@nodesecure/scanner 5.3.0 → 6.0.0

package/dist/types.d.ts

@@ -0,0 +1,216 @@
+import * as JSXRay from "@nodesecure/js-x-ray";
+import * as Vulnera from "@nodesecure/vuln";
+import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
+import type { IlluminatedContact } from "@nodesecure/contact";
+import type { Contact } from "@nodesecure/npm-types";
+export type Maintainer = Contact & {
+    /**
+     * Path to publisher's avatar on "https://www.npmjs.com"
+     * @example /npm-avatar/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.LwimMJA3puF3ioGeS-tfczR3370GXBZMIL-bdpu4hOU
+     */
+    npmAvatar?: string;
+};
+export type Publisher = Omit<Maintainer, "url"> & {
+    /**
+     * First version published.
+     */
+    version: string;
+    /**
+     * Date of the first publication
+     * @example 2021-08-10T20:45:08.342Z
+     */
+    at: string;
+};
+export interface DependencyLinks {
+    /** NPM Registry page */
+    npm: string;
+    /** Homepage URL */
+    homepage?: string;
+    /** VCS repository URL */
+    repository?: string;
+}
+export interface Engines {
+    node?: string;
+    npm?: string;
+}
+export interface Repository {
+    type: string;
+    url: string;
+}
+export interface DependencyVersion {
+    /** Id of the package (useful for usedBy relation) */
+    id: number;
+    isDevDependency: boolean;
+    /**
+     * Tell if the given package exist on the configured remote registry (npm by default)
+     * @default true
+     */
+    existOnRemoteRegistry: boolean;
+    /** By whom (id) is used the package */
+    usedBy: Record<string, string>;
+    /** Size on disk of the extracted tarball (in bytes) */
+    size: number;
+    /** Count of dependencies */
+    dependencyCount: number;
+    /** Package description */
+    description: string;
+    /** Author of the package. This information is not trustable and can be empty. */
+    author: Maintainer | null;
+    engines: Engines;
+    repository?: Repository;
+    scripts: Record<string, string>;
+    /**
+     * JS-X-Ray warnings
+     *
+     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
+     */
+    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
+    alias: Record<string, string>;
+    /** Tarball composition (files and dependencies) */
+    composition: {
+        /** Files extensions (.js, .md, .exe etc..) */
+        extensions: string[];
+        files: string[];
+        /** Minified files (foo.min.js etc..) */
+        minified: string[];
+        required_files: string[];
+        required_thirdparty: string[];
+        required_nodejs: string[];
+        required_subpath: string[];
+        unused: string[];
+        missing: string[];
+    };
+    /**
+     * All Licenses with their SPDX conformance
+     */
+    licenses: SpdxFileLicenseConformance[];
+    uniqueLicenseIds: string[];
+    /**
+     * Flags (Array of string)
+     *
+     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
+     */
+    flags: string[];
+    /**
+     * If the dependency is a GIT repository
+     */
+    gitUrl: null | string;
+    /**
+     * Version MD5 integrity hash
+     * Generated by the scanner to verify manifest/tarball confusion
+     *
+     * (Not supported on GIT dependency)
+     */
+    integrity?: string;
+    links?: DependencyLinks;
+}
+export interface Dependency {
+    /** NPM Registry metadata */
+    metadata: {
+        /** Number of releases published on npm */
+        publishedCount: number;
+        lastUpdateAt: Date;
+        /** Last version SemVer */
+        lastVersion: string;
+        hasChangedAuthor: boolean;
+        hasManyPublishers: boolean;
+        hasReceivedUpdateInOneYear: boolean;
+        /** Author of the package. This information is not trustable and can be empty. */
+        author: Maintainer | null;
+        /** Package home page */
+        homepage: string | null;
+        /**
+         * List of maintainers (list of people in the organization related to the package)
+         */
+        maintainers: Maintainer[];
+        /**
+         * List of people who published this package
+         */
+        publishers: Publisher[];
+        /**
+         * Version MD5 integrity hash
+         * Generated by the scanner to verify manifest/tarball confusion
+         */
+        integrity: Record<string, string>;
+    };
+    /** List of versions of this package available in the dependency tree (In the payload) */
+    versions: Record<string, DependencyVersion>;
+    /**
+     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
+     *
+     * @see https://github.com/NodeSecure/vuln
+     */
+    vulnerabilities: Vulnera.Strategy.StandardVulnerability[];
+}
+export type Dependencies = Record<string, Dependency>;
+export interface Payload {
+    /** Payload unique id */
+    id: string;
+    /** Name of the analyzed package */
+    rootDependencyName: string;
+    /** Global warnings list */
