@nodesecure/scanner 3.6.0 → 3.8.0

package/README.md

@@ -1,97 +1,104 @@
-# NodeSecure Scanner
-![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
-[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
-)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
-
-⚡️ Run a static analysis of your module's dependencies.
-
-## Requirements
-
-- [Node.js](https://nodejs.org/en/) version 16 or higher
-
-## Getting Started
-
-This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
-
-```bash
-$ npm i @nodesecure/scanner
-# or
-$ yarn add @nodesecure/scanner
-```
-
-## Usage example
-
-```js
-import * as scanner from "@nodesecure/scanner";
-import fs from "fs/promises";
-
-// CONSTANTS
-const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
-
-const payloads = await Promise.all(
-  kPackagesToAnalyze.map((name) => scanner.from(name))
-);
-
-const promises = [];
-for (let i = 0; i < kPackagesToAnalyze.length; i++) {
-  const data = JSON.stringify(payloads[i], null, 2);
-
-  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
-}
-await Promise.allSettled(promises);
-```
-
-## API
-
-See `types/api.d.ts` for a complete TypeScript definition.
-
-```ts
-function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
-function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
-```
-
-`Options` is described with the following TypeScript interface:
-
-```ts
-interface Options {
-  readonly maxDepth?: number;
-  readonly usePackageLock?: boolean;
-  readonly includeDevDeps?: boolean;
-  readonly vulnerabilityStrategy: Strategy.Kind;
-  readonly forceRootAnalysis?: boolean;
-  readonly fullLockMode?: boolean;
-}
-```
-
-## Contributors ✨
-
-<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)
-<!-- ALL-CONTRIBUTORS-BADGE:END -->
-
-Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
-
-<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
-<!-- prettier-ignore-start -->
-<!-- markdownlint-disable -->
-<table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
-    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
-  </tr>
-</table>
-
-<!-- markdownlint-restore -->
-<!-- prettier-ignore-end -->
-
-<!-- ALL-CONTRIBUTORS-LIST:END -->
-
-## License
-MIT
+# NodeSecure Scanner
+![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
+[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
+[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
+![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
+
+⚡️ Run a static analysis of your module's dependencies.
+
+## Requirements
+
+- [Node.js](https://nodejs.org/en/) version 16 or higher
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/scanner
+# or
+$ yarn add @nodesecure/scanner
+```
+
+## Usage example
+
+```js
+import * as scanner from "@nodesecure/scanner";
+import fs from "fs/promises";
+
+// CONSTANTS
+const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
+
+const payloads = await Promise.all(
+  kPackagesToAnalyze.map((name) => scanner.from(name))
+);
+
+const promises = [];
+for (let i = 0; i < kPackagesToAnalyze.length; i++) {
+  const data = JSON.stringify(payloads[i], null, 2);
+
+  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
+}
+await Promise.allSettled(promises);
+```
+
+## API
+
+See `types/api.d.ts` for a complete TypeScript definition.
+
+```ts
+function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
+function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
+```
+
+`Options` is described with the following TypeScript interface:
+
+```ts
+interface Options {
+  readonly maxDepth?: number;
+  readonly registry?: string | URL;
+  readonly usePackageLock?: boolean;
+  readonly includeDevDeps?: boolean;
+  readonly vulnerabilityStrategy: Strategy.Kind;
+  readonly forceRootAnalysis?: boolean;
+  readonly fullLockMode?: boolean;
+}
+```
+
+## Contributors ✨
+
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tbody>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+      <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
+      <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt="Haze"/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
+      <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt="Maksim Balabash"/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
+      <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine Coulon"/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
+      <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
+      <td align="center"><a href="http://sofiand.github.io/portfolio-client/"><img src="https://avatars.githubusercontent.com/u/39944043?v=4?s=100" width="100px;" alt="Yefis"/><br /><sub><b>Yefis</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=SofianD" title="Code">💻</a></td>
+    </tr>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Aekk0" title="Code">💻</a></td>
+      <td align="center"><a href="https://www.linkedin.com/in/ange-tekeu-a155811b4/"><img src="https://avatars.githubusercontent.com/u/35274201?v=4?s=100" width="100px;" alt="Ange TEKEU"/><br /><sub><b>Ange TEKEU</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tekeuange23" title="Code">💻</a></td>
+    </tr>
+  </tbody>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+## License
+MIT

