@nodesecure/tarball 1.0.0

package/README.md

@@ -0,0 +1,80 @@
+<p align="center"><h1 align="center">
+  @nodesecure/tarball
+</h1>
+
+<p align="center">
+  Utilities to extract and deeply analyze NPM tarball
+</p>
+
+## Requirements
+- [Node.js](https://nodejs.org/en/) v20 or higher
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/tarball
+# or
+$ yarn add @nodesecure/tarball
+```
+
+## Usage example
+
+```ts
+import * as tarball from "@nodesecure/tarball";
+
+const scanResult = await tarball.scanPackage(
+  process.cwd()
+);
+console.log(scanResult);
+```
+
+> [!NOTE]
+> This package has been designed to be used by the Scanner package/workspace.
+
+## API
+
+### scanDirOrArchive
+
+Method created for Scanner (to be refactored soon)
+
+```ts
+export interface scanDirOrArchiveOptions {
+  ref: DependencyRef;
+  location?: string;
+  tmpLocation?: null | string;
+  locker: Locker;
+  registry: string;
+}
+```
+
+### scanPackage(dest: string, packageName?: string): Promise< ScannedPackageResult > 
+
+Scan a given tarball archive or a local project.
+
+```ts
+interface ScannedPackageResult {
+  files: {
+    /** Complete list of files for the given package */
+    list: string[];
+    /** Complete list of extensions (.js, .md etc.) */
+    extensions: string[];
+    /** List of minified javascript files */
+    minified: string[];
+  };
+  /** Size of the directory in bytes */
+  directorySize: number;
+  /** Unique license contained in the tarball (MIT, ISC ..) */
+  uniqueLicenseIds: string[];
+  /** All licenses with their SPDX */
+  licenses: ntlp.SpdxLicenseConformance[];
+  ast: {
+    dependencies: Record<string, Record<string, Dependency>>;
+    warnings: Warning[];
+  };
+}
+```
+
+## License
+MIT

package/dist/constants.d.ts

@@ -0,0 +1,10 @@
+export declare const NPM_TOKEN: {
+    token: string;
+} | {
+    token?: undefined;
+};
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+export declare const UNSAFE_SCRIPTS: Set<string>;
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,SAAS;;;;CAElB,CAAC;AAEL;;GAEG;AACH,eAAO,MAAM,cAAc,aAMzB,CAAC"}

package/dist/constants.js

@@ -0,0 +1,14 @@
+export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+    { token: process.env.NODE_SECURE_TOKEN } :
+    {};
+/**
+ * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
+ */
+export const UNSAFE_SCRIPTS = new Set([
+    "install",
+    "preinstall",
+    "postinstall",
+    "preuninstall",
+    "postuninstall"
+]);
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC;IAC1E,EAAE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1C,EAAE,CAAC;AAEL;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IACpC,SAAS;IACT,YAAY;IACZ,aAAa;IACb,cAAc;IACd,eAAe;CAChB,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./tarball.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,2 @@
+export * from "./tarball.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC"}

package/dist/manifest.d.ts

@@ -0,0 +1,18 @@
+import type { PackageJSON } from "@nodesecure/npm-types";
+export declare function read(location: string): Promise<PackageJSON>;
+export declare function readAnalyze(location: string): Promise<{
+    author: import("@nodesecure/utils").ParsedMaintainer | null;
+    description: string;
+    engines: Record<string, string>;
+    repository: {};
+    scripts: Record<string, string>;
+    hasScript: boolean;
+    packageDeps: string[];
+    packageDevDeps: string[];
+    nodejs: {
+        imports: Record<`#${string}`, string | import("@nodesecure/npm-types").NodeImport>;
+    };
+    hasNativeElements: boolean;
+    integrity: string;
+}>;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAazD,wBAAsB,IAAI,CACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,WAAW,CAAC,CAOtB;AAED,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM;;;;;;;;;;;;;;GAsDjD"}

package/dist/manifest.js

@@ -0,0 +1,55 @@
+// Import Node.js Dependencies
+import fs from "node:fs/promises";
+import path from "node:path";
+import crypto from "node:crypto";
+import { parseAuthor } from "@nodesecure/utils";
+// Import Internal Dependencies
+import { UNSAFE_SCRIPTS } from "./constants.js";
+// CONSTANTS
+// PR welcome to contribute to this list!
+const kNativeNpmPackages = new Set([
+    "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
+]);
+const kNodemodulesBinPrefix = "node_modules/.bin/";
+export async function read(location) {
+    const packageStr = await fs.readFile(path.join(location, "package.json"), "utf-8");
+    return JSON.parse(packageStr);
+}
+export async function readAnalyze(location) {
+    const { name, version, description = "", author = {}, scripts = {}, dependencies = {}, devDependencies = {}, gypfile = false, engines = {}, repository = {}, imports = {}, license = "" } = await read(location);
+    for (const [scriptName, scriptValue] of Object.entries(scripts)) {
+        if (scriptValue.startsWith(kNodemodulesBinPrefix)) {
+            scripts[scriptName] = scriptValue.replaceAll(kNodemodulesBinPrefix, "");
+        }
+    }
+    const integrityObj = {
+        name,
+        version,
+        dependencies,
+        license,
+        scripts
+    };
+    const integrity = crypto
+        .createHash("sha256")
+        .update(JSON.stringify(integrityObj))
+        .digest("hex");
+    const packageDeps = Object.keys(dependencies);
+    const packageDevDeps = Object.keys(devDependencies);
+    const hasNativePackage = [...packageDevDeps, ...packageDeps]
+        .some((pkg) => kNativeNpmPackages.has(pkg));
+    return {
+        author: parseAuthor(author),
+        description,
+        engines,
+        repository,
+        scripts,
+        hasScript: Object.keys(scripts)
+            .some((value) => UNSAFE_SCRIPTS.has(value.toLowerCase())),
+        packageDeps,
+        packageDevDeps,
+        nodejs: { imports },
+        hasNativeElements: hasNativePackage || gypfile,
+        integrity
+    };
+}
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,aAAa,CAAC;AAIjC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,+BAA+B;AAC/B,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,YAAY;AACZ,yCAAyC;AACzC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB;CAC/D,CAAC,CAAC;AACH,MAAM,qBAAqB,GAAG,oBAAoB,CAAC;AAEnD,MAAM,CAAC,KAAK,UAAU,IAAI,CACxB,QAAgB;IAEhB,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,QAAQ,CAClC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,EACnC,OAAO,CACR,CAAC;IAEF,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAgB;IAChD,MAAM,EACJ,IAAI,EACJ,OAAO,EACP,WAAW,GAAG,EAAE,EAChB,MAAM,GAAG,EAAE,EACX,OAAO,GAAG,EAAE,EACZ,YAAY,GAAG,EAAE,EACjB,eAAe,GAAG,EAAE,EACpB,OAAO,GAAG,KAAK,EACf,OAAO,GAAG,EAAE,EACZ,UAAU,GAAG,EAAE,EACf,OAAO,GAAG,EAAE,EACZ,OAAO,GAAG,EAAE,EACb,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEzB,KAAK,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAChE,IAAI,WAAW,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YAClD,OAAO,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG;QACnB,IAAI;QACJ,OAAO;QACP,YAAY;QACZ,OAAO;QACP,OAAO;KACR,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM;SACrB,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;SACpC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9C,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACpD,MAAM,gBAAgB,GAAG,CAAC,GAAG,cAAc,EAAE,GAAG,WAAW,CAAC;SACzD,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9C,OAAO;QACL,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC;QAC3B,WAAW;QACX,OAAO;QACP,UAAU;QACV,OAAO;QACP,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;aAC5B,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3D,WAAW;QACX,cAAc;QACd,MAAM,EAAE,EAAE,OAAO,EAAE;QACnB,iBAAiB,EAAE,gBAAgB,IAAI,OAAO;QAC9C,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/sast/file.d.ts