+    warnings: string[];
+    highlighted: {
+        contacts: IlluminatedContact[];
+    };
+    /** All the dependencies of the package (flattened) */
+    dependencies: Dependencies;
+    /** Version of the scanner used to generate the result */
+    scannerVersion: string;
+    /** Vulnerability strategy name (npm, snyk, node) */
+    vulnerabilityStrategy: Vulnera.Strategy.Kind;
+}
+export interface Options {
+    /**
+     * Maximum tree depth
+     *
+     * @default 4
+     */
+    readonly maxDepth?: number;
+    readonly registry?: string | URL;
+    /**
+     * Enables the use of Arborist for rapidly walking over the dependency tree.
+     * When enabled, it triggers different methods based on the presence of `node_modules`:
+     * - `loadActual()` if `node_modules` is available.
+     * - `loadVirtual()` otherwise.
+     *
+     * When disabled, it will iterate on all dependencies by using pacote
+     */
+    packageLock?: {
+        /**
+         * Fetches all manifests for additional metadata.
+         * This option is useful only when `usePackageLock` is enabled.
+         *
+         * @default false
+         */
+        fetchManifest?: boolean;
+        /**
+         * Specifies the location of the manifest file for Arborist.
+         * This is typically the path to the `package.json` file.
+         */
+        location: string;
+    };
+    highlight?: {
+        contacts: Contact[];
+    };
+    /**
+     * Include project devDependencies (only available for cwd command)
+     *
+     * @default false
+     */
+    readonly includeDevDeps?: boolean;
+    /**
+     * Vulnerability strategy name (npm, snyk, node)
+     *
+     * @default NONE
+     */
+    readonly vulnerabilityStrategy?: Vulnera.Strategy.Kind;
+    /**
+     * Analyze root package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly scanRootNode?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAC;AAC/C,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAE5C,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAErD,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG;IACjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAA;AAED,MAAM,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG;IAChD;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;CACZ,CAAA;AAED,MAAM,WAAW,eAAe;IAC9B,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,mBAAmB;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,EAAE,EAAE,MAAM,CAAC;IACX,eAAe,EAAE,OAAO,CAAC;IACzB;;;OAGG;IACH,qBAAqB,EAAE,OAAO,CAAC;IAC/B,uCAAuC;IACvC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,eAAe,EAAE,MAAM,CAAC;IACxB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC;;;;OAIG;IACH,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;IAClD,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,mDAAmD;IACnD,WAAW,EAAE;QACX,8CAA8C;QAC9C,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF;;OAEG;IACH,QAAQ,EAAE,0BAA0B,EAAE,CAAC;IACvC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B;;;;OAIG;IACH,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB;;OAEG;IACH,MAAM,EAAE,IAAI,GAAG,MAAM,CAAC;IACtB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,eAAe,CAAC;CACzB;AAED,MAAM,WAAW,UAAU;IACzB,4BAA4B;IAC5B,QAAQ,EAAE;QACR,0CAA0C;QAC1C,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,IAAI,CAAC;QACnB,0BAA0B;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,iBAAiB,EAAE,OAAO,CAAC;QAC3B,0BAA0B,EAAE,OAAO,CAAC;QACpC,iFAAiF;QACjF,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;QAC1B,wBAAwB;QACxB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB;;WAEG;QACH,WAAW,EAAE,UAAU,EAAE,CAAC;QAC1B;;WAEG;QACH,UAAU,EAAE,SAAS,EAAE,CAAC;QACxB;;;WAGG;QACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACnC,CAAA;IACD,yFAAyF;IACzF,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC5C;;;;OAIG;IACH,eAAe,EAAE,OAAO,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;CAC3D;AAED,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAEtD,MAAM,WAAW,OAAO;IACtB,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,mCAAmC;IACnC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,2BAA2B;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE;QACX,QAAQ,EAAE,kBAAkB,EAAE,CAAC;KAChC,CAAC;IACF,sDAAsD;IACtD,YAAY,EAAE,YAAY,CAAC;IAC3B,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,qBAAqB,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;CAC9C;AAED,MAAM,WAAW,OAAO;IACtB;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAE3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE;QACZ;;;;;WAKG;QACH,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB;;;WAGG;QACH,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IAEF,SAAS,CAAC,EAAE;QACV,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,CAAA;IAED;;;;OAIG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC;IAElC;;;;OAIG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;IAEvD;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;CACjC"}

