@nodesecure/scanner 3.7.0 → 3.8.1

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2021 NodeSecure
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2021 NodeSecure
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,10 +1,10 @@
 # NodeSecure Scanner
 ![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
 [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
-[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
-)
+[![OpenSSF
+Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner/badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner)
 [![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
+![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/scanner/node.js.yml)
 
 ⚡️ Run a static analysis of your module's dependencies.
 
@@ -71,7 +71,7 @@ interface Options {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-6-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -80,14 +80,21 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->
 <table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
-    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
-    <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
-  </tr>
+  <tbody>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+      <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
+      <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt="Haze"/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
+      <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt="Maksim Balabash"/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
+      <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine Coulon"/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
+      <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
+      <td align="center"><a href="http://sofiand.github.io/portfolio-client/"><img src="https://avatars.githubusercontent.com/u/39944043?v=4?s=100" width="100px;" alt="Yefis"/><br /><sub><b>Yefis</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=SofianD" title="Code">💻</a></td>
+    </tr>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Aekk0" title="Code">💻</a></td>
+      <td align="center"><a href="https://www.linkedin.com/in/ange-tekeu-a155811b4/"><img src="https://avatars.githubusercontent.com/u/35274201?v=4?s=100" width="100px;" alt="Ange TEKEU"/><br /><sub><b>Ange TEKEU</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tekeuange23" title="Code">💻</a></td>
+    </tr>
+  </tbody>
 </table>
 
 <!-- markdownlint-restore -->

package/index.d.ts

@@ -1,14 +1,14 @@
-import Scanner from "./types/scanner";
-import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
-import { depWalker } from "./types/walker";
-import { Logger, LoggerEventData } from "./types/logger";
-import tarball from "./types/tarball";
-
-export {
-  cwd, from, verify, ScannerLoggerEvents,
-  Scanner,
-  Logger,
-  LoggerEventData,
-  tarball,
-  depWalker
-}
+import Scanner from "./types/scanner";
+import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
+import { depWalker } from "./types/walker";
+import { Logger, LoggerEventData } from "./types/logger";
+import tarball from "./types/tarball";
+
+export {
+  cwd, from, verify, ScannerLoggerEvents,
+  Scanner,
+  Logger,
+  LoggerEventData,
+  tarball,
+  depWalker
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.7.0",
+  "version": "3.8.1",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -48,39 +48,39 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.4.1",
+    "@nodesecure/eslint-config": "^1.6.0",
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
-    "@types/node": "^18.0.0",
-    "c8": "^7.11.3",
+    "@types/node": "^18.11.18",
+    "c8": "^7.12.0",
     "cross-env": "^7.0.3",
-    "dotenv": "^16.0.1",
-    "eslint": "^8.18.0",
-    "get-folder-size": "^3.1.0",
+    "dotenv": "^16.0.3",
+    "eslint": "^8.31.0",
+    "get-folder-size": "^4.0.0",
     "pkg-ok": "^3.0.0",
-    "sinon": "^14.0.0",
+    "sinon": "^15.0.1",
     "snap-shot-core": "^10.2.4",
-    "tape": "^5.5.3"
+    "tape": "^5.6.1"
   },
   "dependencies": {
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^2.0.0",
-    "@nodesecure/js-x-ray": "^5.0.1",
-    "@nodesecure/npm-registry-sdk": "^1.4.0",
-    "@nodesecure/ntlp": "^2.1.0",
+    "@nodesecure/i18n": "^2.1.1",
+    "@nodesecure/js-x-ray": "^5.1.0",
+    "@nodesecure/npm-registry-sdk": "^1.4.1",
+    "@nodesecure/ntlp": "^2.2.0",
     "@nodesecure/utils": "^1.0.0",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^5.2.3",
+    "@npmcli/arborist": "^6.1.5",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^13.6.1",
-    "semver": "^7.3.7"
+    "pacote": "^15.0.8",
+    "semver": "^7.3.8"
   },
   "type": "module"
 }

package/src/class/dependency.class.js

@@ -9,6 +9,8 @@ export default class Dependency {
     this.name = name;
     this.version = version;
     this.dev = false;
+    this.existOnRemoteRegistry = true;
+    this.alias = {};
 