@@ -0,0 +1,14 @@
+import { type WarningName, type WarningDefault } from "@nodesecure/js-x-ray";
+export interface scanFileReport {
+    file: string;
+    warnings: (Omit<WarningDefault<WarningName>, "value"> & {
+        file: string;
+    })[];
+    isMinified: boolean;
+    tryDependencies: string[];
+    dependencies: string[];
+    filesDependencies: string[];
+}
+export declare function scanFile(destination: string, file: string, packageName: string): Promise<scanFileReport>;
+export declare function scanManyFiles(files: string[], destination: string, packageName: string): Promise<scanFileReport[]>;
+//# sourceMappingURL=file.d.ts.map

package/dist/sast/file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/sast/file.ts"],"names":[],"mappings":"AAIA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,cAAc,EACpB,MAAM,sBAAsB,CAAC;AAU9B,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;KAAE,CAAC,EAAE,CAAC;IAC7E,UAAU,EAAE,OAAO,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,cAAc,CAAC,CAoCzB;AAED,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,cAAc,EAAE,CAAC,CAU3B"}

package/dist/sast/file.js

@@ -0,0 +1,44 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// Import Third-party Dependencies
+import { AstAnalyser } from "@nodesecure/js-x-ray";
+// Import Internal Dependencies
+import { filterDependencyKind } from "../utils/index.js";
+// CONSTANTS
+const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
+export async function scanFile(destination, file, packageName) {
+    const result = await new AstAnalyser().analyseFile(path.join(destination, file), {
+        packageName
+    });
+    const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
+    if (result.ok) {
+        const { packages, files } = filterDependencyKind([...result.dependencies.keys()], path.dirname(file));
+        const tryDependencies = [...result.dependencies.entries()]
+            .flatMap(([name, dependency]) => (dependency.inTry ? [name] : []));
+        return {
+            file,
+            warnings,
+            isMinified: result.isMinified,
+            tryDependencies,
+            dependencies: packages,
+            filesDependencies: files
+        };
+    }
+    return {
+        file,
+        warnings,
+        isMinified: false,
+        tryDependencies: [],
+        dependencies: [],
+        filesDependencies: []
+    };
+}
+export async function scanManyFiles(files, destination, packageName) {
+    const scannedFiles = await Promise.allSettled(files
+        .filter((fileName) => kJsExtname.has(path.extname(fileName)))
+        .map((file) => scanFile(destination, file, packageName)));
+    return scannedFiles
+        .filter((result) => result.status === "fulfilled")
+        .map((result) => result.value);
+}
+//# sourceMappingURL=file.js.map

package/dist/sast/file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.js","sourceRoot":"","sources":["../../src/sast/file.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EACL,WAAW,EAGZ,MAAM,sBAAsB,CAAC;AAE9B,+BAA+B;AAC/B,OAAO,EACL,oBAAoB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,YAAY;AACZ,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAWpD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,IAAY,EACZ,WAAmB;IAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,WAAW,EAAE,CAAC,WAAW,CAChD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAC5B;QACE,WAAW;KACZ,CACF,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAClF,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,oBAAoB,CAC9C,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,EAC/B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CACnB,CAAC;QAEF,MAAM,eAAe,GAAG,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;aACvD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAErE,OAAO;YACL,IAAI;YACJ,QAAQ;YACR,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,eAAe;YACf,YAAY,EAAE,QAAQ;YACtB,iBAAiB,EAAE,KAAK;SACzB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI;QACJ,QAAQ;QACR,UAAU,EAAE,KAAK;QACjB,eAAe,EAAE,EAAE;QACnB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,EAAE;KACtB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAe,EACf,WAAmB,EACnB,WAAmB;IAEnB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,UAAU,CAC3C,KAAK;SACF,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;SAC5D,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAC3D,CAAC;IAEF,OAAO,YAAY;SAChB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC;SACjD,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC"}

package/dist/sast/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./file.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/sast/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sast/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/sast/index.js

@@ -0,0 +1,2 @@
+export * from "./file.js";
+//# sourceMappingURL=index.js.map

package/dist/sast/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sast/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/tarball.d.ts

