@nodesecure/scanner 3.4.0 → 3.6.0

package/README.md

@@ -1,96 +1,97 @@
-# NodeSecure Scanner
-![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
-[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
-)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
-
-⚡️ Run a static analysis of your module's dependencies.
-
-## Requirements
-
-- [Node.js](https://nodejs.org/en/) version 16 or higher
-
-## Getting Started
-
-This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
-
-```bash
-$ npm i @nodesecure/scanner
-# or
-$ yarn add @nodesecure/scanner
-```
-
-## Usage example
-
-```js
-import * as scanner from "@nodesecure/scanner";
-import fs from "fs/promises";
-
-// CONSTANTS
-const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
-
-const payloads = await Promise.all(
-  kPackagesToAnalyze.map((name) => scanner.from(name))
-);
-
-const promises = [];
-for (let i = 0; i < kPackagesToAnalyze.length; i++) {
-  const data = JSON.stringify(payloads[i], null, 2);
-
-  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
-}
-await Promise.allSettled(promises);
-```
-
-## API
-
-See `types/api.d.ts` for a complete TypeScript definition.
-
-```ts
-function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
-function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
-```
-
-`Options` is described with the following TypeScript interface:
-
-```ts
-interface Options {
-  readonly maxDepth?: number;
-  readonly usePackageLock?: boolean;
-  readonly includeDevDeps?: boolean;
-  readonly vulnerabilityStrategy: Strategy.Kind;
-  readonly forceRootAnalysis?: boolean;
-  readonly fullLockMode?: boolean;
-}
-```
-
-## Contributors ✨
-
-<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-4-orange.svg?style=flat-square)](#contributors-)
-<!-- ALL-CONTRIBUTORS-BADGE:END -->
-
-Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
-
-<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
-<!-- prettier-ignore-start -->
-<!-- markdownlint-disable -->
-<table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
-  </tr>
-</table>
-
-<!-- markdownlint-restore -->
-<!-- prettier-ignore-end -->
-
-<!-- ALL-CONTRIBUTORS-LIST:END -->
-
-## License
-MIT
+# NodeSecure Scanner
+![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
+[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
+[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
+)
+[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
+![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
+
+⚡️ Run a static analysis of your module's dependencies.
+
+## Requirements
+
+- [Node.js](https://nodejs.org/en/) version 16 or higher
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/scanner
+# or
+$ yarn add @nodesecure/scanner
+```
+
+## Usage example
+
+```js
+import * as scanner from "@nodesecure/scanner";
+import fs from "fs/promises";
+
+// CONSTANTS
+const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
+
+const payloads = await Promise.all(
+  kPackagesToAnalyze.map((name) => scanner.from(name))
+);
+
+const promises = [];
+for (let i = 0; i < kPackagesToAnalyze.length; i++) {
+  const data = JSON.stringify(payloads[i], null, 2);
+
+  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
+}
+await Promise.allSettled(promises);
+```
+
+## API
+
+See `types/api.d.ts` for a complete TypeScript definition.
+
+```ts
+function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
+function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
+```
+
+`Options` is described with the following TypeScript interface:
+
+```ts
+interface Options {
+  readonly maxDepth?: number;
+  readonly usePackageLock?: boolean;
+  readonly includeDevDeps?: boolean;
+  readonly vulnerabilityStrategy: Strategy.Kind;
+  readonly forceRootAnalysis?: boolean;
+  readonly fullLockMode?: boolean;
+}
+```
+
+## Contributors ✨
+
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
+    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
+    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
+    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
+  </tr>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+## License
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.4.0",
+  "version": "3.6.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -48,39 +48,39 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.3.1",
+    "@nodesecure/eslint-config": "^1.4.0",
     "@slimio/is": "^1.5.1",
-    "@small-tech/esm-tape-runner": "^1.0.3",
-    "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^17.0.21",
-    "c8": "^7.11.0",
+    "@small-tech/esm-tape-runner": "^2.0.0",
+    "@small-tech/tap-monkey": "^1.4.0",
+    "@types/node": "^17.0.39",
+    "c8": "^7.11.3",
     "cross-env": "^7.0.3",
-    "dotenv": "^16.0.0",
-    "eslint": "^8.11.0",
+    "dotenv": "^16.0.1",
+    "eslint": "^8.17.0",
     "get-folder-size": "^3.1.0",
-    "pkg-ok": "^2.3.1",
-    "sinon": "^13.0.1",
+    "pkg-ok": "^3.0.0",
+    "sinon": "^14.0.0",
     "snap-shot-core": "^10.2.4",
-    "tape": "^5.5.2"
+    "tape": "^5.5.3"
   },
   "dependencies": {
-    "@nodesecure/flags": "^2.2.0",
+    "@nodesecure/flags": "^2.3.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.2.1",
-    "@nodesecure/js-x-ray": "^4.2.1",
+    "@nodesecure/i18n": "^1.3.0",
+    "@nodesecure/js-x-ray": "^4.5.0",
     "@nodesecure/npm-registry-sdk": "^1.3.0",
     "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.6.0",
-    "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^5.0.3",
+    "@nodesecure/vuln": "^1.7.0",
+    "@npm/types": "^1.0.2",
+    "@npmcli/arborist": "^5.2.1",
     "@slimio/lock": "^1.0.0",
-    "builtins": "^4.0.0",
+    "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^13.0.5",
-    "semver": "^7.3.4"
+    "pacote": "^13.6.0",
+    "semver": "^7.3.7"
   },
   "type": "module"
 }

