@nodesecure/scanner 3.3.0 → 3.4.0

package/README.md

@@ -50,7 +50,7 @@ See `types/api.d.ts` for a complete TypeScript definition.
 
 ```ts
 function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function from(packageName: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
 function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
 ```
 
@@ -60,6 +60,7 @@ function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
 interface Options {
   readonly maxDepth?: number;
   readonly usePackageLock?: boolean;
+  readonly includeDevDeps?: boolean;
   readonly vulnerabilityStrategy: Strategy.Kind;
   readonly forceRootAnalysis?: boolean;
   readonly fullLockMode?: boolean;

package/index.js

@@ -16,7 +16,7 @@ import Logger from "./src/class/logger.class.js";
 import * as tarball from "./src/tarball.js";
 
 // CONSTANTS
-const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
+const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true, includeDevDeps: false };
 
 export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
   const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -52,34 +52,34 @@
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^1.0.3",
     "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^17.0.13",
+    "@types/node": "^17.0.21",
     "c8": "^7.11.0",
     "cross-env": "^7.0.3",
-    "dotenv": "^14.3.2",
-    "eslint": "^8.7.0",
+    "dotenv": "^16.0.0",
+    "eslint": "^8.11.0",
     "get-folder-size": "^3.1.0",
     "pkg-ok": "^2.3.1",
-    "sinon": "^12.0.1",
+    "sinon": "^13.0.1",
     "snap-shot-core": "^10.2.4",
-    "tape": "^5.5.0"
+    "tape": "^5.5.2"
   },
   "dependencies": {
     "@nodesecure/flags": "^2.2.0",
     "@nodesecure/fs-walk": "^1.0.0",
     "@nodesecure/i18n": "^1.2.1",
-    "@nodesecure/js-x-ray": "^4.2.0",
+    "@nodesecure/js-x-ray": "^4.2.1",
     "@nodesecure/npm-registry-sdk": "^1.3.0",
     "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.5.0",
+    "@nodesecure/vuln": "^1.6.0",
     "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^4.3.0",
+    "@npmcli/arborist": "^5.0.3",
     "@slimio/lock": "^1.0.0",
     "builtins": "^4.0.0",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^12.0.3",
+    "pacote": "^13.0.5",
     "semver": "^7.3.4"
   },
   "type": "module"

