@nodesecure/tree-walker 1.0.0

package/README.md

@@ -0,0 +1,128 @@
+<p align="center"><h1 align="center">
+  @nodesecure/tree-walker
+</h1>
+
+<p align="center">
+  Fetch and walk the dependency tree of a given manifest
+</p>
+
+## Requirements
+- [Node.js](https://nodejs.org/en/) v20 or higher
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/tree-walker
+# or
+$ yarn add @nodesecure/tree-walker
+```
+
+## Usage example
+
+```ts
+import os from "node:os";
+
+import pacote from "pacote";
+import { npm } from "@nodesecure/tree-walker";
+
+const manifest = await pacote.manifest("some-package@1.0.0", {
+  cache: `${os.homedir()}/.npm`
+});
+
+const treeWalker = new npm.TreeWalker();
+
+for await (const dependency of treeWalker.walk(manifest)) {
+  console.log(dependency);
+}
+```
+
+> [!NOTE]
+> This package has been designed to be used by the Scanner package/workspace.
+
+## API
+
+### npm.TreeWalker
+
+#### constructor(options?: TreeWalkerOptions)
+
+```ts
+import pacote from "pacote";
+import Arborist from "@npmcli/arborist";
+
+interface LocalDependencyTreeLoaderProvider {
+  load(
+    location: string,
+    registry?: string
+  ): Promise<Arborist.Node>;
+}
+
+interface PacoteProviderApi {
+  manifest(
+    spec: string,
+    opts?: pacote.Options
+  ): Promise<pacote.AbbreviatedManifest & pacote.ManifestResult>;
+}
+
+interface TreeWalkerOptions {
+  registry?: string;
+  providers?: {
+    pacote?: PacoteProviderApi;
+    localTreeLoader?: LocalDependencyTreeLoaderProvider;
+  }
+}
+```
+
+#### *walk(manifest: PackageJSON | ManifestVersion, options: WalkOptions): AsyncIterableIterator< DependencyJSON >
+
+The `walk` method processes package metadata from a given **package.json file** or a **Manifest** result from the [pacote](https://www.npmjs.com/package/pacote) library.
+
+The `options` parameter is described by the following TypeScript interface:
+
+```ts
+interface WalkOptions {
+  /**
+   * Specifies the maximum depth to traverse for each root dependency.
+   * For example, a value of 2 would mean only traversing dependencies and their immediate dependencies.
+   *
+   * @default Infinity
+   */
+  maxDepth?: number;
+
+  /**
+   * Includes development dependencies in the walk.
+   * Note that enabling this option can significantly increase processing time.
+   *
+   * @default false
+   */
+  includeDevDeps?: boolean;
+
+  /**
+   * Enables the use of Arborist for rapidly walking over the dependency tree.
+   * When enabled, it triggers different methods based on the presence of `node_modules`:
+   * - `loadActual()` if `node_modules` is available.
+   * - `loadVirtual()` otherwise.
+   *
+   * When disabled, it will iterate on all dependencies by using pacote
+   */
+  packageLock?: {
+    /**
+     * Fetches all manifests for additional metadata.
+     * This option is useful only when `usePackageLock` is enabled.
+     *
+     * @default false
+     */
+    fetchManifest?: boolean;
+
+    /**
+     * Specifies the location of the manifest file for Arborist.
+     * This is typically the path to the `package.json` file.
+     */
+    location: string;
+  };
+}
+```
+
+## License
+MIT

package/dist/Dependency.class.d.ts

@@ -0,0 +1,41 @@
+import * as JSXRay from "@nodesecure/js-x-ray";
+export type NpmSpec = `${string}@${string}`;
+export interface DependencyJSON {
+    id: number;
+    name: string;
+    version: string;
+    usedBy: Record<string, string>;
+    isDevDependency: boolean;
+    existOnRemoteRegistry: boolean;
+    flags: string[];
+    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
+    alias: Record<string, string>;
+    dependencyCount: number;
+    gitUrl: string | null;
+}
+export type DependencyOptions = {
+    parent?: Dependency;
+} & Partial<Omit<DependencyJSON, "id" | "name" | "version">>;
+export declare class Dependency {
+    #private;
+    static currentId: number;
+    name: string;
+    version: string;
+    dev: boolean;
+    existOnRemoteRegistry: boolean;
+    dependencyCount: number;
+    gitUrl: null | string;
+    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
+    alias: Record<string, string>;
+    constructor(name: string, version: string, options?: DependencyOptions);
+    addChildren(): void;
+    get spec(): NpmSpec;
+    get flags(): string[];
+    get parent(): {
+        [x: string]: string;
+    };
+    addFlag(flagName: string, predicate?: boolean): void;
+    isGit(url?: string): this;
+    exportAsPlainObject(customId?: number): DependencyJSON;
+}
+//# sourceMappingURL=Dependency.class.d.ts.map

