@nodesecure/scanner 3.4.1 → 3.7.0

package/README.md

@@ -59,6 +59,7 @@ function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
 ```ts
 interface Options {
   readonly maxDepth?: number;
+  readonly registry?: string | URL;
   readonly usePackageLock?: boolean;
   readonly includeDevDeps?: boolean;
   readonly vulnerabilityStrategy: Strategy.Kind;
@@ -70,7 +71,7 @@ interface Options {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-6-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -85,6 +86,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
     <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
     <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
+    <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
   </tr>
 </table>
 

package/index.js

@@ -19,7 +19,16 @@ import * as tarball from "./src/tarball.js";
 const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true, includeDevDeps: false };
 
 export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
-  const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
+  const finalizedOptions = Object.assign(
+    { location },
+    kDefaultCwdOptions,
+    {
+      ...options,
+      registry
+    }
+  );
 
   logger.start(ScannerLoggerEvents.manifest.read);
   const packagePath = path.join(location, "package.json");
@@ -30,13 +39,15 @@ export async function cwd(location = process.cwd(), options = {}, logger = new L
 }
 
 export async function from(packageName, options, logger = new Logger()) {
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
   logger.start(ScannerLoggerEvents.manifest.fetch);
   const manifest = await pacote.manifest(packageName, {
-    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    ...NPM_TOKEN, registry, cache: `${os.homedir()}/.npm`
   });
   logger.end(ScannerLoggerEvents.manifest.fetch);
 
-  return depWalker(manifest, options, logger);
+  return depWalker(manifest, Object.assign(options, { registry }), logger);
 }
 
 export async function verify(packageName = null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.4.1",
+  "version": "3.7.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -48,39 +48,39 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.3.1",
+    "@nodesecure/eslint-config": "^1.4.1",
     "@slimio/is": "^1.5.1",
-    "@small-tech/esm-tape-runner": "^1.0.3",
-    "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^17.0.21",
-    "c8": "^7.11.0",
+    "@small-tech/esm-tape-runner": "^2.0.0",
+    "@small-tech/tap-monkey": "^1.4.0",
+    "@types/node": "^18.0.0",
+    "c8": "^7.11.3",
     "cross-env": "^7.0.3",
-    "dotenv": "^16.0.0",
-    "eslint": "^8.11.0",
+    "dotenv": "^16.0.1",
+    "eslint": "^8.18.0",
     "get-folder-size": "^3.1.0",
-    "pkg-ok": "^2.3.1",
-    "sinon": "^13.0.1",
+    "pkg-ok": "^3.0.0",
+    "sinon": "^14.0.0",
     "snap-shot-core": "^10.2.4",
-    "tape": "^5.5.2"
+    "tape": "^5.5.3"
   },
   "dependencies": {
-    "@nodesecure/flags": "^2.2.0",
+    "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.2.1",
-    "@nodesecure/js-x-ray": "^4.2.1",
-    "@nodesecure/npm-registry-sdk": "^1.3.0",
+    "@nodesecure/i18n": "^2.0.0",
+    "@nodesecure/js-x-ray": "^5.0.1",
+    "@nodesecure/npm-registry-sdk": "^1.4.0",
     "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.6.0",
-    "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^5.0.3",
+    "@nodesecure/vuln": "^1.7.0",
+    "@npm/types": "^1.0.2",
+    "@npmcli/arborist": "^5.2.3",
     "@slimio/lock": "^1.0.0",
-    "builtins": "^4.0.0",
+    "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^13.0.5",
-    "semver": "^7.3.4"
+    "pacote": "^13.6.1",
+    "semver": "^7.3.7"
   },
   "type": "module"
 }

package/src/class/dependency.class.js

@@ -66,6 +66,9 @@ export default class Dependency {
           description: "",
           size: 0,
           author: {},
+          engines: {},
+          repository: {},
+          scripts: {},
           warnings: this.warnings,
           composition: {
             extensions: [],
@@ -75,7 +78,8 @@ export default class Dependency {
             missing: [],
             required_files: [],
             required_nodejs: [],
-            required_thirdparty: []
+            required_thirdparty: [],
+            required_subpath: []
           },
           license: "unkown license",
           gitUrl: this.gitUrl

package/src/depWalker.js

@@ -11,7 +11,6 @@ import pacote from "pacote";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
 import * as vuln from "@nodesecure/vuln";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import { ScannerLoggerEvents } from "./constants.js";
 
 // Import Internal Dependencies
@@ -31,11 +30,11 @@ const { version: packageVersion } = JSON.parse(
 );
 
 export async function* searchDeepDependencies(packageName, gitURL, options) {
-  const { exclude, currDepth = 0, parent, maxDepth } = options;
+  const { exclude, currDepth = 0, parent, maxDepth, registry } = options;
 
   const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
     ...NPM_TOKEN,
-    registry: getLocalRegistryURL(),
+    registry,
     cache: `${os.homedir()}/.npm`
   });
   const { dependencies, customResolvers } = mergeDependencies(pkg);
