@nodesecure/scanner 3.3.0 → 3.5.0

package/src/manifest.js

@@ -1,57 +1,58 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-
-// Import Third-party Dependencies
-import { parseManifestAuthor } from "@nodesecure/utils";
-
-// CONSTANTS
-// PR welcome to contribute to this list!
-const kNativeNpmPackages = new Set([
-  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
-]);
-
-/**
- * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
- */
-const kUnsafeNpmScripts = new Set([
-  "install",
-  "preinstall", "postinstall",
-  "preuninstall", "postuninstall"
-]);
-
-/**
- * @param {!string} location
- * @returns {import("@npm/types").PackageJson}
- */
-export async function read(location) {
-  const packageStr = await fs.readFile(
-    path.join(location, "package.json"),
-    "utf-8"
-  );
-
-  return JSON.parse(packageStr);
-}
-
-// TODO: PR @npm/types to fix dependencies typo
-export async function readAnalyze(location) {
-  const {
-    description = "", author = {}, scripts = {},
-    dependencies = {}, devDependencies = {}, gypfile = false
-  } = await read(location);
-
-  const packageDeps = Object.keys(dependencies);
-  const packageDevDeps = Object.keys(devDependencies);
-  const hasNativePackage = [...packageDevDeps, ...packageDeps]
-    .some((pkg) => kNativeNpmPackages.has(pkg));
-
-  return {
-    author: typeof author === "string" ? parseManifestAuthor(author) : author,
-    description,
-    hasScript: Object.keys(scripts)
-      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
-    packageDeps,
-    packageDevDeps,
-    hasNativeElements: hasNativePackage || gypfile
-  };
-}
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+
+// Import Third-party Dependencies
+import { parseManifestAuthor } from "@nodesecure/utils";
+
+// CONSTANTS
+// PR welcome to contribute to this list!
+const kNativeNpmPackages = new Set([
+  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
+]);
+
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+const kUnsafeNpmScripts = new Set([
+  "install",
+  "preinstall", "postinstall",
+  "preuninstall", "postuninstall"
+]);
+
+/**
+ * @param {!string} location
+ * @returns {import("@npm/types").PackageJson}
+ */
+export async function read(location) {
+  const packageStr = await fs.readFile(
+    path.join(location, "package.json"),
+    "utf-8"
+  );
+
+  return JSON.parse(packageStr);
+}
+
+export async function readAnalyze(location) {
+  const {
+    description = "", author = {}, scripts = {},
+    dependencies = {}, devDependencies = {}, gypfile = false,
+    imports = {}
+  } = await read(location);
+
+  const packageDeps = Object.keys(dependencies);
+  const packageDevDeps = Object.keys(devDependencies);
+  const hasNativePackage = [...packageDevDeps, ...packageDeps]
+    .some((pkg) => kNativeNpmPackages.has(pkg));
+
+  return {
+    author: typeof author === "string" ? parseManifestAuthor(author) : author,
+    description,
+    hasScript: Object.keys(scripts)
+      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
+    packageDeps,
+    packageDevDeps,
+    nodejs: { imports },
+    hasNativeElements: hasNativePackage || gypfile
+  };
+}