package/src/class/dependency.class.js

@@ -1,99 +1,101 @@
-export default class Dependency {
-  #flags = new Set();
-  #parent = null;
-
-  constructor(name, version, parent = null) {
-    this.gitUrl = null;
-    this.dependencyCount = 0;
-    this.warnings = [];
-    this.name = name;
-    this.version = version;
-
-    if (parent !== null) {
-      parent.dependencyCount++;
-    }
-    this.#parent = parent;
-  }
-
-  get fullName() {
-    return `${this.name} ${this.version}`;
-  }
-
-  get flags() {
-    return [...this.#flags];
-  }
-
-  get parent() {
-    return this.#parent === null ? {} : { [this.#parent.name]: this.#parent.version };
-  }
-
-  addFlag(flagName, predicate = true) {
-    if (typeof flagName !== "string") {
-      throw new TypeError("flagName argument must be typeof string");
-    }
-
-    if (predicate) {
-      if (flagName === "hasDependencies" && this.#parent !== null) {
-        this.#parent.addFlag("hasIndirectDependencies");
-      }
-
-      this.#flags.add(flagName);
-    }
-  }
-
-  isGit(url) {
-    this.#flags.add("isGit");
-    if (typeof url === "string") {
-      this.gitUrl = url;
-    }
-
-    return this;
-  }
-
-  exportAsPlainObject(customId) {
-    if (this.warnings.length > 0) {
-      this.addFlag("hasWarnings");
-    }
-
-    return {
-      versions: {
-        [this.version]: {
-          id: typeof customId === "number" ? customId : Dependency.currentId++,
-          usedBy: this.parent,
-          flags: this.flags,
-          description: "",
-          size: 0,
-          author: {},
-          warnings: this.warnings,
-          composition: {
-            extensions: [],
-            files: [],
-            minified: [],
-            unused: [],
-            missing: [],
-            required_files: [],
-            required_nodejs: [],
-            required_thirdparty: []
-          },
-          license: "unkown license",
-          gitUrl: this.gitUrl
-        }
-      },
-      vulnerabilities: [],
-      metadata: {
-        dependencyCount: this.dependencyCount,
-        publishedCount: 0,
-        lastUpdateAt: null,
-        lastVersion: null,
-        hasManyPublishers: false,
-        hasReceivedUpdateInOneYear: true,
-        homepage: null,
-        author: {},
-        publishers: [],
-        maintainers: []
-      }
-    };
-  }
-}
-
-Dependency.currentId = 1;
+export default class Dependency {
+  #flags = new Set();
+  #parent = null;
+
+  constructor(name, version, parent = null) {
+    this.gitUrl = null;
+    this.dependencyCount = 0;
+    this.warnings = [];
+    this.name = name;
+    this.version = version;
+    this.dev = false;
+
+    if (parent !== null) {
+      parent.dependencyCount++;
+    }
+    this.#parent = parent;
+  }
+
+  get fullName() {
+    return `${this.name} ${this.version}`;
+  }
+
+  get flags() {
+    return [...this.#flags];
+  }
+
+  get parent() {
+    return this.#parent === null ? {} : { [this.#parent.name]: this.#parent.version };
+  }
+
+  addFlag(flagName, predicate = true) {
+    if (typeof flagName !== "string") {
+      throw new TypeError("flagName argument must be typeof string");
+    }
+
+    if (predicate) {
+      if (flagName === "hasDependencies" && this.#parent !== null) {
+        this.#parent.addFlag("hasIndirectDependencies");
+      }
+
+      this.#flags.add(flagName);
+    }
+  }
+
+  isGit(url) {
+    this.#flags.add("isGit");
+    if (typeof url === "string") {
+      this.gitUrl = url;
+    }
+
+    return this;
+  }
+
+  exportAsPlainObject(customId) {
+    if (this.warnings.length > 0) {
+      this.addFlag("hasWarnings");
+    }
+
+    return {
+      versions: {
+        [this.version]: {
+          id: typeof customId === "number" ? customId : Dependency.currentId++,
+          usedBy: this.parent,
+          isDevDependency: this.dev,
+          flags: this.flags,
+          description: "",
+          size: 0,
+          author: {},
+          warnings: this.warnings,
+          composition: {
+            extensions: [],
+            files: [],
+            minified: [],
+            unused: [],
+            missing: [],
+            required_files: [],
+            required_nodejs: [],
+            required_thirdparty: []
+          },
+          license: "unkown license",
+          gitUrl: this.gitUrl
+        }
+      },
+      vulnerabilities: [],
+      metadata: {
+        dependencyCount: this.dependencyCount,
+        publishedCount: 0,
+        lastUpdateAt: null,
+        lastVersion: null,
+        hasManyPublishers: false,
+        hasReceivedUpdateInOneYear: true,
+        homepage: null,
+        author: {},
+        publishers: [],
+        maintainers: []
+      }
+    };
+  }
+}
+
+Dependency.currentId = 1;

package/src/depWalker.js

@@ -75,13 +75,15 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
   yield current;
 }
 
-export async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
+export async function* deepReadEdges(currentPackageName, options) {
+  const { to, parent, exclude, fullLockMode, includeDevDeps } = options;
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
   const current = new Dependency(currentPackageName, updatedVersion, parent);
+  current.dev = to.dev;
 
-  if (fullLockMode) {
+  if (fullLockMode && !includeDevDeps) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
       ...NPM_TOKEN,
       registry: getLocalRegistryURL(),
@@ -96,7 +98,7 @@ export async function* deepReadEdges(currentPackageName, { to, parent, exclude,
   current.addFlag("hasDependencies", to.edgesOut.size > 0);
 
   for (const [packageName, { to: toNode }] of to.edgesOut) {
-    if (toNode === null || toNode.dev) {
+    if (toNode === null || (!includeDevDeps && toNode.dev)) {
       continue;
     }
     const cleanName = `${packageName}@${toNode.package.version}`;
@@ -113,7 +115,11 @@ export async function* deepReadEdges(currentPackageName, { to, parent, exclude,
 }
 