@@ -48,7 +47,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
 
   if (currDepth !== maxDepth) {
     const config = {
-      exclude, currDepth: currDepth + 1, parent: current, maxDepth
+      exclude, currDepth: currDepth + 1, parent: current, maxDepth, registry
     };
 
     const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
@@ -76,7 +75,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
 }
 
 export async function* deepReadEdges(currentPackageName, options) {
-  const { to, parent, exclude, fullLockMode, includeDevDeps } = options;
+  const { to, parent, exclude, fullLockMode, includeDevDeps, registry } = options;
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
@@ -86,7 +85,7 @@ export async function* deepReadEdges(currentPackageName, options) {
   if (fullLockMode && !includeDevDeps) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
       ...NPM_TOKEN,
-      registry: getLocalRegistryURL(),
+      registry,
       cache: `${os.homedir()}/.npm`
     });
     const { customResolvers } = mergeDependencies(pkg);
@@ -108,7 +107,7 @@ export async function* deepReadEdges(currentPackageName, options) {
     }
     else {
       exclude.set(cleanName, new Set([current.fullName]));
-      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude });
+      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude, registry });
     }
   }
   yield current;
@@ -118,7 +117,8 @@ export async function* getRootDependencies(manifest, options) {
   const {
     maxDepth = 4, exclude,
     usePackageLock, fullLockMode, includeDevDeps,
-    location
+    location,
+    registry
   } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
@@ -131,7 +131,7 @@ export async function* getRootDependencies(manifest, options) {
     const arb = new Arborist({
       ...NPM_TOKEN,
       path: location,
-      registry: getLocalRegistryURL()
+      registry
     });
     let tree;
     try {
@@ -146,11 +146,18 @@ export async function* getRootDependencies(manifest, options) {
       ...iter
         .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
         .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
-        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, includeDevDeps, exclude }))
+        .map(([packageName, to]) => deepReadEdges(packageName, {
+          to,
+          parent,
+          fullLockMode,
+          includeDevDeps,
+          exclude,
+          registry
+        }))
     ];
   }
   else {
-    const configRef = { exclude, maxDepth, parent };
+    const configRef = { exclude, maxDepth, parent, registry };
     iterators = [
       ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
         .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
@@ -189,7 +196,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     fullLockMode = false,
     maxDepth,
     location,
-    vulnerabilityStrategy = vuln.strategies.NONE
+    vulnerabilityStrategy = vuln.strategies.NONE,
+    registry
   } = options;
 
   // Create TMP directory
@@ -218,7 +226,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version, dev } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
@@ -267,7 +275,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
           location,
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
-          logger
+          logger,
+          registry
         }));
       }
     }

package/src/manifest.js

@@ -1,57 +1,63 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-
-// Import Third-party Dependencies
-import { parseManifestAuthor } from "@nodesecure/utils";
-
-// CONSTANTS
-// PR welcome to contribute to this list!
-const kNativeNpmPackages = new Set([
-  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
-]);
-
-/**
- * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
- */
-const kUnsafeNpmScripts = new Set([
-  "install",
-  "preinstall", "postinstall",
-  "preuninstall", "postuninstall"
-]);
-
-/**
- * @param {!string} location
- * @returns {import("@npm/types").PackageJson}
- */
-export async function read(location) {
-  const packageStr = await fs.readFile(
-    path.join(location, "package.json"),
-    "utf-8"
-  );
-
-  return JSON.parse(packageStr);
-}
-
-// TODO: PR @npm/types to fix dependencies typo
-export async function readAnalyze(location) {
-  const {
-    description = "", author = {}, scripts = {},
-    dependencies = {}, devDependencies = {}, gypfile = false
-  } = await read(location);
-
-  const packageDeps = Object.keys(dependencies);
-  const packageDevDeps = Object.keys(devDependencies);
-  const hasNativePackage = [...packageDevDeps, ...packageDeps]
-    .some((pkg) => kNativeNpmPackages.has(pkg));
-
-  return {
-    author: typeof author === "string" ? parseManifestAuthor(author) : author,
-    description,
-    hasScript: Object.keys(scripts)
-      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
-    packageDeps,
-    packageDevDeps,
-    hasNativeElements: hasNativePackage || gypfile
-  };
-}
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+
+// Import Third-party Dependencies
+import { parseManifestAuthor } from "@nodesecure/utils";
+
+// CONSTANTS
+// PR welcome to contribute to this list!