     if (parent !== null) {
       parent.dependencyCount++;
@@ -62,6 +64,7 @@ export default class Dependency {
           id: typeof customId === "number" ? customId : Dependency.currentId++,
           usedBy: this.parent,
           isDevDependency: this.dev,
+          existOnRemoteRegistry: this.existOnRemoteRegistry,
           flags: this.flags,
           description: "",
           size: 0,
@@ -76,6 +79,7 @@ export default class Dependency {
             minified: [],
             unused: [],
             missing: [],
+            alias: this.alias,
             required_files: [],
             required_nodejs: [],
             required_thirdparty: [],

package/src/class/logger.class.js

@@ -1,54 +1,54 @@
-// Import Node.js Dependencies
-import { EventEmitter } from "events";
-import { performance } from "perf_hooks";
-
-export default class Logger extends EventEmitter {
-  constructor() {
-    super();
-
-    this.events = new Map();
-  }
-
-  start(eventName) {
-    if (this.events.has(eventName)) {
-      return this;
-    }
-
-    this.events.set(eventName, {
-      startedAt: performance.now(),
-      count: 0
-    });
-    this.emit("start", eventName);
-
-    return this;
-  }
-
-  tick(eventName) {
-    if (!this.events.has(eventName)) {
-      return this;
-    }
-
-    this.events.get(eventName).count++;
-    this.emit("tick", eventName);
-
-    return this;
-  }
-
-  count(eventName) {
-    return this.events.get(eventName)?.count ?? 0;
-  }
-
-  end(eventName) {
-    if (!this.events.has(eventName)) {
-      return this;
-    }
-
-    const data = this.events.get(eventName);
-    this.emit("end", eventName, {
-      ...data,
-      executionTime: performance.now() - data.startedAt
-    });
-
-    return this;
-  }
-}
+// Import Node.js Dependencies
+import { EventEmitter } from "events";
+import { performance } from "perf_hooks";
+
+export default class Logger extends EventEmitter {
+  constructor() {
+    super();
+
+    this.events = new Map();
+  }
+
+  start(eventName) {
+    if (this.events.has(eventName)) {
+      return this;
+    }
+
+    this.events.set(eventName, {
+      startedAt: performance.now(),
+      count: 0
+    });
+    this.emit("start", eventName);
+
+    return this;
+  }
+
+  tick(eventName) {
+    if (!this.events.has(eventName)) {
+      return this;
+    }
+
+    this.events.get(eventName).count++;
+    this.emit("tick", eventName);
+
+    return this;
+  }
+
+  count(eventName) {
+    return this.events.get(eventName)?.count ?? 0;
+  }
+
+  end(eventName) {
+    if (!this.events.has(eventName)) {
+      return this;
+    }
+
+    const data = this.events.get(eventName);
+    this.emit("end", eventName, {
+      ...data,
+      executionTime: performance.now() - data.startedAt
+    });
+
+    return this;
+  }
+}

package/src/constants.js

@@ -1,13 +1,13 @@
-
-export const ScannerLoggerEvents = {
-  done: "depWalkerFinished",
-  analysis: {
-    tree: "walkTree",
-    tarball: "tarball",
-    registry: "registry"
-  },
-  manifest: {
-    read: "readManifest",
-    fetch: "fetchManifest"
-  }
-};
+
+export const ScannerLoggerEvents = {
+  done: "depWalkerFinished",
+  analysis: {
+    tree: "walkTree",
+    tarball: "tarball",
+    registry: "registry"
+  },
+  manifest: {
+    read: "readManifest",
+    fetch: "fetchManifest"
+  }
+};

package/src/depWalker.js

@@ -37,10 +37,24 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
     registry,
     cache: `${os.homedir()}/.npm`
   });
-  const { dependencies, customResolvers } = mergeDependencies(pkg);
+  const { dependencies, customResolvers, alias } = mergeDependencies(pkg);
 
   const current = new Dependency(name, version, parent);
-  gitURL !== null && current.isGit(gitURL);
+  current.alias = Object.fromEntries(alias);
+
+  if (gitURL !== null) {
+    current.isGit(gitURL);
+    try {
+      await pacote.manifest(`${name}@${version}`, {
+        ...NPM_TOKEN,
+        registry,
+        cache: `${os.homedir()}/.npm`
+      });
+    }
+    catch {
+      current.existOnRemoteRegistry = false;
+    }
+  }
   current.addFlag("isDeprecated", deprecated === true);
   current.addFlag("hasCustomResolver", customResolvers.size > 0);
   current.addFlag("hasDependencies", dependencies.size > 0);
@@ -88,11 +102,16 @@ export async function* deepReadEdges(currentPackageName, options) {
       registry,
       cache: `${os.homedir()}/.npm`
     });
-    const { customResolvers } = mergeDependencies(pkg);
+    const { customResolvers, alias } = mergeDependencies(pkg);
 