 export async function* getRootDependencies(manifest, options) {
-  const { maxDepth = 4, exclude, usePackageLock, fullLockMode, location } = options;
+  const {
+    maxDepth = 4, exclude,
+    usePackageLock, fullLockMode, includeDevDeps,
+    location
+  } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
   const parent = new Dependency(manifest.name, manifest.version);
@@ -137,9 +143,10 @@ export async function* getRootDependencies(manifest, options) {
     }
 
     iterators = [
-      ...iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (!to.dev || to.isWorkspace))
+      ...iter
+        .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
         .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
-        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }))
+        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, includeDevDeps, exclude }))
     ];
   }
   else {
@@ -178,6 +185,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   const {
     forceRootAnalysis = false,
     usePackageLock = false,
+    includeDevDeps = false,
     fullLockMode = false,
     maxDepth,
     location,
@@ -210,9 +218,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, location };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
-      const { name, version } = currentDep;
+      const { name, version, dev } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
       let proceedDependencyAnalysis = true;
 
@@ -234,6 +242,11 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
         dependencies.set(name, current);
       }
 
+      // If the dependency is a DevDependencies we ignore it.
+      if (dev) {
+        continue;
+      }
+
       if (proceedDependencyAnalysis) {
         logger.tick(ScannerLoggerEvents.analysis.tree);
 

package/src/utils/warnings.js

@@ -1,36 +1,36 @@
-// Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
-
-// CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kWarningsMessages = Object.freeze({
-  "@scarf/scarf": getToken("warnings.disable_scarf"),
-  iohook: getToken("warnings.keylogging")
-});
-const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
-
-function getWarning(depName) {
-  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
-}
-
-export function getDependenciesWarnings(dependencies) {
-  const warnings = [];
-  for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
-      warnings.push(getWarning(depName));
-    }
-  }
-
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
-}
-
+// Import Third-party Dependencies
+import { getToken, taggedString } from "@nodesecure/i18n";
+
+// CONSTANTS
+const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kWarningsMessages = Object.freeze({
+  "@scarf/scarf": getToken("warnings.disable_scarf"),
+  iohook: getToken("warnings.keylogging")
+});
+const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+
+function getWarning(depName) {
+  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
+}
+
+export function getDependenciesWarnings(dependencies) {
+  const warnings = [];
+  for (const depName of kPackages) {
+    if (dependencies.has(depName)) {
+      warnings.push(getWarning(depName));
+    }
+  }
+
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
+
+  return warnings;
+}
+

package/types/api.d.ts

@@ -11,5 +11,5 @@ export {
 declare const ScannerLoggerEvents: LoggerEvents;
 
 declare function cwd(location: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
+declare function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">, logger?: Logger): Promise<Scanner.Payload>;
 declare function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;