+const kNativeNpmPackages = new Set([
+  "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
+]);
+
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+const kUnsafeNpmScripts = new Set([
+  "install",
+  "preinstall", "postinstall",
+  "preuninstall", "postuninstall"
+]);
+
+/**
+ * @param {!string} location
+ * @returns {import("@npm/types").PackageJson}
+ */
+export async function read(location) {
+  const packageStr = await fs.readFile(
+    path.join(location, "package.json"),
+    "utf-8"
+  );
+
+  return JSON.parse(packageStr);
+}
+
+export async function readAnalyze(location) {
+  const {
+    description = "", author = {}, scripts = {},
+    dependencies = {}, devDependencies = {}, gypfile = false,
+    engines = {},
+    repository = {},
+    imports = {}
+  } = await read(location);
+
+  const packageDeps = Object.keys(dependencies);
+  const packageDevDeps = Object.keys(devDependencies);
+  const hasNativePackage = [...packageDevDeps, ...packageDeps]
+    .some((pkg) => kNativeNpmPackages.has(pkg));
+
+  return {
+    author: typeof author === "string" ? parseManifestAuthor(author) : author,
+    description,
+    engines,
+    repository,
+    scripts,
+    hasScript: Object.keys(scripts)
+      .some((value) => kUnsafeNpmScripts.has(value.toLowerCase())),
+    packageDeps,
+    packageDevDeps,
+    nodejs: { imports },
+    hasNativeElements: hasNativePackage || gypfile
+  };
+}

package/src/npmRegistry.js

@@ -1,68 +1,74 @@
-// Import Third-party Dependencies
-import semver from "semver";
-import { parseManifestAuthor } from "@nodesecure/utils";
-import { packument } from "@nodesecure/npm-registry-sdk";
-
-export function parseAuthor(author) {
-  return typeof author === "string" ? parseManifestAuthor(author) : author;
-}
-
-export async function packageMetadata(name, version, options) {
-  const { ref, logger } = options;
-
-  try {
-    const pkg = await packument(name);
-
-    const oneYearFromToday = new Date();
-    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
-
-    const lastVersion = pkg["dist-tags"].latest;
-    const lastUpdateAt = new Date(pkg.time[lastVersion]);
-    const metadata = {
-      author: parseAuthor(pkg.author) ?? {},
-      homepage: pkg.homepage || null,
-      publishedCount: Object.values(pkg.versions).length,
-      lastVersion,
-      lastUpdateAt,
-      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
-      maintainers: pkg.maintainers,
-      publishers: []
-    };
-
-    const isOutdated = semver.neq(version, lastVersion);
-    if (isOutdated) {
-      ref.versions[version].flags.push("isOutdated");
-    }
-
-    const publishers = new Set();
-    for (const ver of Object.values(pkg.versions).reverse()) {
-      const { _npmUser: npmUser, version } = ver;
-      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
-      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
-        continue;
-      }
-
-      const authorName = metadata.author?.name ?? null;
-      if (authorName === null) {
-        metadata.author = npmUser;
-      }
-      else if (npmUser.name !== metadata.author.name) {
-        metadata.hasManyPublishers = true;
-      }
-
-      // TODO: add npmUser.email
-      if (!publishers.has(npmUser.name)) {
-        publishers.add(npmUser.name);
-        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
-      }
-    }
-
-    Object.assign(ref.metadata, metadata);
-  }
-  catch {
-    // ignore
-  }
-  finally {
-    logger.tick("registry");
-  }
-}
+// Import Third-party Dependencies
+import semver from "semver";
+import { parseManifestAuthor } from "@nodesecure/utils";
+import { packument } from "@nodesecure/npm-registry-sdk";
+
+export function parseAuthor(author) {
+  return typeof author === "string" ? parseManifestAuthor(author) : author;
+}
+
+export async function packageMetadata(name, version, options) {
+  const { ref, logger } = options;
+
+  try {
+    const pkg = await packument(name);
+
+    const oneYearFromToday = new Date();
+    oneYearFromToday.setFullYear(oneYearFromToday.getFullYear() - 1);
+
+    const lastVersion = pkg["dist-tags"].latest;
+    const lastUpdateAt = new Date(pkg.time[lastVersion]);
+    const metadata = {
+      author: parseAuthor(pkg.author) ?? {},
+      homepage: pkg.homepage || null,
+      publishedCount: Object.values(pkg.versions).length,
+      lastVersion,