@@ -0,0 +1,60 @@
+import { type Warning, type Dependency } from "@nodesecure/js-x-ray";
+import * as conformance from "@nodesecure/conformance";
+export interface DependencyRef {
+    id: number;
+    usedBy: Record<string, string>;
+    isDevDependency: boolean;
+    existOnRemoteRegistry: boolean;
+    flags: string[];
+    description: string;
+    size: number;
+    author: Record<string, any>;
+    engines: Record<string, any>;
+    repository: any;
+    scripts: Record<string, string>;
+    warnings: any;
+    licenses: conformance.SpdxFileLicenseConformance[];
+    uniqueLicenseIds: string[];
+    gitUrl: string | null;
+    alias: Record<string, string>;
+    composition: {
+        extensions: string[];
+        files: string[];
+        minified: string[];
+        unused: string[];
+        missing: string[];
+        required_files: string[];
+        required_nodejs: string[];
+        required_thirdparty: string[];
+        required_subpath: Record<string, string>;
+    };
+}
+export interface scanDirOrArchiveOptions {
+    ref: DependencyRef;
+    location?: string;
+    tmpLocation?: null | string;
+    registry: string;
+}
+export declare function scanDirOrArchive(name: string, version: string, options: scanDirOrArchiveOptions): Promise<void>;
+export interface ScannedPackageResult {
+    files: {
+        /** Complete list of files for the given package */
+        list: string[];
+        /** Complete list of extensions (.js, .md etc.) */
+        extensions: string[];
+        /** List of minified javascript files */
+        minified: string[];
+    };
+    /** Size of the directory in bytes */
+    directorySize: number;
+    /** Unique license contained in the tarball (MIT, ISC ..) */
+    uniqueLicenseIds: string[];
+    /** All licenses with their SPDX */
+    licenses: conformance.SpdxFileLicenseConformance[];
+    ast: {
+        dependencies: Record<string, Record<string, Dependency>>;
+        warnings: Warning[];
+    };
+}
+export declare function scanPackage(dest: string, packageName?: string): Promise<ScannedPackageResult>;
+//# sourceMappingURL=tarball.d.ts.map

package/dist/tarball.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tarball.d.ts","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAKA,OAAO,EAEL,KAAK,OAAO,EACZ,KAAK,UAAU,EAChB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AAavD,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,UAAU,EAAE,GAAG,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,QAAQ,EAAE,GAAG,CAAC;IACd,QAAQ,EAAE,WAAW,CAAC,0BAA0B,EAAE,CAAC;IACnD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,WAAW,EAAE;QACX,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAA;CACF;AAWD,MAAM,WAAW,uBAAuB;IACtC,GAAG,EAAE,aAAa,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC;IAC5B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,uBAAuB,iBA+FjC;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE;QACL,mDAAmD;QACnD,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,kDAAkD;QAClD,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IACF,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,mCAAmC;IACnC,QAAQ,EAAE,WAAW,CAAC,0BAA0B,EAAE,CAAC;IACnD,GAAG,EAAE;QACH,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;QACzD,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,CAAC;CACH;AAED,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,oBAAoB,CAAC,CAkD/B"}

package/dist/tarball.js

@@ -0,0 +1,123 @@
+// Import Node.js Dependencies
+import path from "node:path";
+import os from "node:os";
+// Import Third-party Dependencies
+import { AstAnalyser } from "@nodesecure/js-x-ray";
+import pacote from "pacote";
+import * as conformance from "@nodesecure/conformance";
+import { ManifestManager } from "@nodesecure/mama";
+// Import Internal Dependencies
+import { getTarballComposition, isSensitiveFile, analyzeDependencies, booleanToFlags } from "./utils/index.js";
+import * as warnings from "./warnings.js";
+import * as sast from "./sast/index.js";
+// CONSTANTS
+const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+    { token: process.env.NODE_SECURE_TOKEN } :
+    {};
+const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
+const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
+export async function scanDirOrArchive(name, version, options) {
+    const { ref, location = process.cwd(), tmpLocation = null, registry } = options;
+    const isNpmTarball = !(tmpLocation === null);
+    const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
+    // If this is an NPM tarball then we extract it on the disk with pacote.
+    if (isNpmTarball) {
+        await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
+            ...NPM_TOKEN,
+            registry,
+            cache: `${os.homedir()}/.npm`
+        });
+    }
+    // Read the package.json at the root of the directory or archive.
+    const [mama, composition, spdx] = await Promise.all([
+        ManifestManager.fromPackageJSON(dest),
+        getTarballComposition(dest),
+        conformance.extractLicenses(dest)
+    ]);
+    {
+        const { description, engines, repository, scripts } = mama.document;
+        Object.assign(ref, {
+            description, engines, repository, scripts,
+            author: mama.author,
+            integrity: mama.integrity
+        });
+    }
+    ref.licenses = spdx.licenses;
+    ref.uniqueLicenseIds = spdx.uniqueLicenseIds;
+    // Get the composition of the (extracted) directory
+    if (composition.files.length === 1 && composition.files.includes("package.json")) {
+        ref.warnings.push(warnings.getEmptyPackageWarning());
+    }
+    // Search for minified and runtime dependencies
+    // Run a JS-X-Ray analysis on each JavaScript files of the project!
+    const scannedFiles = await sast.scanManyFiles(composition.files, dest, name);
+    ref.warnings.push(...scannedFiles.flatMap((row) => row.warnings));
+    if (/^0(\.\d+)*$/.test(version)) {
+        ref.warnings.push(warnings.getSemVerWarning(version));
+    }
+    const dependencies = [...new Set(scannedFiles.flatMap((row) => row.dependencies))];
+    const filesDependencies = [...new Set(scannedFiles.flatMap((row) => row.filesDependencies))];
+    const tryDependencies = new Set(scannedFiles.flatMap((row) => row.tryDependencies));
+    const minifiedFiles = scannedFiles.filter((row) => row.isMinified).flatMap((row) => row.file);
+    const { nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags } = analyzeDependencies(dependencies, { mama, tryDependencies });
+    ref.size = composition.size;
+    ref.composition.extensions.push(...composition.ext);
+    ref.composition.files.push(...composition.files);
+    ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.required_subpath = subpathImportsDependencies;
+    ref.composition.unused.push(...unusedDependencies);
+    ref.composition.missing.push(...missingDependencies);
+    ref.composition.required_files = filesDependencies;
+    ref.composition.required_nodejs = nodeDependencies;
+    ref.composition.minified = minifiedFiles;
+    ref.flags.push(...booleanToFlags({
+        ...flags,
+        hasNoLicense: spdx.uniqueLicenseIds.length === 0,
+        hasMultipleLicenses: spdx.uniqueLicenseIds.length > 1,
+        hasMinifiedCode: minifiedFiles.length > 0,
+        hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
+        hasBannedFile: composition.files.some((path) => isSensitiveFile(path)),
+        hasNativeCode: mama.flags.isNative ||
+            composition.files.some((file) => kNativeCodeExtensions.has(path.extname(file))),
+        hasScript: mama.flags.hasUnsafeScripts
+    }));
+}
+export async function scanPackage(dest, packageName) {
+    const [mama, composition, spdx] = await Promise.all([
+        ManifestManager.fromPackageJSON(dest),
+        getTarballComposition(dest),
+        conformance.extractLicenses(dest)
+    ]);
+    const { type = "script" } = mama.document;
+    // Search for runtime dependencies
+    const dependencies = Object.create(null);
+    const minified = [];
+    const warnings = [];
+    const JSFiles = composition.files
+        .filter((name) => kJsExtname.has(path.extname(name)));
+    for (const file of JSFiles) {
+        const result = await new AstAnalyser().analyseFile(path.join(dest, file), {
+            packageName: packageName ?? mama.document.name,
+            module: type === "module"
+        });
+        warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
+        if (result.ok) {
+            dependencies[file] = Object.fromEntries(result.dependencies);
+            if (result.isMinified) {
+                minified.push(file);
+            }
+        }
+    }
+    return {
+        files: {
+            list: composition.files,
+            extensions: [...composition.ext],
+            minified
+        },
+        directorySize: composition.size,
+        uniqueLicenseIds: spdx.uniqueLicenseIds,
+        licenses: spdx.licenses,
+        ast: { dependencies, warnings }
+    };
+}
+//# sourceMappingURL=tarball.js.map