package/dist/types.js

@@ -0,0 +1,4 @@
+// Import Third-party Dependencies
+import * as JSXRay from "@nodesecure/js-x-ray";
+import * as Vulnera from "@nodesecure/vuln";
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAC;AAC/C,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC"}

package/dist/utils/addMissingVersionFlags.d.ts

@@ -0,0 +1,3 @@
+import type { Dependency } from "../types.js";
+export declare function addMissingVersionFlags(flags: Set<string>, dep: Dependency): IterableIterator<string>;
+//# sourceMappingURL=addMissingVersionFlags.d.ts.map

package/dist/utils/addMissingVersionFlags.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"addMissingVersionFlags.d.ts","sourceRoot":"","sources":["../../src/utils/addMissingVersionFlags.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAG9C,wBAAiB,sBAAsB,CACrC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,EAClB,GAAG,EAAE,UAAU,GACd,gBAAgB,CAAC,MAAM,CAAC,CAmB1B"}

package/dist/utils/addMissingVersionFlags.js

@@ -0,0 +1,21 @@
+// TODO: add strict flags type
+export function* addMissingVersionFlags(flags, dep) {
+    const { metadata, vulnerabilities = [], versions } = dep;
+    const semverVersions = Object.keys(versions);
+    if (!metadata.hasReceivedUpdateInOneYear && flags.has("hasOutdatedDependency") && !flags.has("isDead")) {
+        yield "isDead";
+    }
+    if (metadata.hasManyPublishers && !flags.has("hasManyPublishers")) {
+        yield "hasManyPublishers";
+    }
+    if (metadata.hasChangedAuthor && !flags.has("hasChangedAuthor")) {
+        yield "hasChangedAuthor";
+    }
+    if (vulnerabilities.length > 0 && !flags.has("hasVulnerabilities")) {
+        yield "hasVulnerabilities";
+    }
+    if (semverVersions.length > 1 && !flags.has("hasDuplicate")) {
+        yield "hasDuplicate";
+    }
+}
+//# sourceMappingURL=addMissingVersionFlags.js.map

package/dist/utils/addMissingVersionFlags.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"addMissingVersionFlags.js","sourceRoot":"","sources":["../../src/utils/addMissingVersionFlags.ts"],"names":[],"mappings":"AAGA,8BAA8B;AAC9B,MAAM,SAAS,CAAC,CAAC,sBAAsB,CACrC,KAAkB,EAClB,GAAe;IAEf,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;IACzD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,CAAC,0BAA0B,IAAI,KAAK,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvG,MAAM,QAAQ,CAAC;IACjB,CAAC;IACD,IAAI,QAAQ,CAAC,iBAAiB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAClE,MAAM,mBAAmB,CAAC;IAC5B,CAAC;IACD,IAAI,QAAQ,CAAC,gBAAgB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAChE,MAAM,kBAAkB,CAAC;IAC3B,CAAC;IACD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACnE,MAAM,oBAAoB,CAAC;IAC7B,CAAC;IACD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5D,MAAM,cAAc,CAAC;IACvB,CAAC;AACH,CAAC"}