+    current.alias = Object.fromEntries(alias);
     current.addFlag("hasValidIntegrity", _integrity === integrity);
     current.addFlag("isDeprecated");
     current.addFlag("hasCustomResolver", customResolvers.size > 0);
+
+    if (isGitDependency(to.resolved)) {
+      current.isGit(to.resolved);
+    }
   }
   current.addFlag("hasDependencies", to.edgesOut.size > 0);
 
@@ -121,8 +140,20 @@ export async function* getRootDependencies(manifest, options) {
     registry
   } = options;
 
-  const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
+  const { dependencies, customResolvers, alias } = mergeDependencies(manifest, void 0);
   const parent = new Dependency(manifest.name, manifest.version);
+  parent.alias = Object.fromEntries(alias);
+
+  try {
+    await pacote.manifest(`${manifest.name}@${manifest.version}`, {
+      ...NPM_TOKEN,
+      registry,
+      cache: `${os.homedir()}/.npm`
+    });
+  }
+  catch {
+    parent.existOnRemoteRegistry = false;
+  }
   parent.addFlag("hasCustomResolver", customResolvers.size > 0);
   parent.addFlag("hasDependencies", dependencies.size > 0);
 

package/src/utils/addMissingVersionFlags.js

@@ -1,24 +1,24 @@
-/**
- * @param {Set<string>} flags
- * @param {import("../../types/scanner").Dependency} descriptor
- */
-export function* addMissingVersionFlags(flags, descriptor) {
-  const { metadata, vulnerabilities = [], versions } = descriptor;
-  const semverVersions = Object.keys(versions);
-
-  if (!metadata.hasReceivedUpdateInOneYear && flags.has("hasOutdatedDependency") && !flags.has("isDead")) {
-    yield "isDead";
-  }
-  if (metadata.hasManyPublishers && !flags.has("hasManyPublishers")) {
-    yield "hasManyPublishers";
-  }
-  if (metadata.hasChangedAuthor && !flags.has("hasChangedAuthor")) {
-    yield "hasChangedAuthor";
-  }
-  if (vulnerabilities.length > 0 && !flags.has("hasVulnerabilities")) {
-    yield "hasVulnerabilities";
-  }
-  if (semverVersions.length > 1 && !flags.has("hasDuplicate")) {
-    yield "hasDuplicate";
-  }
-}
+/**
+ * @param {Set<string>} flags
+ * @param {import("../../types/scanner").Dependency} descriptor
+ */
+export function* addMissingVersionFlags(flags, descriptor) {
+  const { metadata, vulnerabilities = [], versions } = descriptor;
+  const semverVersions = Object.keys(versions);
+
+  if (!metadata.hasReceivedUpdateInOneYear && flags.has("hasOutdatedDependency") && !flags.has("isDead")) {
+    yield "isDead";
+  }
+  if (metadata.hasManyPublishers && !flags.has("hasManyPublishers")) {
+    yield "hasManyPublishers";
+  }
+  if (metadata.hasChangedAuthor && !flags.has("hasChangedAuthor")) {
+    yield "hasChangedAuthor";
+  }
+  if (vulnerabilities.length > 0 && !flags.has("hasVulnerabilities")) {
+    yield "hasVulnerabilities";
+  }
+  if (semverVersions.length > 1 && !flags.has("hasDuplicate")) {
+    yield "hasDuplicate";
+  }
+}

package/src/utils/booleanToFlags.js

@@ -1,12 +1,12 @@
-/**
- * @param {Record<string, boolean>} flagsRecord
- * @example
- * console.log(...booleanToFlags({ hasScript: true })); // "hasScript"
- */
-export function* booleanToFlags(flagsRecord) {
-  for (const [flagName, boolValue] of Object.entries(flagsRecord)) {
-    if (boolValue) {
-      yield flagName;
-    }
-  }
-}
+/**
+ * @param {Record<string, boolean>} flagsRecord
+ * @example
+ * console.log(...booleanToFlags({ hasScript: true })); // "hasScript"
+ */
+export function* booleanToFlags(flagsRecord) {
+  for (const [flagName, boolValue] of Object.entries(flagsRecord)) {
+    if (boolValue) {
+      yield flagName;
+    }
+  }
+}