package/dist/tarball.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tarball.js","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,kCAAkC;AAClC,OAAO,EACL,WAAW,EAGZ,MAAM,sBAAsB,CAAC;AAC9B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,+BAA+B;AAC/B,OAAO,EACL,qBAAqB,EACrB,eAAe,EACf,mBAAmB,EACnB,cAAc,EACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AAiCxC,YAAY;AACZ,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC;IACnE,EAAE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1C,EAAE,CAAC;AAEL,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACpF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AASpD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY,EACZ,OAAe,EACf,OAAgC;IAEhC,MAAM,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,GAAG,IAAI,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAEhF,MAAM,YAAY,GAAG,CAAC,CAAC,WAAW,KAAK,IAAI,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAEpF,wEAAwE;IACxE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,MAAM,CAAC,OAAO,CAClB,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,EAChE,IAAI,EACJ;YACE,GAAG,SAAS;YACZ,QAAQ;YACR,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO;SAC9B,CACF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,MAAM,CACJ,IAAI,EACJ,WAAW,EACX,IAAI,CACL,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpB,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC;QACrC,qBAAqB,CAAC,IAAI,CAAC;QAC3B,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IAEH,CAAC;QACC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACpE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE;YACjB,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO;YACzC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IACD,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC7B,GAAG,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAE7C,mDAAmD;IACnD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACjF,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,+CAA+C;IAC/C,mEAAmE;IACnE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAE7E,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClE,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnF,MAAM,iBAAiB,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC;IACpF,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAE9F,MAAM,EACJ,gBAAgB,EAChB,sBAAsB,EACtB,0BAA0B,EAC1B,mBAAmB,EACnB,kBAAkB,EAClB,KAAK,EACN,GAAG,mBAAmB,CACrB,YAAY,EACZ,EAAE,IAAI,EAAE,eAAe,EAAE,CAC1B,CAAC;IAEF,GAAG,CAAC,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC;IAC5B,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACpD,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACjD,GAAG,CAAC,WAAW,CAAC,mBAAmB,GAAG,sBAAsB,CAAC;IAC7D,GAAG,CAAC,WAAW,CAAC,gBAAgB,GAAG,0BAA0B,CAAC;IAC9D,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,CAAC;IACnD,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,CAAC;IACrD,GAAG,CAAC,WAAW,CAAC,cAAc,GAAG,iBAAiB,CAAC;IACnD,GAAG,CAAC,WAAW,CAAC,eAAe,GAAG,gBAAgB,CAAC;IACnD,GAAG,CAAC,WAAW,CAAC,QAAQ,GAAG,aAAa,CAAC;IAEzC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC;QAC/B,GAAG,KAAK;QACR,YAAY,EAAE,IAAI,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAChD,mBAAmB,EAAE,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;QACrD,eAAe,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC;QACzC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC1E,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACtE,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ;YAChC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACjF,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,gBAAgB;KACvC,CAAC,CAAC,CAAC;AACN,CAAC;AAuBD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,WAAoB;IAEpB,MAAM,CACJ,IAAI,EACJ,WAAW,EACX,IAAI,CACL,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpB,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC;QACrC,qBAAqB,CAAC,IAAI,CAAC;QAC3B,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IACH,MAAM,EAAE,IAAI,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;IAE1C,kCAAkC;IAClC,MAAM,YAAY,GAA+C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK;SAC9B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxD,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,WAAW,EAAE,CAAC,WAAW,CAChD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,EACrB;YACE,WAAW,EAAE,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI;YAC9C,MAAM,EAAE,IAAI,KAAK,QAAQ;SAC1B,CACF,CAAC;QAEF,QAAQ,CAAC,IAAI,CACX,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACpE,CAAC;QACF,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;YACd,YAAY,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE;YACL,IAAI,EAAE,WAAW,CAAC,KAAK;YACvB,UAAU,EAAE,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC;YAChC,QAAQ;SACT;QACD,aAAa,EAAE,WAAW,CAAC,IAAI;QAC/B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,GAAG,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE;KAChC,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,31 @@
+import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
+export interface DependencyRef {
+    id: number;
+    usedBy: Record<string, string>;
+    isDevDependency: boolean;
+    existOnRemoteRegistry: boolean;
+    flags: string[];
+    description: string;
+    size: number;
+    author: Record<string, any>;
+    engines: Record<string, any>;
+    repository: any;
+    scripts: Record<string, string>;
+    warnings: any;
+    licenses: SpdxFileLicenseConformance[];
+    uniqueLicenseIds: string[];
+    gitUrl: string | null;
+    alias: Record<string, string>;
+    composition: {
+        extensions: string[];
+        files: string[];
+        minified: string[];
+        unused: string[];
+        missing: string[];
+        required_files: string[];
+        required_nodejs: string[];
+        required_thirdparty: string[];
+        required_subpath: Record<string, string>;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAE1E,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,UAAU,EAAE,GAAG,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,QAAQ,EAAE,GAAG,CAAC;IACd,QAAQ,EAAE,0BAA0B,EAAE,CAAC;IACvC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,WAAW,EAAE;QACX,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAA;CACF"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/utils/analyzeDependencies.d.ts