package/index.js

@@ -19,7 +19,16 @@ import * as tarball from "./src/tarball.js";
 const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true, includeDevDeps: false };
 
 export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
-  const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
+  const finalizedOptions = Object.assign(
+    { location },
+    kDefaultCwdOptions,
+    {
+      ...options,
+      registry
+    }
+  );
 
   logger.start(ScannerLoggerEvents.manifest.read);
   const packagePath = path.join(location, "package.json");
@@ -30,13 +39,15 @@ export async function cwd(location = process.cwd(), options = {}, logger = new L
 }
 
 export async function from(packageName, options, logger = new Logger()) {
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
   logger.start(ScannerLoggerEvents.manifest.fetch);
   const manifest = await pacote.manifest(packageName, {
-    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    ...NPM_TOKEN, registry, cache: `${os.homedir()}/.npm`
   });
   logger.end(ScannerLoggerEvents.manifest.fetch);
 
-  return depWalker(manifest, options, logger);
+  return depWalker(manifest, Object.assign(options, { registry }), logger);
 }
 
 export async function verify(packageName = null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.6.0",
+  "version": "3.8.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -48,39 +48,39 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.4.0",
+    "@nodesecure/eslint-config": "^1.5.0",
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
-    "@types/node": "^17.0.39",
-    "c8": "^7.11.3",
+    "@types/node": "^18.11.9",
+    "c8": "^7.12.0",
     "cross-env": "^7.0.3",
-    "dotenv": "^16.0.1",
-    "eslint": "^8.17.0",
-    "get-folder-size": "^3.1.0",
+    "dotenv": "^16.0.3",
+    "eslint": "^8.27.0",
+    "get-folder-size": "^4.0.0",
     "pkg-ok": "^3.0.0",
-    "sinon": "^14.0.0",
+    "sinon": "^14.0.1",
     "snap-shot-core": "^10.2.4",
-    "tape": "^5.5.3"
+    "tape": "^5.6.1"
   },
   "dependencies": {
-    "@nodesecure/flags": "^2.3.0",
+    "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.3.0",
-    "@nodesecure/js-x-ray": "^4.5.0",
-    "@nodesecure/npm-registry-sdk": "^1.3.0",
+    "@nodesecure/i18n": "^2.0.0",
+    "@nodesecure/js-x-ray": "^5.1.0",
+    "@nodesecure/npm-registry-sdk": "^1.4.1",
     "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^5.2.1",
+    "@npmcli/arborist": "^6.1.1",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^13.6.0",
-    "semver": "^7.3.7"
+    "pacote": "^15.0.6",
+    "semver": "^7.3.8"
   },
   "type": "module"
 }

package/src/class/dependency.class.js

@@ -9,6 +9,8 @@ export default class Dependency {
     this.name = name;
     this.version = version;
     this.dev = false;
+    this.existOnRemoteRegistry = true;
+    this.alias = {};
 
     if (parent !== null) {
       parent.dependencyCount++;
@@ -62,6 +64,7 @@ export default class Dependency {
           id: typeof customId === "number" ? customId : Dependency.currentId++,
           usedBy: this.parent,
           isDevDependency: this.dev,
+          existOnRemoteRegistry: this.existOnRemoteRegistry,
           flags: this.flags,
           description: "",
           size: 0,
@@ -76,6 +79,7 @@ export default class Dependency {
             minified: [],
             unused: [],
             missing: [],
+            alias: this.alias,
             required_files: [],
             required_nodejs: [],
             required_thirdparty: [],

package/src/depWalker.js

@@ -11,7 +11,6 @@ import pacote from "pacote";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
 import * as vuln from "@nodesecure/vuln";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import { ScannerLoggerEvents } from "./constants.js";
 