package/src/npmRegistry.js

@@ -1,68 +1,74 @@
-// Import Third-party Dependencies
-import semver from "semver";
-import { parseManifestAuthor } from "@nodesecure/utils";
-import { packument } from "@nodesecure/npm-registry-sdk";
-
-export function parseAuthor(author) {
-  return typeof author === "string" ? parseManifestAuthor(author) : author;
-}
-
-export async function packageMetadata(name, version, options) {
-  const { ref, logger } = options;
-
-  try {
-    const pkg = await packument(name);
-
-    const oneYearFromToday = new Date();
-    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
-
-    const lastVersion = pkg["dist-tags"].latest;
-    const lastUpdateAt = new Date(pkg.time[lastVersion]);
-    const metadata = {
-      author: parseAuthor(pkg.author) ?? {},
-      homepage: pkg.homepage || null,
-      publishedCount: Object.values(pkg.versions).length,
-      lastVersion,
-      lastUpdateAt,
-      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
-      maintainers: pkg.maintainers,
-      publishers: []
-    };
-
-    const isOutdated = semver.neq(version, lastVersion);
-    if (isOutdated) {
-      ref.versions[version].flags.push("isOutdated");
-    }
-
-    const publishers = new Set();
-    for (const ver of Object.values(pkg.versions).reverse()) {
-      const { _npmUser: npmUser, version } = ver;
-      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
-      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
-        continue;
-      }
-
-      const authorName = metadata.author?.name ?? null;
-      if (authorName === null) {
-        metadata.author = npmUser;
-      }
-      else if (npmUser.name !== metadata.author.name) {
-        metadata.hasManyPublishers = true;
-      }
-
-      // TODO: add npmUser.email
-      if (!publishers.has(npmUser.name)) {
-        publishers.add(npmUser.name);
-        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
-      }
-    }
-
-    Object.assign(ref.metadata, metadata);
-  }
-  catch {
-    // ignore
-  }
-  finally {
-    logger.tick("registry");
-  }
-}
+// Import Third-party Dependencies
+import semver from "semver";
+import { parseManifestAuthor } from "@nodesecure/utils";
+import { packument } from "@nodesecure/npm-registry-sdk";
+
+export function parseAuthor(author) {
+  return typeof author === "string" ? parseManifestAuthor(author) : author;
+}
+
+export async function packageMetadata(name, version, options) {
+  const { ref, logger } = options;
+
+  try {
+    const pkg = await packument(name);
+
+    const oneYearFromToday = new Date();
+    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
+
+    const lastVersion = pkg["dist-tags"].latest;
+    const lastUpdateAt = new Date(pkg.time[lastVersion]);
+    const metadata = {
+      author: parseAuthor(pkg.author) ?? {},
+      homepage: pkg.homepage || null,
+      publishedCount: Object.values(pkg.versions).length,
+      lastVersion,
+      lastUpdateAt,
+      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
+      maintainers: pkg.maintainers ?? [],
+      publishers: []
+    };
+
+    const isOutdated = semver.neq(version, lastVersion);
+    if (isOutdated) {
+      ref.versions[version].flags.push("isOutdated");
+    }
+
+    const publishers = new Set();
+    let searchForMaintainersInVersions = metadata.maintainers.length === 0;
+    for (const ver of Object.values(pkg.versions).reverse()) {
+      const { _npmUser: npmUser, version, maintainers = [] } = ver;
+      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
+      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
+        continue;
+      }
+
+      const authorName = metadata.author?.name ?? null;
+      if (authorName === null) {
+        metadata.author = npmUser;
+      }
+      else if (npmUser.name !== metadata.author.name) {
+        metadata.hasManyPublishers = true;
+      }
+
+      // TODO: add npmUser.email
+      if (!publishers.has(npmUser.name)) {
+        publishers.add(npmUser.name);
+        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
+      }
+
+      if (searchForMaintainersInVersions) {
+        metadata.maintainers.push(...maintainers);
+        searchForMaintainersInVersions = false;
+      }
+    }
+
+    Object.assign(ref.metadata, metadata);
+  }
+  catch {
+    // ignore
+  }
+  finally {
+    logger.tick("registry");
+  }
+}

package/src/tarball.js

@@ -65,7 +65,9 @@ export async function scanDirOrArchive(name, version, options) {
     }
 
     // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
+    const {
+      packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements, nodejs
+    } = await manifest.readAnalyze(dest);
     ref.author = author;
     ref.description = description;
 
@@ -97,10 +99,11 @@ export async function scanDirOrArchive(name, version, options) {
     const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
 
     const {
-      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
-    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
+      nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies, nodeImports: nodejs.imports });
 
     ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.required_subpath = Object.fromEntries(subpathImportsDependencies);
     ref.composition.unused.push(...unusedDependencies);
     ref.composition.missing.push(...missingDependencies);
     ref.composition.required_files = filesDependencies;

package/src/utils/analyzeDependencies.js

@@ -1,40 +1,71 @@
-// Import Third-party Dependencies
-import difference from "lodash.difference";
-import builtins from "builtins";
-
-// Import Internal Dependencies
-import { getPackageName } from "./getPackageName.js";
-
-// CONSTANTS
-const kNodeModules = new Set(builtins({ experimental: true }));
-const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
-
-export function analyzeDependencies(dependencies, deps = {}) {
-  const { packageDeps, packageDevDeps, tryDependencies } = deps;
-
-  const thirdPartyDependencies = dependencies
-    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
-    .filter((name) => !name.startsWith("."))
-    .filter((name) => !kNodeModules.has(name))
-    .filter((name) => !packageDevDeps.includes(name))
-    .filter((name) => !tryDependencies.has(name));
-
-  const unusedDependencies = difference(
-    packageDeps.filter((name) => !name.startsWith("@types")),
-    thirdPartyDependencies
-  );
-  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))];
-  const nodeDependencies = dependencies.filter((name) => kNodeModules.has(name));
-
-  return {
-    nodeDependencies,
-    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
-    unusedDependencies,
-    missingDependencies,
-
-    flags: {
-      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
-      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
-    }
-  };
-}
+// Import Third-party Dependencies
+import difference from "lodash.difference";
+import builtins from "builtins";
+
+// Import Internal Dependencies
+import { getPackageName } from "./getPackageName.js";
+
+// CONSTANTS
+const kNodeModules = new Set(builtins({ experimental: true }));
+const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
+
+export function analyzeDependencies(dependencies, deps = {}) {
+  const { packageDeps, packageDevDeps, tryDependencies, nodeImports = {} } = deps;
+
+  // See: https://nodejs.org/api/packages.html#subpath-imports
+  const subpathImportsDependencies = dependencies
+    .filter((name) => isAliasDependency(name) && name in nodeImports)
+    .map((name) => buildSubpathDependency(name, nodeImports));
+  const thirdPartyDependenciesAliased = new Set(
+    subpathImportsDependencies.flat().filter((name) => !isAliasDependency(name))
+  );
+
+  const thirdPartyDependencies = dependencies
+    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
+    .filter((name) => !name.startsWith("."))
+    .filter((name) => !isNodeCoreModule(name))
+    .filter((name) => !packageDevDeps.includes(name))
+    .filter((name) => !tryDependencies.has(name));
+
+  const unusedDependencies = difference(
+    packageDeps.filter((name) => !name.startsWith("@types")),
+    [...thirdPartyDependencies, ...thirdPartyDependenciesAliased]
+  );
+  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))]
+    .filter((name) => !(name in nodeImports));
+  const nodeDependencies = dependencies.filter((name) => isNodeCoreModule(name));
+
+  return {
+    nodeDependencies,
+    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
+    subpathImportsDependencies,
+    unusedDependencies,
+    missingDependencies,
+
+    flags: {
+      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
+      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
+    }
+  };
+}
+
+/**
+ * @param {!string} moduleName
+ * @returns {boolean}
+ */
+function isNodeCoreModule(moduleName) {
+  const cleanModuleName = moduleName.startsWith("node:") ? moduleName.slice(5) : moduleName;
+
+  // Note: We need to also check moduleName because builtins package only return true for 'node:test'.
+  return kNodeModules.has(cleanModuleName) || kNodeModules.has(moduleName);
+}
+
+function isAliasDependency(moduleName) {
+  return moduleName.charAt(0) === "#";
+}
+
+function buildSubpathDependency(alias, nodeImports) {
+  const importedDependency = nodeImports[alias].node ?? nodeImports[alias].default;
+
+  return [alias, importedDependency];
+}

package/types/api.d.ts

@@ -11,5 +11,5 @@ export {
 declare const ScannerLoggerEvents: LoggerEvents;
 
 declare function cwd(location: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
+declare function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">, logger?: Logger): Promise<Scanner.Payload>;
 declare function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;