMinified && minified.push(file);
-  }
-
-  await timers.setImmediate();
-  const { uniqueLicenseIds, licenses } = await ntlp(dest);
-
-  return {
-    files: { list: files, extensions: [...ext], minified },
-    directorySize: size,
-    uniqueLicenseIds,
-    licenses,
-    ast: { dependencies, warnings }
-  };
-}
+// Import Node.js Dependencies
+import path from "path";
+import os from "os";
+import timers from "timers/promises";
+
+// Import Third-party Dependencies
+import { runASTAnalysisOnFile } from "@nodesecure/js-x-ray";
+import pacote from "pacote";
+import ntlp from "@nodesecure/ntlp";
+
+// Import Internal Dependencies
+import {
+  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
+  NPM_TOKEN
+} from "./utils/index.js";
+import * as manifest from "./manifest.js";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+
+// CONSTANTS
+const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
+const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
+
+export async function scanJavascriptFile(dest, file, packageName) {
+  const result = await runASTAnalysisOnFile(path.join(dest, file), { packageName });
+
+  const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
+  if (!result.ok) {
+    return {
+      file,
+      warnings,
+      isMinified: false,
+      tryDependencies: [],
+      dependencies: [],
+      filesDependencies: []
+    };
+  }
+  const { packages, files } = filterDependencyKind(result.dependencies, path.dirname(file));
+
+  return {
+    file,
+    warnings,
+    isMinified: result.isMinified,
+    tryDependencies: [...result.dependencies.getDependenciesInTryStatement()],
+    dependencies: packages,
+    filesDependencies: files
+  };
+}
+
+export async function scanDirOrArchive(name, version, options) {
+  const { ref, location = process.cwd(), tmpLocation, locker } = options;
+
+  const isNpmTarball = !(tmpLocation === null);
+  const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
+  const free = await locker.acquireOne();
+
+  try {
+    // If this is an NPM tarball then we extract it on the disk with pacote.
+    if (isNpmTarball) {
+      await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
+        ...NPM_TOKEN,
+        registry: getLocalRegistryURL(),
+        cache: `${os.homedir()}/.npm`
+      });
+      await timers.setImmediate();
+    }
+
+    // Read the package.json at the root of the directory or archive.
+    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
+    ref.author = author;
+    ref.description = description;
+
+    // Get the composition of the (extracted) directory
+    const { ext, files, size } = await getTarballComposition(dest);
+    ref.size = size;
+    ref.composition.extensions.push(...ext);
+    ref.composition.files.push(...files);
+    const hasBannedFile = files.some((path) => isSensitiveFile(path));
+    const hasNativeCode = hasNativeElements || files.some((file) => kNativeCodeExtensions.has(path.extname(file)));
+
+    // Search for minified and runtime dependencies
+    // Run a JS-X-Ray analysis on each JavaScript files of the project!
+    const fileAnalysisRaw = await Promise.allSettled(
+      files
+        .filter((name) => kJsExtname.has(path.extname(name)))
+        .map((file) => scanJavascriptFile(dest, file, name))
+    );
+
+    const fileAnalysisResults = fileAnalysisRaw
+      .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+      .map((promiseSettledResult) => promiseSettledResult.value);
+
+    ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
+
+    const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
+    const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
+    const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));
+    const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
+
+    const {
+      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
+
+    ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.unused.push(...unusedDependencies);
+    ref.composition.missing.push(...missingDependencies);
+    ref.composition.required_files = filesDependencies;
+    ref.composition.required_nodejs = nodeDependencies;
+    ref.composition.minified = minifiedFiles;
+
+    // License
+    await timers.setImmediate();
+    const licenses = await ntlp(dest);
+    const uniqueLicenseIds = Array.isArray(licenses.uniqueLicenseIds) ? licenses.uniqueLicenseIds : [];
+    ref.license = licenses;
+    ref.license.uniqueLicenseIds = uniqueLicenseIds;
+
+    ref.flags.push(...booleanToFlags({
+      ...flags,
+      hasNoLicense: uniqueLicenseIds.length === 0,
+      hasMultipleLicenses: licenses.hasMultipleLicenses,
+      hasMinifiedCode: minifiedFiles.length > 0,
+      hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
+      hasBannedFile,
+      hasNativeCode,
+      hasScript
+    }));
+  }
+  catch {
+    // Ignore
+  }
+  finally {
+    free();
+  }
+}
+
+export async function scanPackage(dest, packageName) {
+  const { type = "script", name } = await manifest.read(dest);
+
+  await timers.setImmediate();
+  const { ext, files, size } = await getTarballComposition(dest);
+  ext.delete("");
+
+  // Search for runtime dependencies
+  const dependencies = Object.create(null);
+  const [minified, warnings] = [[], []];
+
+  const JSFiles = files.filter((name) => kJsExtname.has(path.extname(name)));
+  for (const file of JSFiles) {
+    const result = await runASTAnalysisOnFile(path.join(dest, file), {
+      packageName: packageName ?? name,
+      module: type === "module"
+    });
+
+    warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
+    if (!result.ok) {
+      continue;
+    }
+
+    dependencies[file] = result.dependencies.dependencies;
+    result.isMinified && minified.push(file);
+  }
+
+  await timers.setImmediate();
+  const { uniqueLicenseIds, licenses } = await ntlp(dest);
+
+  return {
+    files: { list: files, extensions: [...ext], minified },
+    directorySize: size,
+    uniqueLicenseIds,
+    licenses,
+    ast: { dependencies, warnings }
+  };
+}