 // Import Internal Dependencies
@@ -31,24 +30,38 @@ const { version: packageVersion } = JSON.parse(
 );
 
 export async function* searchDeepDependencies(packageName, gitURL, options) {
-  const { exclude, currDepth = 0, parent, maxDepth } = options;
+  const { exclude, currDepth = 0, parent, maxDepth, registry } = options;
 
   const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
     ...NPM_TOKEN,
-    registry: getLocalRegistryURL(),
+    registry,
     cache: `${os.homedir()}/.npm`
   });
-  const { dependencies, customResolvers } = mergeDependencies(pkg);
+  const { dependencies, customResolvers, alias } = mergeDependencies(pkg);
 
   const current = new Dependency(name, version, parent);
-  gitURL !== null && current.isGit(gitURL);
+  current.alias = Object.fromEntries(alias);
+
+  if (gitURL !== null) {
+    current.isGit(gitURL);
+    try {
+      await pacote.manifest(`${name}@${version}`, {
+        ...NPM_TOKEN,
+        registry,
+        cache: `${os.homedir()}/.npm`
+      });
+    }
+    catch {
+      current.existOnRemoteRegistry = false;
+    }
+  }
   current.addFlag("isDeprecated", deprecated === true);
   current.addFlag("hasCustomResolver", customResolvers.size > 0);
   current.addFlag("hasDependencies", dependencies.size > 0);
 
   if (currDepth !== maxDepth) {
     const config = {
-      exclude, currDepth: currDepth + 1, parent: current, maxDepth
+      exclude, currDepth: currDepth + 1, parent: current, maxDepth, registry
     };
 
     const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
@@ -76,7 +89,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
 }
 
 export async function* deepReadEdges(currentPackageName, options) {
-  const { to, parent, exclude, fullLockMode, includeDevDeps } = options;
+  const { to, parent, exclude, fullLockMode, includeDevDeps, registry } = options;
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
@@ -86,14 +99,19 @@ export async function* deepReadEdges(currentPackageName, options) {
   if (fullLockMode && !includeDevDeps) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
       ...NPM_TOKEN,
-      registry: getLocalRegistryURL(),
+      registry,
       cache: `${os.homedir()}/.npm`
     });
-    const { customResolvers } = mergeDependencies(pkg);
+    const { customResolvers, alias } = mergeDependencies(pkg);
 
+    current.alias = Object.fromEntries(alias);
     current.addFlag("hasValidIntegrity", _integrity === integrity);
     current.addFlag("isDeprecated");
     current.addFlag("hasCustomResolver", customResolvers.size > 0);
+
+    if (isGitDependency(to.resolved)) {
+      current.isGit(to.resolved);
+    }
   }
   current.addFlag("hasDependencies", to.edgesOut.size > 0);
 
@@ -108,7 +126,7 @@ export async function* deepReadEdges(currentPackageName, options) {
     }
     else {
       exclude.set(cleanName, new Set([current.fullName]));
-      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude });
+      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude, registry });
     }
   }
   yield current;
@@ -118,11 +136,24 @@ export async function* getRootDependencies(manifest, options) {
   const {
     maxDepth = 4, exclude,
     usePackageLock, fullLockMode, includeDevDeps,
-    location
+    location,
+    registry
   } = options;
 
-  const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
+  const { dependencies, customResolvers, alias } = mergeDependencies(manifest, void 0);
   const parent = new Dependency(manifest.name, manifest.version);
+  parent.alias = Object.fromEntries(alias);
+
+  try {
+    await pacote.manifest(`${manifest.name}@${manifest.version}`, {
+      ...NPM_TOKEN,
+      registry,
+      cache: `${os.homedir()}/.npm`
+    });
+  }
+  catch {
+    parent.existOnRemoteRegistry = false;
+  }
   parent.addFlag("hasCustomResolver", customResolvers.size > 0);
   parent.addFlag("hasDependencies", dependencies.size > 0);
 
@@ -131,7 +162,7 @@ export async function* getRootDependencies(manifest, options) {
     const arb = new Arborist({
       ...NPM_TOKEN,
       path: location,
-      registry: getLocalRegistryURL()
+      registry
     });
     let tree;
     try {
@@ -146,11 +177,18 @@ export async function* getRootDependencies(manifest, options) {
       ...iter
         .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
         .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
-        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, includeDevDeps, exclude }))
+        .map(([packageName, to]) => deepReadEdges(packageName, {
+          to,
+          parent,
+          fullLockMode,
+          includeDevDeps,
+          exclude,
+          registry
+        }))
     ];
   }
   else {
-    const configRef = { exclude, maxDepth, parent };
+    const configRef = { exclude, maxDepth, parent, registry };
     iterators = [
       ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
         .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
@@ -189,7 +227,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     fullLockMode = false,
     maxDepth,
     location,
-    vulnerabilityStrategy = vuln.strategies.NONE
+    vulnerabilityStrategy = vuln.strategies.NONE,
+    registry
   } = options;
 