package/types/scanner.d.ts

@@ -1,185 +1,192 @@
-// Import NodeSecure Dependencies
-import * as JSXRay from "@nodesecure/js-x-ray";
-import { license as License } from "@nodesecure/ntlp";
-import * as Vuln from "@nodesecure/vuln";
-import { Flags } from "@nodesecure/flags";
-
-// Import Third-party Dependencies
-import { Maintainer } from "@npm/types";
-
-export = Scanner;
-
-declare namespace Scanner {
-  export interface Publisher {
-    /**
-     * Publisher npm user name.
-     */
-    name: string;
-    /**
-     * Publisher npm user email.
-     */
-    email: string;
-    /**
-     * First version published.
-     */
-    version: string;
-    /**
-     * Date of the first publication
-     * @example 2021-08-10T20:45:08.342Z
-     */
-    at: string;
-  }
-
-  export interface DependencyVersion {
-    /** Id of the package (useful for usedBy relation) */
-    id: number;
-    /** By whom (id) is used the package */
-    usedBy: Record<string, string>;
-    /** Size on disk of the extracted tarball (in bytes) */
-    size: number;
-    /** Package description */
-    description: string;
-    /** Author of the package. This information is not trustable and can be empty. */
-    author: Maintainer;
-    /**
-     * JS-X-Ray warnings
-     *
-     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
-     */
-    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    /** Tarball composition (files and dependencies) */
-    composition: {
-      /** Files extensions (.js, .md, .exe etc..) */
-      extensions: string[];
-      files: string[];
-      /** Minified files (foo.min.js etc..) */
-      minified: string[];
-      required_files: string[];
-      required_thirdparty: string[];
-      required_nodejs: string[];
-      unused: string[];
-      missing: string[];
-    };
-    /**
-     * Package licenses with SPDX expression.
-     *
-     * @see https://github.com/NodeSecure/licenses-conformance
-     * @see https://github.com/NodeSecure/npm-tarball-license-parser
-     */
-    license: License[];
-    /**
-     * Flags (Array of string)
-     *
-     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
-     */
-    flags: Flags[];
-    /**
-     * If the dependency is a GIT repository
-     */
-    gitUrl: null | string;
-  }
-
-  export interface Dependency {
-    /** NPM Registry metadata */
-    metadata: {
-      /** Count of dependencies */
-      dependencyCount: number;
-      /** Number of releases published on npm */
-      publishedCount: number;
-      lastUpdateAt: number;
-      /** Last version SemVer */
-      lastVersion: number;
-      hasChangedAuthor: boolean;
-      hasManyPublishers: boolean;
-      hasReceivedUpdateInOneYear: boolean;
-      /** Author of the package. This information is not trustable and can be empty. */
-      author: Maintainer;
-      /** Package home page */
-      homepage: string | null;
-      /**
-       * List of maintainers (list of people in the organization related to the package)
-       */
-      maintainers: { name: string, email: string }[];
-      /**
-       * List of people who published this package
-       */
-      publishers: Publisher[];
-    }
-    /** List of versions of this package available in the dependency tree (In the payload) */
-    versions: Record<string, DependencyVersion>;
-    /**
-     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
-     *
-     * @see https://github.com/NodeSecure/vuln
-     */
-    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
-  }
-
-  export type GlobalWarning = string[];
-  export type Dependencies = Record<string, Dependency>;
-
-  export interface Payload {
-    /** Payload unique id */
-    id: string;
-    /** Name of the analyzed package */
-    rootDependencyName: string;
-    /** Global warnings list */
-    warnings: GlobalWarning[];
-    /** All the dependencies of the package (flattened) */
-    dependencies: Dependencies;
-    /** Version of the scanner used to generate the result */
-    scannerVersion: string;
-    /** Vulnerability strategy name (npm, snyk, node) */
-    vulnerabilityStrategy: Vuln.Strategy.Kind;
-  }
-
-  export interface VerifyPayload {
-    files: {
-      list: string[];
-      extensions: string[];
-      minified: string[];
-    };
-    directorySize: number;
-    uniqueLicenseIds: string[];
-    licenses: License[];
-    ast: {
-      dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    };
-  }
-
-  export interface Options {
-    /**
-     * Maximum tree depth
-     *
-     * @default 4
-     */
-    readonly maxDepth?: number;
-    /**
-     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly usePackageLock?: boolean;
-    /**
-     * Vulnerability strategy name (npm, snyk, node)
-     *
-     * @default NONE
-     */
-    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
-    /**
-     * Analyze root package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly forceRootAnalysis?: boolean;
-    /**
-     * Deeper dependencies analysis with cwd() API.
-     *
-     * @default false
-     */
-    readonly fullLockMode?: boolean;
-  }
-}
+// Import NodeSecure Dependencies
+import * as JSXRay from "@nodesecure/js-x-ray";