package/dist/utils/dirname.d.ts

@@ -0,0 +1,2 @@
+export declare function getDirNameFromUrl(url: string | URL): string;
+//# sourceMappingURL=dirname.d.ts.map

package/dist/utils/dirname.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dirname.d.ts","sourceRoot":"","sources":["../../src/utils/dirname.ts"],"names":[],"mappings":"AAIA,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,GAAG,MAAM,CAI3D"}

package/dist/utils/dirname.js

@@ -0,0 +1,8 @@
+// Import Node.js Dependencies
+import { fileURLToPath } from "node:url";
+import { dirname } from "node:path";
+export function getDirNameFromUrl(url) {
+    const __filename = fileURLToPath(url);
+    return dirname(__filename);
+}
+//# sourceMappingURL=dirname.js.map

package/dist/utils/dirname.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dirname.js","sourceRoot":"","sources":["../../src/utils/dirname.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,UAAU,iBAAiB,CAAC,GAAiB;IACjD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAEtC,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC;AAC7B,CAAC"}

package/dist/utils/getLinks.d.ts

@@ -0,0 +1,7 @@
+import type { PackumentVersion } from "@nodesecure/npm-types";
+export declare function getLinks(packumentVersion: PackumentVersion): {
+    npm: string;
+    homepage: string | null;
+    repository: string | null;
+};
+//# sourceMappingURL=getLinks.d.ts.map

package/dist/utils/getLinks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getLinks.d.ts","sourceRoot":"","sources":["../../src/utils/getLinks.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AA6B9D,wBAAgB,QAAQ,CACtB,gBAAgB,EAAE,gBAAgB;;;;EAcnC"}

package/dist/utils/getLinks.js

@@ -0,0 +1,32 @@
+// CONSTANTS
+const kVCSHosts = new Set(["github.com", "gitlab.com"]);
+function getVCSRepositoryURL(link) {
+    if (!link) {
+        return null;
+    }
+    try {
+        const url = new URL(link);
+        const { hostname, pathname } = url;
+        if (kVCSHosts.has(hostname) === false) {
+            return null;
+        }
+        const [owner, repo] = pathname.split("/").filter(Boolean).map((curr) => curr.replace(".git", ""));
+        return `https://${hostname}/${owner}/${repo}`;
+    }
+    catch {
+        return null;
+    }
+}
+export function getLinks(packumentVersion) {
+    const homepage = packumentVersion.homepage || null;
+    const repositoryUrl = typeof packumentVersion.repository === "string" ?
+        packumentVersion.repository :
+        packumentVersion.repository?.url ?? null;
+    return {
+        npm: `https://www.npmjs.com/package/${packumentVersion.name}/v/${packumentVersion.version}`,
+        homepage,
+        repository: getVCSRepositoryURL(homepage) ??
+            getVCSRepositoryURL(repositoryUrl)
+    };
+}
+//# sourceMappingURL=getLinks.js.map

package/dist/utils/getLinks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getLinks.js","sourceRoot":"","sources":["../../src/utils/getLinks.ts"],"names":[],"mappings":"AAGA,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC;AAExD,SAAS,mBAAmB,CAC1B,IAAmB;IAEnB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1B,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEnC,IAAI,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;QAElG,OAAO,WAAW,QAAQ,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,CAAC;QACL,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,gBAAkC;IAElC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,IAAI,IAAI,CAAC;IACnD,MAAM,aAAa,GAAG,OAAO,gBAAgB,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC;QACrE,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAC7B,gBAAgB,CAAC,UAAU,EAAE,GAAG,IAAI,IAAI,CAAC;IAE3C,OAAO;QACL,GAAG,EAAE,iCAAiC,gBAAgB,CAAC,IAAI,MAAM,gBAAgB,CAAC,OAAO,EAAE;QAC3F,QAAQ;QACR,UAAU,EACR,mBAAmB,CAAC,QAAQ,CAAC;YAC7B,mBAAmB,CAAC,aAAa,CAAC;KACrC,CAAC;AACJ,CAAC"}