package/src/class/dependency.class.js

@@ -66,6 +66,9 @@ export default class Dependency {
           description: "",
           size: 0,
           author: {},
+          engines: {},
+          repository: {},
+          scripts: {},
           warnings: this.warnings,
           composition: {
             extensions: [],
@@ -75,7 +78,8 @@ export default class Dependency {
             missing: [],
             required_files: [],
             required_nodejs: [],
-            required_thirdparty: []
+            required_thirdparty: [],
+            required_subpath: []
           },
           license: "unkown license",
           gitUrl: this.gitUrl

package/src/depWalker.js

@@ -283,7 +283,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
   await hydratePayloadDependencies(dependencies, {
-    useStandardFormat: true
+    useStandardFormat: true,
+    path: location
   });
 
   payload.vulnerabilityStrategy = strategy;

package/src/manifest.js

@@ -1,57 +1,63 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-
-// Import Third-party Dependencies
-import { parseManifestAuthor } from "@nodesecure/utils";
-
-// CONSTANTS
-// PR welcome to contribute to this list!
-const kNativeNpmPackages = new Set([
-  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
-]);
-
-/**
- * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
- */
-const kUnsafeNpmScripts = new Set([
-  "install",
-  "preinstall", "postinstall",
-  "preuninstall", "postuninstall"
-]);
-
-/**
- * @param {!string} location
- * @returns {import("@npm/types").PackageJson}
- */
-export async function read(location) {
-  const packageStr = await fs.readFile(
-    path.join(location, "package.json"),
-    "utf-8"
-  );
-
-  return JSON.parse(packageStr);
-}
-
-// TODO: PR @npm/types to fix dependencies typo
-export async function readAnalyze(location) {
-  const {
-    description = "", author = {}, scripts = {},
-    dependencies = {}, devDependencies = {}, gypfile = false
-  } = await read(location);
-
-  const packageDeps = Object.keys(dependencies);
-  const packageDevDeps = Object.keys(devDependencies);
-  const hasNativePackage = [...packageDevDeps, ...packageDeps]
-    .some((pkg) => kNativeNpmPackages.has(pkg));
-
-  return {
-    author: typeof author === "string" ? parseManifestAuthor(author) : author,
-    description,
-    hasScript: Object.keys(scripts)
-      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
-    packageDeps,
-    packageDevDeps,
-    hasNativeElements: hasNativePackage || gypfile
-  };
-}
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+
+// Import Third-party Dependencies
+import { parseManifestAuthor } from "@nodesecure/utils";
+
+// CONSTANTS
+// PR welcome to contribute to this list!
+const kNativeNpmPackages = new Set([
+  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
+]);
+
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+const kUnsafeNpmScripts = new Set([
+  "install",
+  "preinstall", "postinstall",
+  "preuninstall", "postuninstall"
+]);
+
+/**
+ * @param {!string} location
+ * @returns {import("@npm/types").PackageJson}
+ */
+export async function read(location) {
+  const packageStr = await fs.readFile(
+    path.join(location, "package.json"),
+    "utf-8"
+  );
+
+  return JSON.parse(packageStr);
+}
+
+export async function readAnalyze(location) {
+  const {
+    description = "", author = {}, scripts = {},
+    dependencies = {}, devDependencies = {}, gypfile = false,
+    engines = {},
+    repository = {},
+    imports = {}
+  } = await read(location);
+
+  const packageDeps = Object.keys(dependencies);
+  const packageDevDeps = Object.keys(devDependencies);
+  const hasNativePackage = [...packageDevDeps, ...packageDeps]
+    .some((pkg) => kNativeNpmPackages.has(pkg));
+
+  return {
+    author: typeof author === "string" ? parseManifestAuthor(author) : author,
+    description,
+    engines,
+    repository,
+    scripts,
+    hasScript: Object.keys(scripts)
+      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
+    packageDeps,
+    packageDevDeps,
+    nodejs: { imports },
+    hasNativeElements: hasNativePackage || gypfile
+  };
+}