+import { license as License } from "@nodesecure/ntlp";
+import * as Vuln from "@nodesecure/vuln";
+import { Flags } from "@nodesecure/flags";
+
+// Import Third-party Dependencies
+import { Maintainer } from "@npm/types";
+
+export = Scanner;
+
+declare namespace Scanner {
+  export interface Publisher {
+    /**
+     * Publisher npm user name.
+     */
+    name: string;
+    /**
+     * Publisher npm user email.
+     */
+    email: string;
+    /**
+     * First version published.
+     */
+    version: string;
+    /**
+     * Date of the first publication
+     * @example 2021-08-10T20:45:08.342Z
+     */
+    at: string;
+  }
+
+  export interface DependencyVersion {
+    /** Id of the package (useful for usedBy relation) */
+    id: number;
+    isDevDependency: boolean;
+    /** By whom (id) is used the package */
+    usedBy: Record<string, string>;
+    /** Size on disk of the extracted tarball (in bytes) */
+    size: number;
+    /** Package description */
+    description: string;
+    /** Author of the package. This information is not trustable and can be empty. */
+    author: Maintainer;
+    /**
+     * JS-X-Ray warnings
+     *
+     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
+     */
+    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    /** Tarball composition (files and dependencies) */
+    composition: {
+      /** Files extensions (.js, .md, .exe etc..) */
+      extensions: string[];
+      files: string[];
+      /** Minified files (foo.min.js etc..) */
+      minified: string[];
+      required_files: string[];
+      required_thirdparty: string[];
+      required_nodejs: string[];
+      unused: string[];
+      missing: string[];
+    };
+    /**
+     * Package licenses with SPDX expression.
+     *
+     * @see https://github.com/NodeSecure/licenses-conformance
+     * @see https://github.com/NodeSecure/npm-tarball-license-parser
+     */
+    license: License[];
+    /**
+     * Flags (Array of string)
+     *
+     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
+     */
+    flags: Flags[];
+    /**
+     * If the dependency is a GIT repository
+     */
+    gitUrl: null | string;
+  }
+
+  export interface Dependency {
+    /** NPM Registry metadata */
+    metadata: {
+      /** Count of dependencies */
+      dependencyCount: number;
+      /** Number of releases published on npm */
+      publishedCount: number;
+      lastUpdateAt: number;
+      /** Last version SemVer */
+      lastVersion: number;
+      hasChangedAuthor: boolean;
+      hasManyPublishers: boolean;
+      hasReceivedUpdateInOneYear: boolean;
+      /** Author of the package. This information is not trustable and can be empty. */
+      author: Maintainer;
+      /** Package home page */
+      homepage: string | null;
+      /**
+       * List of maintainers (list of people in the organization related to the package)
+       */
+      maintainers: { name: string, email: string }[];
+      /**
+       * List of people who published this package
+       */
+      publishers: Publisher[];
+    }
+    /** List of versions of this package available in the dependency tree (In the payload) */
+    versions: Record<string, DependencyVersion>;
+    /**
+     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
+     *
+     * @see https://github.com/NodeSecure/vuln
+     */
+    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
+  }
+
+  export type GlobalWarning = string[];
+  export type Dependencies = Record<string, Dependency>;
+
+  export interface Payload {
+    /** Payload unique id */
+    id: string;
+    /** Name of the analyzed package */
+    rootDependencyName: string;
+    /** Global warnings list */
+    warnings: GlobalWarning[];
+    /** All the dependencies of the package (flattened) */
+    dependencies: Dependencies;
+    /** Version of the scanner used to generate the result */
+    scannerVersion: string;
+    /** Vulnerability strategy name (npm, snyk, node) */
+    vulnerabilityStrategy: Vuln.Strategy.Kind;
+  }
+
+  export interface VerifyPayload {
+    files: {
+      list: string[];
+      extensions: string[];
+      minified: string[];
+    };
+    directorySize: number;
+    uniqueLicenseIds: string[];
+    licenses: License[];
+    ast: {
+      dependencies: Record<string, JSXRay.Dependency>;
+      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    };
+  }
+
+  export interface Options {
+    /**
+     * Maximum tree depth
+     *
+     * @default 4
+     */
+    readonly maxDepth?: number;
+    /**
+     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly usePackageLock?: boolean;
+    /**
+     * Include project devDependencies (only available for cwd command)
+     *
+     * @default false
+     */
+    readonly includeDevDeps?: boolean;
+    /**
+     * Vulnerability strategy name (npm, snyk, node)
+     *
+     * @default NONE
+     */
+    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
+    /**
+     * Analyze root package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly forceRootAnalysis?: boolean;
+    /**
+     * Deeper dependencies analysis with cwd() API.
+     *
+     * @default false
+     */
+    readonly fullLockMode?: boolean;
+  }
+}