package/dist/utils/index.d.ts

@@ -0,0 +1,11 @@
+export * from "./dirname.js";
+export * from "./warnings.js";
+export * from "./addMissingVersionFlags.js";
+export * from "./getLinks.js";
+export * from "./urlToString.js";
+export declare const NPM_TOKEN: {
+    token: string;
+} | {
+    token?: undefined;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC;AAC9B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,eAAe,CAAC;AAC9B,cAAc,kBAAkB,CAAC;AAEjC,eAAO,MAAM,SAAS;;;;CAElB,CAAC"}

package/dist/utils/index.js

@@ -0,0 +1,9 @@
+export * from "./dirname.js";
+export * from "./warnings.js";
+export * from "./addMissingVersionFlags.js";
+export * from "./getLinks.js";
+export * from "./urlToString.js";
+export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+    { token: process.env.NODE_SECURE_TOKEN } :
+    {};
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC;AAC9B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,eAAe,CAAC;AAC9B,cAAc,kBAAkB,CAAC;AAEjC,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC;IAC1E,EAAE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1C,EAAE,CAAC"}

package/dist/utils/urlToString.d.ts

@@ -0,0 +1,2 @@
+export declare function urlToString(uri: string | URL): string;
+//# sourceMappingURL=urlToString.d.ts.map

package/dist/utils/urlToString.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"urlToString.d.ts","sourceRoot":"","sources":["../../src/utils/urlToString.ts"],"names":[],"mappings":"AAAA,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,GAAG,GAAG,GAChB,MAAM,CAIR"}

package/dist/utils/urlToString.js

@@ -0,0 +1,6 @@
+export function urlToString(uri) {
+    return typeof uri === "string" ?
+        new URL(uri).toString() :
+        uri.toString();
+}
+//# sourceMappingURL=urlToString.js.map

package/dist/utils/urlToString.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"urlToString.js","sourceRoot":"","sources":["../../src/utils/urlToString.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,WAAW,CACzB,GAAiB;IAEjB,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC;QAC9B,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACzB,GAAG,CAAC,QAAQ,EAAE,CAAC;AACnB,CAAC"}

package/dist/utils/warnings.d.ts

@@ -0,0 +1,9 @@
+import { type IlluminatedContact } from "@nodesecure/contact";
+import type { Contact } from "@nodesecure/npm-types";
+import type { Dependency } from "../types.js";
+export interface GetWarningsResult {
+    warnings: string[];
+    illuminated: IlluminatedContact[];
+}
+export declare function getDependenciesWarnings(dependenciesMap: Map<string, Dependency>, highlightContacts?: Contact[]): Promise<GetWarningsResult>;
+//# sourceMappingURL=warnings.d.ts.map

package/dist/utils/warnings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAIrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAoB9C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,kBAAkB,EAAE,CAAC;CACnC;AAED,wBAAsB,uBAAuB,CAC3C,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,EACxC,iBAAiB,GAAE,OAAO,EAAO,GAChC,OAAO,CAAC,iBAAiB,CAAC,CAoC5B"}