package/src/utils/dirname.js

@@ -1,9 +1,9 @@
-// Import Node.js Dependencies
-import { fileURLToPath } from "url";
-import { dirname } from "path";
-
-export function getDirNameFromUrl(url) {
-  const __filename = fileURLToPath(url);
-
-  return dirname(__filename);
-}
+// Import Node.js Dependencies
+import { fileURLToPath } from "url";
+import { dirname } from "path";
+
+export function getDirNameFromUrl(url) {
+  const __filename = fileURLToPath(url);
+
+  return dirname(__filename);
+}

package/src/utils/filterDependencyKind.js

@@ -1,44 +1,44 @@
-// Import Node.js Dependencies
-import path from "path";
-
-// CONSTANTS
-const kRelativeImportPath = new Set([".", "..", "./", "../"]);
-
-/**
- * @see https://nodejs.org/docs/latest/api/modules.html#file-modules
- *
- * @param {IterableIterator<string>} dependencies
- * @param {!string} relativeFileLocation
- */
-export function filterDependencyKind(dependencies, relativeFileLocation) {
-  const packages = [];
-  const files = [];
-
-  for (const moduleNameOrPath of dependencies) {
-    const firstChar = moduleNameOrPath.charAt(0);
-
-    /**
-     * @example
-     * require("..");
-     * require("/home/marco/foo.js");
-     */
-    if (firstChar === "." || firstChar === "/") {
-      // Note: condition only possible for CJS
-      if (kRelativeImportPath.has(moduleNameOrPath)) {
-        files.push(path.join(moduleNameOrPath, "index.js"));
-      }
-      else {
-        // Note: we are speculating that the extension is .js (but it could be .json or .node)
-        const fixedFileName = path.extname(moduleNameOrPath) === "" ?
-          `${moduleNameOrPath}.js` : moduleNameOrPath;
-
-        files.push(path.join(relativeFileLocation, fixedFileName));
-      }
-    }
-    else {
-      packages.push(moduleNameOrPath);
-    }
-  }
-
-  return { packages, files };
-}
+// Import Node.js Dependencies
+import path from "path";
+
+// CONSTANTS
+const kRelativeImportPath = new Set([".", "..", "./", "../"]);
+
+/**
+ * @see https://nodejs.org/docs/latest/api/modules.html#file-modules
+ *
+ * @param {IterableIterator<string>} dependencies
+ * @param {!string} relativeFileLocation
+ */
+export function filterDependencyKind(dependencies, relativeFileLocation) {
+  const packages = [];
+  const files = [];
+
+  for (const moduleNameOrPath of dependencies) {
+    const firstChar = moduleNameOrPath.charAt(0);
+
+    /**
+     * @example
+     * require("..");
+     * require("/home/marco/foo.js");
+     */
+    if (firstChar === "." || firstChar === "/") {
+      // Note: condition only possible for CJS
+      if (kRelativeImportPath.has(moduleNameOrPath)) {
+        files.push(path.join(moduleNameOrPath, "index.js"));
+      }
+      else {
+        // Note: we are speculating that the extension is .js (but it could be .json or .node)
+        const fixedFileName = path.extname(moduleNameOrPath) === "" ?
+          `${moduleNameOrPath}.js` : moduleNameOrPath;
+
+        files.push(path.join(relativeFileLocation, fixedFileName));
+      }
+    }
+    else {
+      packages.push(moduleNameOrPath);
+    }
+  }
+
+  return { packages, files };
+}

package/src/utils/getPackageName.js

@@ -1,21 +1,21 @@
-// CONSTANTS
-const kPackageSeparator = "/";
-const kPackageOrgSymbol = "@";
-
-/**
- * @see https://github.com/npm/validate-npm-package-name#naming-rules
- *
- * @param {!string} name full package name
- * @returns {string}
- *
- * @example
- * getPackageName("foo"); // foo
- * getPackageName("foo/bar"); // foo
- * getPackageName("@org/bar"); // @org/bar
- */
-export function getPackageName(name) {
-  const parts = name.split(kPackageSeparator);
-
-  // Note: only scoped package are allowed to start with @
-  return name.startsWith(kPackageOrgSymbol) ? `${parts[0]}/${parts[1]}` : parts[0];
-}
+// CONSTANTS
+const kPackageSeparator = "/";
+const kPackageOrgSymbol = "@";
+
+/**
+ * @see https://github.com/npm/validate-npm-package-name#naming-rules
+ *
+ * @param {!string} name full package name
+ * @returns {string}
+ *
+ * @example
+ * getPackageName("foo"); // foo
+ * getPackageName("foo/bar"); // foo
+ * getPackageName("@org/bar"); // @org/bar
+ */
+export function getPackageName(name) {
+  const parts = name.split(kPackageSeparator);
+
+  // Note: only scoped package are allowed to start with @
+  return name.startsWith(kPackageOrgSymbol) ? `${parts[0]}/${parts[1]}` : parts[0];
+}