package/src/utils/warnings.js

@@ -1,36 +1,36 @@
-// Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
-
-// CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kWarningsMessages = Object.freeze({
-  "@scarf/scarf": getToken("warnings.disable_scarf"),
-  iohook: getToken("warnings.keylogging")
-});
-const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
-
-function getWarning(depName) {
-  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
-}
-
-export function getDependenciesWarnings(dependencies) {
-  const warnings = [];
-  for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
-      warnings.push(getWarning(depName));
-    }
-  }
-
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
-}
-
+// Import Third-party Dependencies
+import { getToken, taggedString } from "@nodesecure/i18n";
+
+// CONSTANTS
+const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kWarningsMessages = Object.freeze({
+  "@scarf/scarf": getToken("warnings.disable_scarf"),
+  iohook: getToken("warnings.keylogging")
+});
+const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+
+function getWarning(depName) {
+  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
+}
+
+export function getDependenciesWarnings(dependencies) {
+  const warnings = [];
+  for (const depName of kPackages) {
+    if (dependencies.has(depName)) {
+      warnings.push(getWarning(depName));
+    }
+  }
+
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
+
+  return warnings;
+}
+

package/types/api.d.ts

@@ -1,15 +1,15 @@
-import Scanner from "./scanner";
-import { Logger, LoggerEvents } from "./logger";
-
-export {
-  cwd,
-  from,
-  verify,
-  ScannerLoggerEvents
-}
-
-declare const ScannerLoggerEvents: LoggerEvents;
-
-declare function cwd(path: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function verify(packageName: string): Promise<Scanner.VerifyPayload>;
+import Scanner from "./scanner";
+import { Logger, LoggerEvents } from "./logger";
+
+export {
+  cwd,
+  from,
+  verify,
+  ScannerLoggerEvents
+}
+
+declare const ScannerLoggerEvents: LoggerEvents;
+
+declare function cwd(location: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
+declare function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">, logger?: Logger): Promise<Scanner.Payload>;
+declare function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;

package/types/scanner.d.ts

@@ -33,6 +33,7 @@ declare namespace Scanner {
   export interface DependencyVersion {
     /** Id of the package (useful for usedBy relation) */
     id: number;
+    isDevDependency: boolean;
     /** By whom (id) is used the package */
     usedBy: Record<string, string>;
     /** Size on disk of the extracted tarball (in bytes) */
@@ -162,6 +163,12 @@ declare namespace Scanner {
      * @default true  for cwd()  API
      */
     readonly usePackageLock?: boolean;
+    /**
+     * Include project devDependencies (only available for cwd command)
+     *
+     * @default false
+     */
+    readonly includeDevDeps?: boolean;
     /**
      * Vulnerability strategy name (npm, snyk, node)
      *