package/dist/utils/warnings.js

@@ -0,0 +1,49 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// Import Third-party Dependencies
+import * as i18n from "@nodesecure/i18n";
+import * as RC from "@nodesecure/rc";
+import { ContactExtractor } from "@nodesecure/contact";
+// Import Internal Dependencies
+import { getDirNameFromUrl } from "./dirname.js";
+await i18n.extendFromSystemPath(path.join(getDirNameFromUrl(import.meta.url), "..", "i18n"));
+// CONSTANTS
+const kDetectedDep = i18n.taggedString `The dependency '${0}' has been detected in the dependency Tree.`;
+const kDefaultIlluminatedContacts = [
+    {
+        name: "marak",
+        email: "marak.squires@gmail.com"
+    }
+];
+const kDependencyWarnMessage = {
+    "@scarf/scarf": await i18n.getToken("scanner.disable_scarf"),
+    iohook: await i18n.getToken("scanner.keylogging")
+};
+export async function getDependenciesWarnings(dependenciesMap, highlightContacts = []) {
+    const vulnerableDependencyNames = Object.keys(kDependencyWarnMessage);
+    const warnings = vulnerableDependencyNames
+        .flatMap((name) => (dependenciesMap.has(name) ? `${kDetectedDep(name)} ${kDependencyWarnMessage[name]}` : []));
+    const dependencies = Object.create(null);
+    for (const [packageName, dependency] of dependenciesMap) {
+        const { author, maintainers } = dependency.metadata;
+        dependencies[packageName] = {
+            maintainers,
+            ...(author === null ? {} : { author })
+        };
+    }
+    const memoizedConfig = RC.memoized();
+    const extractor = new ContactExtractor({
+        highlight: [
+            ...highlightContacts,
+            ...(memoizedConfig === null ?
+                [] : (memoizedConfig.scanner?.highlight?.contacts ?? [])),
+            ...kDefaultIlluminatedContacts
+        ]
+    });
+    const illuminated = extractor.fromDependencies(dependencies);
+    return {
+        warnings,
+        illuminated
+    };
+}
+//# sourceMappingURL=warnings.js.map