package/src/utils/getTarballComposition.js

@@ -1,38 +1,38 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-
-// Import Third-party Dependencies
-import { walk } from "@nodesecure/fs-walk";
-
-export async function getTarballComposition(tarballDir) {
-  const ext = new Set();
-  const files = [];
-  const dirs = [];
-  let { size } = await fs.stat(tarballDir);
-
-  for await (const [dirent, file] of walk(tarballDir)) {
-    if (dirent.isFile()) {
-      ext.add(path.extname(file));
-      files.push(file);
-    }
-    else if (dirent.isDirectory()) {
-      dirs.push(file);
-    }
-  }
-
-  const sizeUnfilteredResult = await Promise.allSettled([
-    ...files.map((file) => fs.stat(file)),
-    ...dirs.map((file) => fs.stat(file))
-  ]);
-  const sizeAll = sizeUnfilteredResult
-    .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
-    .map((promiseSettledResult) => promiseSettledResult.value);
-  size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
-
-  return {
-    ext,
-    size,
-    files: files.map((fileLocation) => path.relative(tarballDir, fileLocation)).sort()
-  };
-}
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+
+// Import Third-party Dependencies
+import { walk } from "@nodesecure/fs-walk";
+
+export async function getTarballComposition(tarballDir) {
+  const ext = new Set();
+  const files = [];
+  const dirs = [];
+  let { size } = await fs.stat(tarballDir);
+
+  for await (const [dirent, file] of walk(tarballDir)) {
+    if (dirent.isFile()) {
+      ext.add(path.extname(file));
+      files.push(file);
+    }
+    else if (dirent.isDirectory()) {
+      dirs.push(file);
+    }
+  }
+
+  const sizeUnfilteredResult = await Promise.allSettled([
+    ...files.map((file) => fs.stat(file)),
+    ...dirs.map((file) => fs.stat(file))
+  ]);
+  const sizeAll = sizeUnfilteredResult
+    .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+    .map((promiseSettledResult) => promiseSettledResult.value);
+  size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
+
+  return {
+    ext,
+    size,
+    files: files.map((fileLocation) => path.relative(tarballDir, fileLocation)).sort()
+  };
+}

package/src/utils/isGitDependency.js

@@ -1,5 +1,3 @@
-const kGitVersionVariants = ["git:", "git+", "github:"];
-
 /**
  * @example isGitDependency("github:NodeSecure/scanner") // => true
  * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
@@ -9,12 +7,5 @@ const kGitVersionVariants = ["git:", "git+", "github:"];
  * @returns {boolean}
  */
 export function isGitDependency(version) {
-  for (const variant of kGitVersionVariants) {
-    if (version.startsWith(variant)) {
-      return true;
-    }
-  }
-
-  return false;
+  return /^git(:|\+|hub:)/.test(version);
 }
-

package/src/utils/isSensitiveFile.js

@@ -1,17 +1,17 @@
-// Import Node.js Dependencies
-import path from "path";
-
-// CONSTANTS
-const kSensitiveFileName = new Set([".npmrc", ".env"]);
-const kSensitiveFileExtension = new Set([".key", ".pem"]);
-
-/**
- * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
- *
- * @param {!string} fileName
- * @returns {boolean}
- */
-export function isSensitiveFile(fileName) {
-  return kSensitiveFileName.has(path.basename(fileName)) ||
-    kSensitiveFileExtension.has(path.extname(fileName));
-}
+// Import Node.js Dependencies
+import path from "path";
+
+// CONSTANTS
+const kSensitiveFileName = new Set([".npmrc", ".env"]);
+const kSensitiveFileExtension = new Set([".key", ".pem"]);
+
+/**
+ * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
+ *
+ * @param {!string} fileName
+ * @returns {boolean}
+ */
+export function isSensitiveFile(fileName) {
+  return kSensitiveFileName.has(path.basename(fileName)) ||
+    kSensitiveFileExtension.has(path.extname(fileName));
+}

package/src/utils/mergeDependencies.js

@@ -1,6 +1,7 @@
 export function mergeDependencies(manifest, types = ["dependencies"]) {
   const dependencies = new Map();
   const customResolvers = new Map();
+  const alias = new Map();
 