@@ -0,0 +1,19 @@
+import { ManifestManager } from "@nodesecure/mama";
+export declare const builtins: Set<string>;
+export interface analyzeDependenciesOptions {
+    mama: Pick<ManifestManager, "dependencies" | "devDependencies"> & Partial<Pick<ManifestManager, "nodejsImports">>;
+    tryDependencies: Set<string>;
+}
+export interface analyzeDependenciesResult {
+    nodeDependencies: string[];
+    thirdPartyDependencies: string[];
+    subpathImportsDependencies: Record<string, string>;
+    unusedDependencies: string[];
+    missingDependencies: string[];
+    flags: {
+        hasExternalCapacity: boolean;
+        hasMissingOrUnusedDependency: boolean;
+    };
+}
+export declare function analyzeDependencies(sourceDependencies: string[], options: analyzeDependenciesOptions): analyzeDependenciesResult;
+//# sourceMappingURL=analyzeDependencies.d.ts.map

package/dist/utils/analyzeDependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzeDependencies.d.ts","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAOnD,eAAO,MAAM,QAAQ,aA6CnB,CAAC;AAIH,MAAM,WAAW,0BAA0B;IACzC,IAAI,EACF,IAAI,CAAC,eAAe,EAAE,cAAc,GAAG,iBAAiB,CAAC,GACzD,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC,CAAC;IAClD,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,yBAAyB;IACxC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,0BAA0B,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,KAAK,EAAE;QACL,mBAAmB,EAAE,OAAO,CAAC;QAC7B,4BAA4B,EAAE,OAAO,CAAC;KACvC,CAAA;CACF;AAED,wBAAgB,mBAAmB,CACjC,kBAAkB,EAAE,MAAM,EAAE,EAC5B,OAAO,EAAE,0BAA0B,GAClC,yBAAyB,CA8C3B"}

package/dist/utils/analyzeDependencies.js

@@ -0,0 +1,109 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// Import Third-party Dependencies
+import { ManifestManager } from "@nodesecure/mama";
+// Import Internal Dependencies
+import { getPackageName } from "./getPackageName.js";
+// CONSTANTS
+export const builtins = new Set([
+    "assert",
+    "buffer",
+    "child_process",
+    "cluster",
+    "console",
+    "constants",
+    "crypto",
+    "dgram",
+    "dns",
+    "domain",
+    "events",
+    "fs",
+    "http",
+    "https",
+    "module",
+    "net",
+    "os",
+    "path",
+    "punycode",
+    "querystring",
+    "readline",
+    "repl",
+    "stream",
+    "string_decoder",
+    "sys",
+    "timers",
+    "tls",
+    "tty",
+    "url",
+    "util",
+    "vm",
+    "zlib",
+    "freelist",
+    "v8",
+    "process",
+    "inspector",
+    "async_hooks",
+    "http2",
+    "perf_hooks",
+    "trace_events",
+    "worker_threads",
+    "node:test",
+    "wasi",
+    "diagnostics_channel"
+]);
+const kExternalModules = new Set(["http", "https", "net", "http2", "dgram", "child_process"]);
+export function analyzeDependencies(sourceDependencies, options) {
+    const { mama, tryDependencies } = options;
+    const { dependencies, devDependencies, nodejsImports = {} } = mama;
+    // See: https://nodejs.org/api/packages.html#subpath-imports
+    const subpathImportsDependencies = Object.fromEntries(sourceDependencies
+        .filter((name) => isAliasFileModule(name) && name in nodejsImports)
+        .map((name) => buildSubpathDependency(name, nodejsImports)));
+    const thirdPartyDependenciesAliased = new Set(Object.values(subpathImportsDependencies).filter((mod) => !isFile(mod)));
+    const thirdPartyDependencies = sourceDependencies.flatMap((sourceName) => {
+        const name = dependencies.includes(sourceName) ? sourceName : getPackageName(sourceName);
+        return isFile(name) ||
+            isCoreModule(name) ||
+            devDependencies.includes(name) ||
+            tryDependencies.has(name) ?
+            [] : name;
+    });
+    const unusedDependencies = difference(dependencies.filter((name) => !name.startsWith("@types")), [...thirdPartyDependencies, ...thirdPartyDependenciesAliased]);
+    const missingDependencies = [
+        ...new Set(difference(thirdPartyDependencies, dependencies))
+    ]
+        .filter((name) => !(name in nodejsImports) && !thirdPartyDependenciesAliased.has(name));
+    const nodeDependencies = sourceDependencies.filter((name) => isCoreModule(name));
+    return {
+        nodeDependencies,
+        thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
+        subpathImportsDependencies,
+        unusedDependencies,
+        missingDependencies,
+        flags: {
+            hasExternalCapacity: nodeDependencies.some((depName) => kExternalModules.has(depName)),
+            hasMissingOrUnusedDependency: unusedDependencies.length > 0 || missingDependencies.length > 0
+        }
+    };
+}
+function difference(arr1, arr2) {
+    return arr1.filter((item) => !arr2.includes(item));
+}
+function isFile(name) {
+    return name.startsWith(".") || path.extname(name) !== "";
+}
+function isCoreModule(moduleName) {
+    const cleanModuleName = moduleName.startsWith("node:") ? moduleName.slice(5) : moduleName;
+    // Note: We need to also check moduleName because builtins package only return true for 'node:test'.
+    return builtins.has(cleanModuleName) || builtins.has(moduleName);
+}
+function isAliasFileModule(moduleName) {
+    return moduleName.charAt(0) === "#";
+}
+function buildSubpathDependency(alias, nodeImports) {
+    const importEntry = nodeImports[alias];
+    return typeof importEntry === "string" ?
+        [alias, importEntry] :
+        [alias, "node" in importEntry ? importEntry.node : importEntry.default];
+}
+//# sourceMappingURL=analyzeDependencies.js.map