+      lastUpdateAt,
+      hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
+      maintainers: pkg.maintainers ?? [],
+      publishers: []
+    };
+
+    const isOutdated = semver.neq(version, lastVersion);
+    if (isOutdated) {
+      ref.versions[version].flags.push("isOutdated");
+    }
+
+    const publishers = new Set();
+    let searchForMaintainersInVersions = metadata.maintainers.length === 0;
+    for (const ver of Object.values(pkg.versions).reverse()) {
+      const { _npmUser: npmUser, version, maintainers = [] } = ver;
+      const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
+      if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
+        continue;
+      }
+
+      const authorName = metadata.author?.name ?? null;
+      if (authorName === null) {
+        metadata.author = npmUser;
+      }
+      else if (npmUser.name !== metadata.author.name) {
+        metadata.hasManyPublishers = true;
+      }
+
+      // TODO: add npmUser.email
+      if (!publishers.has(npmUser.name)) {
+        publishers.add(npmUser.name);
+        metadata.publishers.push({ ...npmUser, version, at: new Date(pkg.time[version]) });
+      }
+
+      if (searchForMaintainersInVersions) {
+        metadata.maintainers.push(...maintainers);
+        searchForMaintainersInVersions = false;
+      }
+    }
+
+    Object.assign(ref.metadata, metadata);
+  }
+  catch {
+    // ignore
+  }
+  finally {
+    logger.tick("registry");
+  }
+}

package/src/tarball.js

@@ -14,7 +14,6 @@ import {
   NPM_TOKEN
 } from "./utils/index.js";
 import * as manifest from "./manifest.js";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 
 // CONSTANTS
 const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
@@ -47,7 +46,7 @@ export async function scanJavascriptFile(dest, file, packageName) {
 }
 
 export async function scanDirOrArchive(name, version, options) {
-  const { ref, location = process.cwd(), tmpLocation, locker } = options;
+  const { ref, location = process.cwd(), tmpLocation, locker, registry } = options;
 
   const isNpmTarball = !(tmpLocation === null);
   const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
@@ -58,16 +57,20 @@ export async function scanDirOrArchive(name, version, options) {
     if (isNpmTarball) {
       await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
         ...NPM_TOKEN,
-        registry: getLocalRegistryURL(),
+        registry,
         cache: `${os.homedir()}/.npm`
       });
       await timers.setImmediate();
     }
 
     // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
-    ref.author = author;
-    ref.description = description;
+    const {
+      packageDeps,
+      packageDevDeps,
+      author, description, hasScript, hasNativeElements, nodejs,
+      engines, repository, scripts
+    } = await manifest.readAnalyze(dest);
+    Object.assign(ref, { author, description, engines, repository, scripts });
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);
@@ -97,10 +100,11 @@ export async function scanDirOrArchive(name, version, options) {
     const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
 
     const {
-      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
-    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
+      nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies, nodeImports: nodejs.imports });
 
     ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.required_subpath = Object.fromEntries(subpathImportsDependencies);
     ref.composition.unused.push(...unusedDependencies);
     ref.composition.missing.push(...missingDependencies);
     ref.composition.required_files = filesDependencies;

package/src/utils/analyzeDependencies.js

@@ -1,40 +1,71 @@
-// Import Third-party Dependencies
-import difference from "lodash.difference";
-import builtins from "builtins";
-
-// Import Internal Dependencies
-import { getPackageName } from "./getPackageName.js";
-
-// CONSTANTS
-const kNodeModules = new Set(builtins({ experimental: true }));
-const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
-
-export function analyzeDependencies(dependencies, deps = {}) {
-  const { packageDeps, packageDevDeps, tryDependencies } = deps;
-
-  const thirdPartyDependencies = dependencies
-    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
-    .filter((name) => !name.startsWith("."))