   for (const fieldName of types) {
     if (!Reflect.has(manifest, fieldName)) {
@@ -15,12 +16,15 @@ export function mergeDependencies(manifest, types = ["dependencies"]) {
        */
       if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
         customResolvers.set(name, version);
-        continue;
+        if (!version.startsWith("npm:")) {
+          continue;
+        }
+        alias.set(name, version.slice(4));
       }
 
       dependencies.set(name, version);
     }
   }
 
-  return { dependencies, customResolvers };
+  return { dependencies, customResolvers, alias };
 }

package/src/utils/semver.js

@@ -1,49 +1,49 @@
-// Import Third-party Dependencies
-import pacote from "pacote";
-import semver from "semver";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// Import Internal Dependencies
-import { NPM_TOKEN } from "./index.js";
-
-/**
- * @param {!string} version semver range
- * @returns {string} semver version
- *
- * @example
- * cleanRange(">=1.5.0"); // 1.5.0
- * cleanRange("^2.0.0"); // 2.0.0
- */
-export function cleanRange(version) {
-  // TODO: how do we handle complicated range like pkg-name@1 || 2 or pkg-name@2.1.2 < 3
-  const firstChar = version.charAt(0);
-  if (firstChar === "^" || firstChar === "<" || firstChar === ">" || firstChar === "=" || firstChar === "~") {
-    return version.slice(version.charAt(1) === "=" ? 2 : 1);
-  }
-
-  return version;
-}
-
-/**
- * @param {!string} depName dependency name (WITHOUT version/range)
- * @param {!string} range semver range, ex: >=1.5.0
- */
-export async function getExpectedSemVer(depName, range) {
-  try {
-    const { versions, "dist-tags": { latest } } = await pacote.packument(depName, {
-      ...NPM_TOKEN, registry: getLocalRegistryURL()
-    });
-    const currVersion = semver.maxSatisfying(Object.keys(versions), range);
-
-    return currVersion === null ? [latest, true] : [currVersion, semver.eq(latest, currVersion)];
-  }
-  catch (err) {
-    return [cleanRange(range), true];
-  }
-}
-
-export async function getCleanDependencyName([depName, range]) {
-  const [depVer, isLatest] = await getExpectedSemVer(depName, range);
-
-  return [`${depName}@${range}`, `${depName}@${depVer}`, isLatest];
-}
+// Import Third-party Dependencies
+import pacote from "pacote";
+import semver from "semver";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+
+// Import Internal Dependencies
+import { NPM_TOKEN } from "./index.js";
+
+/**
+ * @param {!string} version semver range
+ * @returns {string} semver version
+ *
+ * @example
+ * cleanRange(">=1.5.0"); // 1.5.0
+ * cleanRange("^2.0.0"); // 2.0.0
+ */
+export function cleanRange(version) {
+  // TODO: how do we handle complicated range like pkg-name@1 || 2 or pkg-name@2.1.2 < 3
+  const firstChar = version.charAt(0);
+  if (firstChar === "^" || firstChar === "<" || firstChar === ">" || firstChar === "=" || firstChar === "~") {
+    return version.slice(version.charAt(1) === "=" ? 2 : 1);
+  }
+
+  return version;
+}
+
+/**
+ * @param {!string} depName dependency name (WITHOUT version/range)
+ * @param {!string} range semver range, ex: >=1.5.0
+ */
+export async function getExpectedSemVer(depName, range) {
+  try {
+    const { versions, "dist-tags": { latest } } = await pacote.packument(depName, {
+      ...NPM_TOKEN, registry: getLocalRegistryURL()
+    });
+    const currVersion = semver.maxSatisfying(Object.keys(versions), range);
+
+    return currVersion === null ? [latest, true] : [currVersion, semver.eq(latest, currVersion)];
+  }
+  catch (err) {
+    return [cleanRange(range), true];
+  }
+}
+
+export async function getCleanDependencyName([depName, range]) {
+  const [depVer, isLatest] = await getExpectedSemVer(depName, range);
+
+  return [`${depName}@${range}`, `${depName}@${depVer}`, isLatest];
+}