package/dist/utils/analyzeDependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzeDependencies.js","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGnD,+BAA+B;AAC/B,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,YAAY;AACZ,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IAC9B,QAAQ;IACR,QAAQ;IACR,eAAe;IACf,SAAS;IACT,SAAS;IACT,WAAW;IACX,QAAQ;IACR,OAAO;IACP,KAAK;IACL,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,OAAO;IACP,QAAQ;IACR,KAAK;IACL,IAAI;IACJ,MAAM;IACN,UAAU;IACV,aAAa;IACb,UAAU;IACV,MAAM;IACN,QAAQ;IACR,gBAAgB;IAChB,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,IAAI;IACJ,MAAM;IACN,UAAU;IACV,IAAI;IACJ,SAAS;IACT,WAAW;IACX,aAAa;IACb,OAAO;IACP,YAAY;IACZ,cAAc;IACd,gBAAgB;IAChB,WAAW;IACX,MAAM;IACN,qBAAqB;CACtB,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC;AAqB9F,MAAM,UAAU,mBAAmB,CACjC,kBAA4B,EAC5B,OAAmC;IAEnC,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IAC1C,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC;IAEnE,4DAA4D;IAC5D,MAAM,0BAA0B,GAAG,MAAM,CAAC,WAAW,CACnD,kBAAkB;SACf,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,aAAa,CAAC;SAClE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACF,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAC3C,MAAM,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CACxE,CAAC;IAEF,MAAM,sBAAsB,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;QACvE,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEzF,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,YAAY,CAAC,IAAI,CAAC;YAClB,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC;YAC9B,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3B,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,kBAAkB,GAAG,UAAU,CACnC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,EACzD,CAAC,GAAG,sBAAsB,EAAE,GAAG,6BAA6B,CAAC,CAC9D,CAAC;IACF,MAAM,mBAAmB,GAAG;QAC1B,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,EAAE,YAAY,CAAC,CAAC;KAC7D;SACE,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAClG,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;IAEjF,OAAO;QACL,gBAAgB;QAChB,sBAAsB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC,CAAC;QAC5D,0BAA0B;QAC1B,kBAAkB;QAClB,mBAAmB;QAEnB,KAAK,EAAE;YACL,mBAAmB,EAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACtF,4BAA4B,EAAE,kBAAkB,CAAC,MAAM,GAAG,CAAC,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC;SAC9F;KACF,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAI,IAAS,EAAE,IAAS;IACzC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,MAAM,CACb,IAAY;IAEZ,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;AAC3D,CAAC;AAED,SAAS,YAAY,CACnB,UAAkB;IAElB,MAAM,eAAe,GAAG,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAE1F,oGAAoG;IACpG,OAAO,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,iBAAiB,CACxB,UAAkB;IAElB,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC;AACtC,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAa,EACb,WAAgD;IAEhD,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAE,CAAC;IAExC,OAAO,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC;QACtC,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;QACtB,CAAC,KAAK,EAAE,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AAC5E,CAAC"}

package/dist/utils/booleanToFlags.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @example
+ * console.log(...booleanToFlags({ hasScript: true })); // "hasScript"
+ */
+export declare function booleanToFlags(flagsRecord: Record<string, boolean>): IterableIterator<string>;
+//# sourceMappingURL=booleanToFlags.d.ts.map

package/dist/utils/booleanToFlags.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"booleanToFlags.d.ts","sourceRoot":"","sources":["../../src/utils/booleanToFlags.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAiB,cAAc,CAC7B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,gBAAgB,CAAC,MAAM,CAAC,CAM1B"}

package/dist/utils/booleanToFlags.js

@@ -0,0 +1,12 @@
+/**
+ * @example
+ * console.log(...booleanToFlags({ hasScript: true })); // "hasScript"
+ */
+export function* booleanToFlags(flagsRecord) {
+    for (const [flagName, boolValue] of Object.entries(flagsRecord)) {
+        if (boolValue) {
+            yield flagName;
+        }
+    }
+}
+//# sourceMappingURL=booleanToFlags.js.map

package/dist/utils/booleanToFlags.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"booleanToFlags.js","sourceRoot":"","sources":["../../src/utils/booleanToFlags.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,SAAS,CAAC,CAAC,cAAc,CAC7B,WAAoC;IAEpC,KAAK,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,QAAQ,CAAC;QACjB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/utils/filterDependencyKind.d.ts

@@ -0,0 +1,8 @@
+/**
+ * @see https://nodejs.org/docs/latest/api/modules.html#file-modules
+ */
+export declare function filterDependencyKind(dependencies: string[], relativeFileLocation: string): {
+    packages: string[];
+    files: string[];
+};
+//# sourceMappingURL=filterDependencyKind.d.ts.map

package/dist/utils/filterDependencyKind.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"filterDependencyKind.d.ts","sourceRoot":"","sources":["../../src/utils/filterDependencyKind.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,YAAY,EAAE,MAAM,EAAE,EACtB,oBAAoB,EAAE,MAAM,GAC3B;IAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CA+BzC"}