package/dist/utils/warnings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"warnings.js","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AACzC,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EACL,gBAAgB,EAGjB,MAAM,qBAAqB,CAAC;AAG7B,+BAA+B;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,MAAM,IAAI,CAAC,oBAAoB,CAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAC5D,CAAC;AAEF,YAAY;AACZ,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA,mBAAmB,CAAC,6CAA6C,CAAC;AACxG,MAAM,2BAA2B,GAAc;IAC7C;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,yBAAyB;KACjC;CACF,CAAC;AAEF,MAAM,sBAAsB,GAAG;IAC7B,cAAc,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC;IAC5D,MAAM,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC;CACzC,CAAC;AAOX,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,eAAwC,EACxC,oBAA+B,EAAE;IAEjC,MAAM,yBAAyB,GAAG,MAAM,CAAC,IAAI,CAC3C,sBAAsB,CAC+B,CAAC;IAExD,MAAM,QAAQ,GAAG,yBAAyB;SACvC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEjH,MAAM,YAAY,GAAoD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1F,KAAK,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,IAAI,eAAe,EAAE,CAAC;QACxD,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC;QAEpD,YAAY,CAAC,WAAW,CAAC,GAAG;YAC1B,WAAW;YACX,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,gBAAgB,CAAC;QACrC,SAAS,EAAE;YACT,GAAG,iBAAiB;YACpB,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC;gBAC3B,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI,EAAE,CAAC,CACzD;YACD,GAAG,2BAA2B;SAC/B;KACF,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,SAAS,CAAC,gBAAgB,CAC5C,YAAY,CACb,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,25 +1,23 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "5.3.0",
+  "version": "6.0.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
-  "exports": "./index.js",
+  "type": "module",
+  "exports": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "scripts": {
+    "build": "tsc -b",
     "lint": "eslint src test",
-    "prepublishOnly": "pkg-ok",
-    "test": "npm run lint && npm run test-only",
-    "test:ci": "node --test test/**.spec.js test/**/*.spec.js",
-    "test-only": "glob -c \"node --test-reporter=spec --test\" \"./test/**/*.spec.js\"",
+    "prepublishOnly": "npm run build && pkg-ok",
+    "test": "npm run test-only",
+    "test-only": "glob -c \"tsx --test\" \"./test/**/*.spec.ts\"",
     "coverage": "c8 -r html npm run test-only"
   },
   "files": [
-    "src",
-    "i18n",
-    "types",
-    "index.js",
-    "index.d.ts"
+    "dist"
   ],
   "repository": {
     "type": "git",
@@ -48,38 +46,21 @@
   "bugs": {
     "url": "https://github.com/NodeSecure/scanner/issues"
   },
-  "homepage": "https://github.com/NodeSecure/scanner#readme",
-  "devDependencies": {
-    "@nodesecure/eslint-config": "^1.8.0",
-    "@slimio/is": "^2.0.0",
-    "@types/node": "^20.10.0",
-    "c8": "^8.0.1",
-    "dotenv": "^16.3.1",
-    "eslint": "8.37.0",
-    "get-folder-size": "^4.0.0",
-    "glob": "^10.3.10",
-    "pkg-ok": "^3.0.0",
-    "sinon": "^17.0.1",
-    "snap-shot-core": "^10.2.4"
-  },
+  "homepage": "https://github.com/NodeSecure/tree/master/workspaces/scanner#readme",
   "dependencies": {
-    "@nodesecure/authors": "^1.0.2",
+    "@nodesecure/conformance": "^1.0.0",
     "@nodesecure/flags": "^2.4.0",
-    "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^3.5.0",
-    "@nodesecure/js-x-ray": "^6.3.0",
-    "@nodesecure/npm-registry-sdk": "^2.0.0",
-    "@nodesecure/ntlp": "^2.2.1",
+    "@nodesecure/i18n": "^4.0.1",
+    "@nodesecure/js-x-ray": "^7.3.0",
+    "@nodesecure/mama": "^1.0.0",
+    "@nodesecure/npm-registry-sdk": "^3.0.0",
+    "@nodesecure/npm-types": "^1.1.0",
+    "@nodesecure/rc": "^3.0.0",
+    "@nodesecure/tarball": "^1.0.0",
+    "@nodesecure/tree-walker": "^1.0.0",
     "@nodesecure/vuln": "^1.7.0",
-    "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^7.2.1",
-    "@slimio/lock": "^1.0.0",
-    "builtins": "^5.0.1",
-    "combine-async-iterators": "^2.1.0",
-    "itertools": "^2.1.2",
-    "lodash.difference": "^4.5.0",
-    "pacote": "^17.0.4",
+    "@openally/mutex": "^1.0.0",
+    "pacote": "^18.0.6",
     "semver": "^7.5.4"
-  },
-  "type": "module"
+  }
 }

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2021 NodeSecure
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/i18n/english.js

@@ -1,6 +0,0 @@
-const scanner = {
-  disable_scarf: "This dependency could collect data against your consent so think to disable it with the env var: SCARF_ANALYTICS",
-  keylogging: "This dependency can retrieve your keyboard and mouse inputs. It can be used for 'keylogging' attacks/malwares."
-};
-
-export default { scanner };

package/i18n/french.js

@@ -1,7 +0,0 @@
-const scanner = {
-  disable_scarf: "Cette dépendance peut récolter des données contre votre volonté, pensez donc à la désactiver en fournissant la variable d'environnement SCARF_ANALYTICS",
-  keylogging: "Cette dépendance peut obtenir vos entrées clavier ou de souris. Cette dépendance peut être utilisée en tant que 'keylogging' attacks/malwares."
-};
-
-export default { scanner };
-

package/index.d.ts

@@ -1,14 +0,0 @@
-import Scanner from "./types/scanner.js";
-import { cwd, from, verify, ScannerLoggerEvents } from "./types/api.js";
-import { depWalker } from "./types/walker.js";
-import { Logger, LoggerEventData } from "./types/logger.js";
-import tarball from "./types/tarball.js";
-
-export {
-  cwd, from, verify, ScannerLoggerEvents,
-  Scanner,
-  Logger,
-  LoggerEventData,
-  tarball,
-  depWalker
-}