package/src/utils/warnings.js

@@ -1,36 +1,36 @@
-// Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
-
-// CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kWarningsMessages = Object.freeze({
-  "@scarf/scarf": getToken("warnings.disable_scarf"),
-  iohook: getToken("warnings.keylogging")
-});
-const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
-
-function getWarning(depName) {
-  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
-}
-
-export function getDependenciesWarnings(dependencies) {
-  const warnings = [];
-  for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
-      warnings.push(getWarning(depName));
-    }
-  }
-
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
-}
-
+// Import Third-party Dependencies
+import { getToken, taggedString } from "@nodesecure/i18n";
+
+// CONSTANTS
+const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kWarningsMessages = Object.freeze({
+  "@scarf/scarf": getToken("warnings.disable_scarf"),
+  iohook: getToken("warnings.keylogging")
+});
+const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+
+function getWarning(depName) {
+  return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
+}
+
+export function getDependenciesWarnings(dependencies) {
+  const warnings = [];
+  for (const depName of kPackages) {
+    if (dependencies.has(depName)) {
+      warnings.push(getWarning(depName));
+    }
+  }
+
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
+
+  return warnings;
+}
+

package/types/api.d.ts

@@ -1,5 +1,5 @@
-import Scanner from "./scanner";
-import { Logger, LoggerEvents } from "./logger";
+import Scanner from "./scanner.js";
+import { Logger, LoggerEvents } from "./logger.js";
 
 export {
   cwd,

package/types/logger.d.ts

@@ -1,38 +1,38 @@
-import { EventEmitter } from "events";
-
-export {
-  Logger,
-  LoggerEventData,
-  LoggerEvents
-}
-
-interface LoggerEvents {
-  readonly done: "depWalkerFinished";
-  readonly analysis: {
-      readonly tree: "walkTree";
-      readonly tarball: "tarball";
-      readonly registry: "registry";
-  };
-  readonly manifest: {
-      readonly read: "readManifest";
-      readonly fetch: "fetchManifest";
-  };
-}
-
-interface LoggerEventData {
-  /** UNIX Timestamp */
-  startedAt: number;
-  /** Count of triggered event */
-  count: number;
-}
-
-declare class Logger extends EventEmitter {
-  public events: Map<string, LoggerEventData>;
-
-  constructor();
-
-  start(eventName: string): Logger;
-  end(eventName: string): Logger;
-  tick(eventName: string): Logger;
-  count(eventName: string): number;
-}
+import { EventEmitter } from "events";
+
+export {
+  Logger,
+  LoggerEventData,
+  LoggerEvents
+}
+
+interface LoggerEvents {
+  readonly done: "depWalkerFinished";
+  readonly analysis: {
+      readonly tree: "walkTree";
+      readonly tarball: "tarball";
+      readonly registry: "registry";
+  };
+  readonly manifest: {
+      readonly read: "readManifest";
+      readonly fetch: "fetchManifest";
+  };
+}
+
+interface LoggerEventData {
+  /** UNIX Timestamp */
+  startedAt: number;
+  /** Count of triggered event */
+  count: number;
+}
+
+declare class Logger extends EventEmitter {
+  public events: Map<string, LoggerEventData>;
+
+  constructor();
+
+  start(eventName: string): Logger;
+  end(eventName: string): Logger;
+  tick(eventName: string): Logger;
+  count(eventName: string): number;
+}

package/types/scanner.d.ts

@@ -2,7 +2,6 @@
 import * as JSXRay from "@nodesecure/js-x-ray";
 import { license as License } from "@nodesecure/ntlp";
 import * as Vuln from "@nodesecure/vuln";
-import { Flags } from "@nodesecure/flags";
 
 // Import Third-party Dependencies
 import { Maintainer } from "@npm/types";
@@ -34,6 +33,11 @@ declare namespace Scanner {
     /** Id of the package (useful for usedBy relation) */
     id: number;
     isDevDependency: boolean;
+    /**
+     * Tell if the given package exist on the configured remote registry (npm by default)
+     * @default true
+     */
+    existOnRemoteRegistry: boolean;
     /** By whom (id) is used the package */
     usedBy: Record<string, string>;
     /** Size on disk of the extracted tarball (in bytes) */
@@ -56,7 +60,7 @@ declare namespace Scanner {
      *
      * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
      */
-    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
     /** Tarball composition (files and dependencies) */
     composition: {
       /** Files extensions (.js, .md, .exe etc..) */
@@ -64,6 +68,7 @@ declare namespace Scanner {
       files: string[];
       /** Minified files (foo.min.js etc..) */
       minified: string[];
+      alias: Record<string, string>;
       required_files: string[];
       required_thirdparty: string[];
       required_nodejs: string[];
@@ -83,7 +88,7 @@ declare namespace Scanner {
      *
      * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
      */
-    flags: Flags[];
+    flags: string[];
     /**
      * If the dependency is a GIT repository
      */
@@ -155,7 +160,7 @@ declare namespace Scanner {
     licenses: License[];
     ast: {
       dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+      warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
     };
   }
 