package/src/npmRegistry.js

@@ -1,68 +1,74 @@
-// Import Third-party Dependencies
-import semver from "semver";
-import { parseManifestAuthor } from "@nodesecure/utils";
-import { packument } from "@nodesecure/npm-registry-sdk";
-
-export function parseAuthor(author) {
-  return typeof author === "string" ? parseManifestAuthor(author) : author;
-}
-
-export async function packageMetadata(name, version, options) {
-  const { ref, logger } = options;
-
-  try {
-    const pkg = await packument(name);
-
-    const oneYearFromToday = new Date();
-    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
-
-    const lastVersion = pkg["dist-tags"].latest;
-    const lastUpdateAt = new Date(pkg.time[lastVersion]);
-    const metadata = {
-      author: parseAuthor(pkg.author) ?? {},
-      homepage: pkg.homepage || null,
-      publishedCount: Object.values(pkg.versions).length,
-      lastVersion,
-      lastUpdateAt,
-      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
-      maintainers: pkg.maintainers,
-      publishers: []
-    };
-
-    const isOutdated = semver.neq(version, lastVersion);
-    if (isOutdated) {
-      ref.versions[version].flags.push("isOutdated");
-    }
-
-    const publishers = new Set();
-    for (const ver of Object.values(pkg.versions).reverse()) {
-      const { _npmUser: npmUser, version } = ver;
-      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
-      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
-        continue;
-      }
-
-      const authorName = metadata.author?.name ?? null;
-      if (authorName === null) {
-        metadata.author = npmUser;
-      }
-      else if (npmUser.name !== metadata.author.name) {
-        metadata.hasManyPublishers = true;
-      }
-
-      // TODO: add npmUser.email
-      if (!publishers.has(npmUser.name)) {
-        publishers.add(npmUser.name);
-        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
-      }
-    }
-
-    Object.assign(ref.metadata, metadata);
-  }
-  catch {
-    // ignore
-  }
-  finally {
-    logger.tick("registry");
-  }
-}
+// Import Third-party Dependencies
+import semver from "semver";
+import { parseManifestAuthor } from "@nodesecure/utils";
+import { packument } from "@nodesecure/npm-registry-sdk";
+
+export function parseAuthor(author) {
+  return typeof author === "string" ? parseManifestAuthor(author) : author;
+}
+
+export async function packageMetadata(name, version, options) {
+  const { ref, logger } = options;
+
+  try {
+    const pkg = await packument(name);
+
+    const oneYearFromToday = new Date();
+    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
+
+    const lastVersion = pkg["dist-tags"].latest;
+    const lastUpdateAt = new Date(pkg.time[lastVersion]);
+    const metadata = {
+      author: parseAuthor(pkg.author) ?? {},
+      homepage: pkg.homepage || null,
+      publishedCount: Object.values(pkg.versions).length,
+      lastVersion,
+      lastUpdateAt,
+      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
+      maintainers: pkg.maintainers ?? [],
+      publishers: []
+    };
+
+    const isOutdated = semver.neq(version, lastVersion);
+    if (isOutdated) {
+      ref.versions[version].flags.push("isOutdated");
+    }
+
+    const publishers = new Set();
+    let searchForMaintainersInVersions = metadata.maintainers.length === 0;
+    for (const ver of Object.values(pkg.versions).reverse()) {
+      const { _npmUser: npmUser, version, maintainers = [] } = ver;
+      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
+      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
+        continue;
+      }
+
+      const authorName = metadata.author?.name ?? null;
+      if (authorName === null) {
+        metadata.author = npmUser;
+      }
+      else if (npmUser.name !== metadata.author.name) {
+        metadata.hasManyPublishers = true;
+      }
+
+      // TODO: add npmUser.email
+      if (!publishers.has(npmUser.name)) {
+        publishers.add(npmUser.name);
+        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
+      }
+
+      if (searchForMaintainersInVersions) {
+        metadata.maintainers.push(...maintainers);
+        searchForMaintainersInVersions = false;
+      }
+    }
+
+    Object.assign(ref.metadata, metadata);
+  }
+  catch {
+    // ignore
+  }
+  finally {
+    logger.tick("registry");
+  }
+}