-    .filter((name) => !kNodeModules.has(name))
-    .filter((name) => !packageDevDeps.includes(name))
-    .filter((name) => !tryDependencies.has(name));
-
-  const unusedDependencies = difference(
-    packageDeps.filter((name) => !name.startsWith("@types")),
-    thirdPartyDependencies
-  );
-  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))];
-  const nodeDependencies = dependencies.filter((name) => kNodeModules.has(name));
-
-  return {
-    nodeDependencies,
-    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
-    unusedDependencies,
-    missingDependencies,
-
-    flags: {
-      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
-      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
-    }
-  };
-}
+// Import Third-party Dependencies
+import difference from "lodash.difference";
+import builtins from "builtins";
+
+// Import Internal Dependencies
+import { getPackageName } from "./getPackageName.js";
+
+// CONSTANTS
+const kNodeModules = new Set(builtins({ experimental: true }));
+const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
+
+export function analyzeDependencies(dependencies, deps = {}) {
+  const { packageDeps, packageDevDeps, tryDependencies, nodeImports = {} } = deps;
+
+  // See: https://nodejs.org/api/packages.html#subpath-imports
+  const subpathImportsDependencies = dependencies
+    .filter((name) => isAliasDependency(name) && name in nodeImports)
+    .map((name) => buildSubpathDependency(name, nodeImports));
+  const thirdPartyDependenciesAliased = new Set(
+    subpathImportsDependencies.flat().filter((name) => !isAliasDependency(name))
+  );
+
+  const thirdPartyDependencies = dependencies
+    .map((name) => (packageDeps.includes(name) ? name : getPackageName(name)))
+    .filter((name) => !name.startsWith("."))
+    .filter((name) => !isNodeCoreModule(name))
+    .filter((name) => !packageDevDeps.includes(name))
+    .filter((name) => !tryDependencies.has(name));
+
+  const unusedDependencies = difference(
+    packageDeps.filter((name) => !name.startsWith("@types")),
+    [...thirdPartyDependencies, ...thirdPartyDependenciesAliased]
+  );
+  const missingDependencies = [...new Set(difference(thirdPartyDependencies, packageDeps))]
+    .filter((name) => !(name in nodeImports));
+  const nodeDependencies = dependencies.filter((name) => isNodeCoreModule(name));
+
+  return {
+    nodeDependencies,
+    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
+    subpathImportsDependencies,
+    unusedDependencies,
+    missingDependencies,
+
+    flags: {
+      hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
+      hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
+    }
+  };
+}
+
+/**
+ * @param {!string} moduleName
+ * @returns {boolean}
+ */
+function isNodeCoreModule(moduleName) {
+  const cleanModuleName = moduleName.startsWith("node:") ? moduleName.slice(5) : moduleName;
+
+  // Note: We need to also check moduleName because builtins package only return true for 'node:test'.
+  return kNodeModules.has(cleanModuleName) || kNodeModules.has(moduleName);
+}
+
+function isAliasDependency(moduleName) {
+  return moduleName.charAt(0) === "#";
+}
+
+function buildSubpathDependency(alias, nodeImports) {
+  const importedDependency = nodeImports[alias].node ?? nodeImports[alias].default;
+
+  return [alias, importedDependency];
+}

package/src/utils/warnings.js

@@ -1,36 +1,36 @@
-// Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
-
-// CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kWarningsMessages = Object.freeze({
-  "@scarf/scarf": getToken("warnings.disable_scarf"),
-  iohook: getToken("warnings.keylogging")
-});
-const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
-
-function getWarning(depName) {
-  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
-}
-
-export function getDependenciesWarnings(dependencies) {
-  const warnings = [];
-  for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
-      warnings.push(getWarning(depName));
-    }
-  }
-
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
-}
-
+// Import Third-party Dependencies
+import { getToken, taggedString } from "@nodesecure/i18n";
+
+// CONSTANTS
+const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kWarningsMessages = Object.freeze({
+  "@scarf/scarf": getToken("warnings.disable_scarf"),
+  iohook: getToken("warnings.keylogging")
+});
+const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+
+function getWarning(depName) {
+  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
+}
+
+export function getDependenciesWarnings(dependencies) {
+  const warnings = [];
+  for (const depName of kPackages) {
+    if (dependencies.has(depName)) {
+      warnings.push(getWarning(depName));
+    }
+  }
+
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
+
+  return warnings;
+}
+

package/types/scanner.d.ts

@@ -42,6 +42,15 @@ declare namespace Scanner {
     description: string;
     /** Author of the package. This information is not trustable and can be empty. */
     author: Maintainer;
+    engines: {
+      node?: string;
+      npm?: string;
+    };
+    repository: {
+      type: string;
+      url: string;
+    };
+    scripts: Record<string, string>;
     /**
      * JS-X-Ray warnings
      *
@@ -58,6 +67,7 @@ declare namespace Scanner {
       required_files: string[];
       required_thirdparty: string[];
       required_nodejs: string[];
+      required_subpath: string[];
       unused: string[];
       missing: string[];
     };
@@ -156,6 +166,7 @@ declare namespace Scanner {
      * @default 4
      */
     readonly maxDepth?: number;
+    readonly registry?: string | URL;
     /**
      * Use root package-lock.json. This will have the effect of triggering the Arborist package.
      *