   // Create TMP directory
@@ -218,7 +257,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version, dev } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
@@ -267,7 +306,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
           location,
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
-          logger
+          logger,
+          registry
         }));
       }
     }

package/src/tarball.js

@@ -14,7 +14,6 @@ import {
   NPM_TOKEN
 } from "./utils/index.js";
 import * as manifest from "./manifest.js";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 
 // CONSTANTS
 const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
@@ -47,7 +46,7 @@ export async function scanJavascriptFile(dest, file, packageName) {
 }
 
 export async function scanDirOrArchive(name, version, options) {
-  const { ref, location = process.cwd(), tmpLocation, locker } = options;
+  const { ref, location = process.cwd(), tmpLocation, locker, registry } = options;
 
   const isNpmTarball = !(tmpLocation === null);
   const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
@@ -58,7 +57,7 @@ export async function scanDirOrArchive(name, version, options) {
     if (isNpmTarball) {
       await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
         ...NPM_TOKEN,
-        registry: getLocalRegistryURL(),
+        registry,
         cache: `${os.homedir()}/.npm`
       });
       await timers.setImmediate();

package/src/utils/isGitDependency.js

@@ -1,5 +1,3 @@
-const kGitVersionVariants = ["git:", "git+", "github:"];
-
 /**
  * @example isGitDependency("github:NodeSecure/scanner") // => true
  * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
@@ -9,12 +7,5 @@ const kGitVersionVariants = ["git:", "git+", "github:"];
  * @returns {boolean}
  */
 export function isGitDependency(version) {
-  for (const variant of kGitVersionVariants) {
-    if (version.startsWith(variant)) {
-      return true;
-    }
-  }
-
-  return false;
+  return /^git(:|\+|hub:)/.test(version);
 }
-

package/src/utils/mergeDependencies.js

@@ -1,6 +1,7 @@
 export function mergeDependencies(manifest, types = ["dependencies"]) {
   const dependencies = new Map();
   const customResolvers = new Map();
+  const alias = new Map();
 
   for (const fieldName of types) {
     if (!Reflect.has(manifest, fieldName)) {
@@ -15,12 +16,15 @@ export function mergeDependencies(manifest, types = ["dependencies"]) {
        */
       if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
         customResolvers.set(name, version);
-        continue;
+        if (!version.startsWith("npm:")) {
+          continue;
+        }
+        alias.set(name, version.slice(4));
       }
 
       dependencies.set(name, version);
     }
   }
 
-  return { dependencies, customResolvers };
+  return { dependencies, customResolvers, alias };
 }

package/types/scanner.d.ts

@@ -34,6 +34,11 @@ declare namespace Scanner {
     /** Id of the package (useful for usedBy relation) */
     id: number;
     isDevDependency: boolean;
+    /**
+     * Tell if the given package exist on the configured remote registry (npm by default)
+     * @default true
+     */
+    existOnRemoteRegistry: boolean;
     /** By whom (id) is used the package */
     usedBy: Record<string, string>;
     /** Size on disk of the extracted tarball (in bytes) */
@@ -56,7 +61,7 @@ declare namespace Scanner {
      *
      * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
      */
-    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
     /** Tarball composition (files and dependencies) */
     composition: {
       /** Files extensions (.js, .md, .exe etc..) */
@@ -64,6 +69,7 @@ declare namespace Scanner {
       files: string[];
       /** Minified files (foo.min.js etc..) */
       minified: string[];
+      alias: Record<string, string>;
       required_files: string[];
       required_thirdparty: string[];
       required_nodejs: string[];
@@ -155,7 +161,7 @@ declare namespace Scanner {
     licenses: License[];
     ast: {
       dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+      warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
     };
   }
 