package/dist/utils/filterDependencyKind.js

@@ -0,0 +1,36 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// CONSTANTS
+const kRelativeImportPath = new Set([".", "..", "./", "../"]);
+/**
+ * @see https://nodejs.org/docs/latest/api/modules.html#file-modules
+ */
+export function filterDependencyKind(dependencies, relativeFileLocation) {
+    const packages = [];
+    const files = [];
+    for (const moduleNameOrPath of dependencies) {
+        const firstChar = moduleNameOrPath.charAt(0);
+        /**
+         * @example
+         * require("..");
+         * require("/home/marco/foo.js");
+         */
+        if (firstChar === "." || firstChar === "/") {
+            // Note: condition only possible for CJS
+            if (kRelativeImportPath.has(moduleNameOrPath)) {
+                files.push(path.join(moduleNameOrPath, "index.js"));
+            }
+            else {
+                // Note: we are speculating that the extension is .js (but it could be .json or .node)
+                const fixedFileName = path.extname(moduleNameOrPath) === "" ?
+                    `${moduleNameOrPath}.js` : moduleNameOrPath;
+                files.push(path.join(relativeFileLocation, fixedFileName));
+            }
+        }
+        else {
+            packages.push(moduleNameOrPath);
+        }
+    }
+    return { packages, files };
+}
+//# sourceMappingURL=filterDependencyKind.js.map

package/dist/utils/filterDependencyKind.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"filterDependencyKind.js","sourceRoot":"","sources":["../../src/utils/filterDependencyKind.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,YAAY;AACZ,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,YAAsB,EACtB,oBAA4B;IAE5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,gBAAgB,IAAI,YAAY,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAE7C;;;;WAIG;QACH,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC;YAC3C,wCAAwC;YACxC,IAAI,mBAAmB,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC9C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC,CAAC;YACtD,CAAC;iBACI,CAAC;gBACJ,sFAAsF;gBACtF,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC;oBAC3D,GAAG,gBAAgB,KAAK,CAAC,CAAC,CAAC,gBAAgB,CAAC;gBAE9C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,aAAa,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;aACI,CAAC;YACJ,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC7B,CAAC"}

package/dist/utils/getPackageName.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @see https://github.com/npm/validate-npm-package-name#naming-rules
+ * @example
+ * getPackageName("foo"); // foo
+ * getPackageName("foo/bar"); // foo
+ * getPackageName("@org/bar"); // @org/bar
+ */
+export declare function getPackageName(name: string): string;
+//# sourceMappingURL=getPackageName.d.ts.map

package/dist/utils/getPackageName.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getPackageName.d.ts","sourceRoot":"","sources":["../../src/utils/getPackageName.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,GACX,MAAM,CAKR"}

package/dist/utils/getPackageName.js

@@ -0,0 +1,16 @@
+// CONSTANTS
+const kPackageSeparator = "/";
+const kPackageOrgSymbol = "@";
+/**
+ * @see https://github.com/npm/validate-npm-package-name#naming-rules
+ * @example
+ * getPackageName("foo"); // foo
+ * getPackageName("foo/bar"); // foo
+ * getPackageName("@org/bar"); // @org/bar
+ */
+export function getPackageName(name) {
+    const parts = name.split(kPackageSeparator);
+    // Note: only scoped package are allowed to start with @
+    return name.startsWith(kPackageOrgSymbol) ? `${parts[0]}/${parts[1]}` : parts[0];
+}
+//# sourceMappingURL=getPackageName.js.map

package/dist/utils/getPackageName.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getPackageName.js","sourceRoot":"","sources":["../../src/utils/getPackageName.ts"],"names":[],"mappings":"AAAA,YAAY;AACZ,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAE9B;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAY;IAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE5C,wDAAwD;IACxD,OAAO,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;AACpF,CAAC"}

package/dist/utils/getSemverWarning.d.ts

@@ -0,0 +1,3 @@
+import type { WarningDefault } from "@nodesecure/js-x-ray";
+export declare function getSemVerWarning(value: string): WarningDefault<"zero-semver">;
+//# sourceMappingURL=getSemverWarning.d.ts.map

package/dist/utils/getSemverWarning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSemverWarning.d.ts","sourceRoot":"","sources":["../../src/utils/getSemverWarning.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,GACZ,cAAc,CAAC,aAAa,CAAC,CAW/B"}

package/dist/utils/getSemverWarning.js

@@ -0,0 +1,13 @@
+export function getSemVerWarning(value) {
+    return {
+        kind: "zero-semver",
+        file: "package.json",
+        value,
+        location: null,
+        i18n: "sast_warnings.zeroSemVer",
+        severity: "Information",
+        source: "Scanner",
+        experimental: false
+    };
+}
+//# sourceMappingURL=getSemverWarning.js.map

package/dist/utils/getSemverWarning.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSemverWarning.js","sourceRoot":"","sources":["../../src/utils/getSemverWarning.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,gBAAgB,CAC9B,KAAa;IAEb,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,cAAc;QACpB,KAAK;QACL,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,aAAa;QACvB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,KAAK;KACpB,CAAC;AACJ,CAAC"}

package/dist/utils/getTarballComposition.d.ts

@@ -0,0 +1,7 @@
+export interface TarballComposition {
+    ext: Set<string>;
+    size: number;
+    files: string[];
+}
+export declare function getTarballComposition(tarballDir: string): Promise<TarballComposition>;
+//# sourceMappingURL=getTarballComposition.d.ts.map

package/dist/utils/getTarballComposition.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getTarballComposition.d.ts","sourceRoot":"","sources":["../../src/utils/getTarballComposition.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wBAAsB,qBAAqB,CACzC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,kBAAkB,CAAC,CA8B7B"}

package/dist/utils/getTarballComposition.js

@@ -0,0 +1,34 @@
+// Import Node.js Dependencies
+import { Stats, promises as fs } from "node:fs";
+import path from "node:path";
+// Import Third-party Dependencies
+import { walk } from "@nodesecure/fs-walk";
+export async function getTarballComposition(tarballDir) {
+    const ext = new Set();
+    const files = [];
+    const dirs = [];
+    let { size } = await fs.stat(tarballDir);
+    for await (const [dirent, file] of walk(tarballDir)) {
+        if (dirent.isFile()) {
+            ext.add(path.extname(file));
+            files.push(file);
+        }
+        else if (dirent.isDirectory()) {
+            dirs.push(file);
+        }
+    }
+    const sizeUnfilteredResult = await Promise.allSettled([
+        ...files.map((file) => fs.stat(file)),
+        ...dirs.map((file) => fs.stat(file))
+    ]);
+    const sizeAll = sizeUnfilteredResult
+        .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+        .map((promiseSettledResult) => promiseSettledResult.value);
+    size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
+    return {
+        ext,
+        size,
+        files: files.map((fileLocation) => path.relative(tarballDir, fileLocation)).sort()
+    };
+}
+//# sourceMappingURL=getTarballComposition.js.map