package/types/tarball.d.ts

@@ -1,63 +1,63 @@
-import ntlp from "@nodesecure/ntlp";
-import Locker from "@slimio/lock";
-import Logger from "../src/logger.class";
-
-export = tarball;
-
-declare namespace tarball {
-  export interface ManifestData {
-    /** Dependencies in package.json */
-    packageDeps: string[];
-    /** DevDependencies in package.json */
-    packageDevDeps: string[];
-    /** Does package.json contain a 'gypfile' property ? */
-    packageGyp: boolean;
-  }
-
-  export interface ScannedFileResult {
-    /** Dependencies in try/catch block (probably optional dependencies) */
-    inTryDeps: string[];
-    /** Dependencies required or imported */
-    dependencies: string[];
-    /** Required or imported javascript files */
-    filesDependencies: string[];
-  }
-
-  export interface ScannedPackageResult {
-    files: {
-      /** Complete list of files for the given package */
-      list: string[];
-      /** Complete list of extensions (.js, .md etc.) */
-      extensions: string[];
-      /** List of minified javascript files */
-      minified: string[];
-    };
-    /** Size of the directory in bytes */
-    directorySize: number;
-    /** Unique license contained in the tarball (MIT, ISC ..) */
-    uniqueLicenseIds: string[];
-    /** All licenses with their SPDX */
-    licenses: ntlp.license[];
-    ast: {
-      dependencies: any;
-      warnings: any[];
-    };
-  }
-
-  export interface ScanDirOrArchiveOptions {
-    ref: any;
-    locker: Locker;
-    tmpLocation: string;
-    logger: Logger;
-  }
-
-  export interface ScanFileOptions {
-    name: string;
-    ref: any;
-  }
-
-  export function readManifest(dest: string, ref: any): Promise<ManifestData>;
-  export function scanFile(dest: string, file: string, options: ScanFileOptions): Promise<ScannedFileResult | null>;
-  export function scanPackage(dest: string, packageName: string): Promise<ScannedPackageResult>;
-  export function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
-}
+import ntlp from "@nodesecure/ntlp";
+import Locker from "@slimio/lock";
+import { Logger } from "./logger.js";
+
+export = tarball;
+
+declare namespace tarball {
+  export interface ManifestData {
+    /** Dependencies in package.json */
+    packageDeps: string[];
+    /** DevDependencies in package.json */
+    packageDevDeps: string[];
+    /** Does package.json contain a 'gypfile' property ? */
+    packageGyp: boolean;
+  }
+
+  export interface ScannedFileResult {
+    /** Dependencies in try/catch block (probably optional dependencies) */
+    inTryDeps: string[];
+    /** Dependencies required or imported */
+    dependencies: string[];
+    /** Required or imported javascript files */
+    filesDependencies: string[];
+  }
+
+  export interface ScannedPackageResult {
+    files: {
+      /** Complete list of files for the given package */
+      list: string[];
+      /** Complete list of extensions (.js, .md etc.) */
+      extensions: string[];
+      /** List of minified javascript files */
+      minified: string[];
+    };
+    /** Size of the directory in bytes */
+    directorySize: number;
+    /** Unique license contained in the tarball (MIT, ISC ..) */
+    uniqueLicenseIds: string[];
+    /** All licenses with their SPDX */
+    licenses: ntlp.license[];
+    ast: {
+      dependencies: any;
+      warnings: any[];
+    };
+  }
+
+  export interface ScanDirOrArchiveOptions {
+    ref: any;
+    locker: Locker;
+    tmpLocation: string;
+    logger: Logger;
+  }
+
+  export interface ScanFileOptions {
+    name: string;
+    ref: any;
+  }
+
+  export function readManifest(dest: string, ref: any): Promise<ManifestData>;
+  export function scanFile(dest: string, file: string, options: ScanFileOptions): Promise<ScannedFileResult | null>;
+  export function scanPackage(dest: string, packageName?: string): Promise<ScannedPackageResult>;
+  export function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
+}

package/types/walker.d.ts

@@ -1,8 +1,8 @@
-import { Manifest } from "@npm/types";
-import Scanner from "./scanner";
-
-export {
-  depWalker
-}
-
-declare function depWalker(manifest: Manifest, options?: Scanner.Options);
+import { Manifest } from "@npm/types";
+import Scanner from "./scanner.js";
+
+export {
+  depWalker
+}
+
+declare function depWalker(manifest: Manifest, options?: Scanner.Options);