package/src/tarball.js

@@ -65,9 +65,13 @@ export async function scanDirOrArchive(name, version, options) {
     }
 
     // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
-    ref.author = author;
-    ref.description = description;
+    const {
+      packageDeps,
+      packageDevDeps,
+      author, description, hasScript, hasNativeElements, nodejs,
+      engines, repository, scripts
+    } = await manifest.readAnalyze(dest);
+    Object.assign(ref, { author, description, engines, repository, scripts });
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);
@@ -97,10 +101,11 @@ export async function scanDirOrArchive(name, version, options) {
     const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
 
     const {
-      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
-    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
+      nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies, nodeImports: nodejs.imports });
 
     ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.required_subpath = Object.fromEntries(subpathImportsDependencies);
     ref.composition.unused.push(...unusedDependencies);
     ref.composition.missing.push(...missingDependencies);
     ref.composition.required_files = filesDependencies;

package/src/utils/analyzeDependencies.js

@@ -1,40 +1,71 @@
-// Import Third-party Dependencies
-import difference from "lodash.difference";
-import builtins from "builtins";
-
-// Import Internal Dependencies
-import { getPackageName } from "./getPackageName.js";
-
-// CONSTANTS
-const kNodeModules = new Set(builtins({ experimental: true }));
-const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
-
-export function analyzeDependencies(dependencies, deps = {}) {
-  const { packageDeps, packageDevDeps, tryDependencies } = deps;
-
-  const thirdPartyDependencies = dependencies
-    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
-    .filter((name) => !name.startsWith("."))
-    .filter((name) => !kNodeModules.has(name))
-    .filter((name) => !packageDevDeps.includes(name))
-    .filter((name) => !tryDependencies.has(name));
-
-  const unusedDependencies = difference(
-    packageDeps.filter((name) => !name.startsWith("@types")),
-    thirdPartyDependencies
-  );
-  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))];
-  const nodeDependencies = dependencies.filter((name) => kNodeModules.has(name));
-
-  return {
-    nodeDependencies,
-    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
-    unusedDependencies,
-    missingDependencies,
-
-    flags: {
-      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
-      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
-    }
-  };
-}
+// Import Third-party Dependencies
+import difference from "lodash.difference";
+import builtins from "builtins";
+
+// Import Internal Dependencies
+import { getPackageName } from "./getPackageName.js";
+
+// CONSTANTS
+const kNodeModules = new Set(builtins({ experimental: true }));
+const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
+
+export function analyzeDependencies(dependencies, deps = {}) {
+  const { packageDeps, packageDevDeps, tryDependencies, nodeImports = {} } = deps;
+
+  // See: https://nodejs.org/api/packages.html#subpath-imports
+  const subpathImportsDependencies = dependencies
+    .filter((name) => isAliasDependency(name) && name in nodeImports)
+    .map((name) => buildSubpathDependency(name, nodeImports));
+  const thirdPartyDependenciesAliased = new Set(
+    subpathImportsDependencies.flat().filter((name) => !isAliasDependency(name))
+  );
+
+  const thirdPartyDependencies = dependencies
+    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