package/dist/utils/getTarballComposition.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getTarballComposition.js","sourceRoot":"","sources":["../../src/utils/getTarballComposition.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,KAAK,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAQ3C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,UAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEzC,IAAI,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACpD,IAAI,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;YACpB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;aACI,IAAI,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC;QACpD,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACrC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,oBAAoB;SACjC,MAAM,CAAC,CAAC,oBAAoB,EAAE,EAAE,CAAC,oBAAoB,CAAC,MAAM,KAAK,WAAW,CAAC;SAC7E,GAAG,CAAC,CAAC,oBAAoB,EAAE,EAAE,CAAE,oBAAsD,CAAC,KAAK,CAAC,CAAC;IAChG,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAE5D,OAAO;QACL,GAAG;QACH,IAAI;QACJ,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE;KACnF,CAAC;AACJ,CAAC"}

package/dist/utils/index.d.ts

@@ -0,0 +1,7 @@
+export * from "./analyzeDependencies.js";
+export * from "./booleanToFlags.js";
+export * from "./isSensitiveFile.js";
+export * from "./getPackageName.js";
+export * from "./getTarballComposition.js";
+export * from "./filterDependencyKind.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,qBAAqB,CAAC;AACpC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2BAA2B,CAAC"}

package/dist/utils/index.js

@@ -0,0 +1,7 @@
+export * from "./analyzeDependencies.js";
+export * from "./booleanToFlags.js";
+export * from "./isSensitiveFile.js";
+export * from "./getPackageName.js";
+export * from "./getTarballComposition.js";
+export * from "./filterDependencyKind.js";
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,qBAAqB,CAAC;AACpC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2BAA2B,CAAC"}

package/dist/utils/isSensitiveFile.d.ts

@@ -0,0 +1,5 @@
+/**
+ * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
+ */
+export declare function isSensitiveFile(fileName: string): boolean;
+//# sourceMappingURL=isSensitiveFile.d.ts.map

package/dist/utils/isSensitiveFile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSensitiveFile.d.ts","sourceRoot":"","sources":["../../src/utils/isSensitiveFile.ts"],"names":[],"mappings":"AAOA;;GAEG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,GACf,OAAO,CAGT"}

package/dist/utils/isSensitiveFile.js

@@ -0,0 +1,13 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// CONSTANTS
+const kSensitiveFileName = new Set([".npmrc", ".env"]);
+const kSensitiveFileExtension = new Set([".key", ".pem"]);
+/**
+ * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
+ */
+export function isSensitiveFile(fileName) {
+    return kSensitiveFileName.has(path.basename(fileName)) ||
+        kSensitiveFileExtension.has(path.extname(fileName));
+}
+//# sourceMappingURL=isSensitiveFile.js.map

package/dist/utils/isSensitiveFile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSensitiveFile.js","sourceRoot":"","sources":["../../src/utils/isSensitiveFile.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,YAAY;AACZ,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;AACvD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAE1D;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB;IAEhB,OAAO,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpD,uBAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/warnings.d.ts

@@ -0,0 +1,4 @@
+import type { WarningDefault } from "@nodesecure/js-x-ray";
+export declare function getSemVerWarning(value: string): WarningDefault<"zero-semver">;
+export declare function getEmptyPackageWarning(): WarningDefault<"empty-package">;
+//# sourceMappingURL=warnings.d.ts.map

package/dist/warnings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../src/warnings.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,GACZ,cAAc,CAAC,aAAa,CAAC,CAW/B;AAED,wBAAgB,sBAAsB,IAAI,cAAc,CAAC,eAAe,CAAC,CAWxE"}

package/dist/warnings.js

@@ -0,0 +1,25 @@
+export function getSemVerWarning(value) {
+    return {
+        kind: "zero-semver",
+        file: "package.json",
+        value,
+        location: null,
+        i18n: "sast_warnings.zeroSemVer",
+        severity: "Information",
+        source: "Scanner",
+        experimental: false
+    };
+}
+export function getEmptyPackageWarning() {
+    return {
+        kind: "empty-package",
+        file: "package.json",
+        value: "package.json",
+        location: null,
+        i18n: "sast_warnings.emptyPackage",
+        severity: "Critical",
+        source: "Scanner",
+        experimental: false
+    };
+}
+//# sourceMappingURL=warnings.js.map

package/dist/warnings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"warnings.js","sourceRoot":"","sources":["../src/warnings.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,gBAAgB,CAC9B,KAAa;IAEb,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,cAAc;QACpB,KAAK;QACL,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,aAAa;QACvB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,KAAK;KACpB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,cAAc;QACrB,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,KAAK;KACpB,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@nodesecure/tarball",
+  "version": "1.0.0",
+  "description": "NodeSecure tarball scanner",
+  "type": "module",
+  "exports": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -b",
+    "prepublishOnly": "npm run build",
+    "test-only": "glob -c \"tsx --test\" \"./test/**/*.spec.ts\"",
+    "test": "c8 -r html npm run test-only"
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "NodeSecure",
+    "tarball"
+  ],
+  "author": "GENTILHOMME Thomas <gentilhomme.thomas@gmail.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/NodeSecure/scanner.git"
+  },
+  "bugs": {
+    "url": "https://github.com/NodeSecure/scanner/issues"
+  },
+  "homepage": "https://github.com/NodeSecure/tree/master/workspaces/tarball#readme",
+  "dependencies": {
+    "@nodesecure/conformance": "^1.0.0",
+    "@nodesecure/fs-walk": "^2.0.0",
+    "@nodesecure/js-x-ray": "^7.3.0",
+    "@nodesecure/mama": "^1.0.0",
+    "@nodesecure/npm-types": "^1.1.0",
+    "@nodesecure/utils": "^2.1.0",
+    "pacote": "^18.0.6"
+  },
+  "devDependencies": {
+    "get-folder-size": "^5.0.0"
+  }
+}