@@ -166,6 +172,7 @@ declare namespace Scanner {
      * @default 4
      */
     readonly maxDepth?: number;
+    readonly registry?: string | URL;
     /**
      * Use root package-lock.json. This will have the effect of triggering the Arborist package.
      *

package/types/tarball.d.ts

@@ -1,63 +1,63 @@
-import ntlp from "@nodesecure/ntlp";
-import Locker from "@slimio/lock";
-import Logger from "../src/logger.class";
-
-export = tarball;
-
-declare namespace tarball {
-  export interface ManifestData {
-    /** Dependencies in package.json */
-    packageDeps: string[];
-    /** DevDependencies in package.json */
-    packageDevDeps: string[];
-    /** Does package.json contain a 'gypfile' property ? */
-    packageGyp: boolean;
-  }
-
-  export interface ScannedFileResult {
-    /** Dependencies in try/catch block (probably optional dependencies) */
-    inTryDeps: string[];
-    /** Dependencies required or imported */
-    dependencies: string[];
-    /** Required or imported javascript files */
-    filesDependencies: string[];
-  }
-
-  export interface ScannedPackageResult {
-    files: {
-      /** Complete list of files for the given package */
-      list: string[];
-      /** Complete list of extensions (.js, .md etc.) */
-      extensions: string[];
-      /** List of minified javascript files */
-      minified: string[];
-    };
-    /** Size of the directory in bytes */
-    directorySize: number;
-    /** Unique license contained in the tarball (MIT, ISC ..) */
-    uniqueLicenseIds: string[];
-    /** All licenses with their SPDX */
-    licenses: ntlp.license[];
-    ast: {
-      dependencies: any;
-      warnings: any[];
-    };
-  }
-
-  export interface ScanDirOrArchiveOptions {
-    ref: any;
-    locker: Locker;
-    tmpLocation: string;
-    logger: Logger;
-  }
-
-  export interface ScanFileOptions {
-    name: string;
-    ref: any;
-  }
-
-  export function readManifest(dest: string, ref: any): Promise<ManifestData>;
-  export function scanFile(dest: string, file: string, options: ScanFileOptions): Promise<ScannedFileResult | null>;
-  export function scanPackage(dest: string, packageName: string): Promise<ScannedPackageResult>;
-  export function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
-}
+import ntlp from "@nodesecure/ntlp";
+import Locker from "@slimio/lock";
+import Logger from "../src/logger.class";
+
+export = tarball;
+
+declare namespace tarball {
+  export interface ManifestData {
+    /** Dependencies in package.json */
+    packageDeps: string[];
+    /** DevDependencies in package.json */
+    packageDevDeps: string[];
+    /** Does package.json contain a 'gypfile' property ? */
+    packageGyp: boolean;
+  }
+
+  export interface ScannedFileResult {
+    /** Dependencies in try/catch block (probably optional dependencies) */
+    inTryDeps: string[];
+    /** Dependencies required or imported */
+    dependencies: string[];
+    /** Required or imported javascript files */
+    filesDependencies: string[];
+  }
+
+  export interface ScannedPackageResult {
+    files: {
+      /** Complete list of files for the given package */
+      list: string[];
+      /** Complete list of extensions (.js, .md etc.) */
+      extensions: string[];
+      /** List of minified javascript files */
+      minified: string[];
+    };
+    /** Size of the directory in bytes */
+    directorySize: number;
+    /** Unique license contained in the tarball (MIT, ISC ..) */
+    uniqueLicenseIds: string[];
+    /** All licenses with their SPDX */
+    licenses: ntlp.license[];
+    ast: {
+      dependencies: any;
+      warnings: any[];
+    };
+  }
+
+  export interface ScanDirOrArchiveOptions {
+    ref: any;
+    locker: Locker;
+    tmpLocation: string;
+    logger: Logger;
+  }
+
+  export interface ScanFileOptions {
+    name: string;
+    ref: any;
+  }
+
+  export function readManifest(dest: string, ref: any): Promise<ManifestData>;
+  export function scanFile(dest: string, file: string, options: ScanFileOptions): Promise<ScannedFileResult | null>;
+  export function scanPackage(dest: string, packageName?: string): Promise<ScannedPackageResult>;
+  export function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
+}