+    .filter((name) => !name.startsWith("."))
+    .filter((name) => !isNodeCoreModule(name))
+    .filter((name) => !packageDevDeps.includes(name))
+    .filter((name) => !tryDependencies.has(name));
+
+  const unusedDependencies = difference(
+    packageDeps.filter((name) => !name.startsWith("@types")),
+    [...thirdPartyDependencies, ...thirdPartyDependenciesAliased]
+  );
+  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))]
+    .filter((name) => !(name in nodeImports));
+  const nodeDependencies = dependencies.filter((name) => isNodeCoreModule(name));
+
+  return {
+    nodeDependencies,
+    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
+    subpathImportsDependencies,
+    unusedDependencies,
+    missingDependencies,
+
+    flags: {
+      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
+      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
+    }
+  };
+}
+
+/**
+ * @param {!string} moduleName
+ * @returns {boolean}
+ */
+function isNodeCoreModule(moduleName) {
+  const cleanModuleName = moduleName.startsWith("node:") ? moduleName.slice(5) : moduleName;
+
+  // Note: We need to also check moduleName because builtins package only return true for 'node:test'.
+  return kNodeModules.has(cleanModuleName) || kNodeModules.has(moduleName);
+}
+
+function isAliasDependency(moduleName) {
+  return moduleName.charAt(0) === "#";
+}
+
+function buildSubpathDependency(alias, nodeImports) {
+  const importedDependency = nodeImports[alias].node ?? nodeImports[alias].default;
+
+  return [alias, importedDependency];
+}

package/src/utils/warnings.js

@@ -1,36 +1,36 @@
-// Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
-
-// CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kWarningsMessages = Object.freeze({
-  "@scarf/scarf": getToken("warnings.disable_scarf"),
-  iohook: getToken("warnings.keylogging")
-});
-const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
-
-function getWarning(depName) {
-  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
-}
-
-export function getDependenciesWarnings(dependencies) {
-  const warnings = [];
-  for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
-      warnings.push(getWarning(depName));
-    }
-  }
-
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
-}
-
+// Import Third-party Dependencies
+import { getToken, taggedString } from "@nodesecure/i18n";
+
+// CONSTANTS
+const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kWarningsMessages = Object.freeze({
+  "@scarf/scarf": getToken("warnings.disable_scarf"),
+  iohook: getToken("warnings.keylogging")
+});
+const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+
+function getWarning(depName) {
+  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
+}
+
+export function getDependenciesWarnings(dependencies) {
+  const warnings = [];
+  for (const depName of kPackages) {
+    if (dependencies.has(depName)) {
+      warnings.push(getWarning(depName));
+    }
+  }
+
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
+
+  return warnings;
+}
+

package/types/scanner.d.ts

@@ -42,6 +42,15 @@ declare namespace Scanner {
     description: string;
     /** Author of the package. This information is not trustable and can be empty. */
     author: Maintainer;
+    engines: {
+      node?: string;
+      npm?: string;
+    };
+    repository: {
+      type: string;
+      url: string;
+    };
+    scripts: Record<string, string>;
     /**
      * JS-X-Ray warnings
      *
@@ -58,6 +67,7 @@ declare namespace Scanner {
       required_files: string[];
       required_thirdparty: string[];
       required_nodejs: string[];
+      required_subpath: string[];
       unused: string[];
       missing: string[];
     };