package/dist/Dependency.class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Dependency.class.d.ts","sourceRoot":"","sources":["../src/Dependency.class.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAC;AAE/C,MAAM,MAAM,OAAO,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAE5C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;IAClD,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,GAAG,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;AAE7D,qBAAa,UAAU;;IACrB,MAAM,CAAC,SAAS,SAAK;IAEd,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,UAAS;IACZ,qBAAqB,UAAQ;IAC7B,eAAe,SAAK;IACpB,MAAM,EAAE,IAAI,GAAG,MAAM,CAAQ;IAC7B,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAM;IACvD,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAM;gBAMxC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,iBAAsB;IAcjC,WAAW;IAIX,IAAI,IAAI,IAAI,OAAO,CAElB;IAED,IAAI,KAAK,aAER;IAED,IAAI,MAAM;;MAET;IAED,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,UAAO;IAc1C,KAAK,CAAC,GAAG,CAAC,EAAE,MAAM;IASlB,mBAAmB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,cAAc;CAmBvD"}

package/dist/Dependency.class.js

@@ -0,0 +1,74 @@
+// Import Third-party Dependencies
+import * as JSXRay from "@nodesecure/js-x-ray";
+export class Dependency {
+    static currentId = 1;
+    name;
+    version;
+    dev = false;
+    existOnRemoteRegistry = true;
+    dependencyCount = 0;
+    gitUrl = null;
+    warnings = [];
+    alias = {};
+    #flags = new Set();
+    #parent = null;
+    constructor(name, version, options = {}) {
+        this.name = name;
+        this.version = version;
+        const { parent = null, ...props } = options;
+        if (parent !== null) {
+            parent.addChildren();
+        }
+        this.#parent = parent;
+        Object.assign(this, props);
+    }
+    addChildren() {
+        this.dependencyCount += 1;
+    }
+    get spec() {
+        return `${this.name}@${this.version}`;
+    }
+    get flags() {
+        return [...this.#flags];
+    }
+    get parent() {
+        return this.#parent === null ? {} : { [this.#parent.name]: this.#parent.version };
+    }
+    addFlag(flagName, predicate = true) {
+        if (typeof flagName !== "string") {
+            throw new TypeError("flagName argument must be typeof string");
+        }
+        if (predicate) {
+            if (flagName === "hasDependencies" && this.#parent !== null) {
+                this.#parent.addFlag("hasIndirectDependencies");
+            }
+            this.#flags.add(flagName);
+        }
+    }
+    isGit(url) {
+        this.#flags.add("isGit");
+        if (typeof url === "string") {
+            this.gitUrl = url;
+        }
+        return this;
+    }
+    exportAsPlainObject(customId) {
+        if (this.warnings.length > 0) {
+            this.addFlag("hasWarnings");
+        }
+        return {
+            id: typeof customId === "number" ? customId : Dependency.currentId++,
+            name: this.name,
+            version: this.version,
+            usedBy: this.parent,
+            isDevDependency: this.dev,
+            existOnRemoteRegistry: this.existOnRemoteRegistry,
+            flags: this.flags,
+            warnings: this.warnings,
+            dependencyCount: this.dependencyCount,
+            gitUrl: this.gitUrl,
+            alias: this.alias
+        };
+    }
+}
+//# sourceMappingURL=Dependency.class.js.map

package/dist/Dependency.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Dependency.class.js","sourceRoot":"","sources":["../src/Dependency.class.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAC;AAsB/C,MAAM,OAAO,UAAU;IACrB,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAEd,IAAI,CAAS;IACb,OAAO,CAAS;IAChB,GAAG,GAAG,KAAK,CAAC;IACZ,qBAAqB,GAAG,IAAI,CAAC;IAC7B,eAAe,GAAG,CAAC,CAAC;IACpB,MAAM,GAAkB,IAAI,CAAC;IAC7B,QAAQ,GAA4C,EAAE,CAAC;IACvD,KAAK,GAA2B,EAAE,CAAC;IAE1C,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3B,OAAO,GAAsB,IAAI,CAAC;IAElC,YACE,IAAY,EACZ,OAAe,EACf,UAA6B,EAAE;QAE/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;QAE5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QAEtB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,WAAW;QACT,IAAI,CAAC,eAAe,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI,IAAI;QACN,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IACxC,CAAC;IAED,IAAI,KAAK;QACP,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACpF,CAAC;IAED,OAAO,CAAC,QAAgB,EAAE,SAAS,GAAG,IAAI;QACxC,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,QAAQ,KAAK,iBAAiB,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;gBAC5D,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;YAClD,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACzB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mBAAmB,CAAC,QAAiB;QACnC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO;YACL,EAAE,EAAE,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,EAAE;YACpE,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,eAAe,EAAE,IAAI,CAAC,GAAG;YACzB,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;YACjD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;IACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export * as npm from "./npm/walker.js";
+export * from "./Dependency.class.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,iBAAiB,CAAC;AACvC,cAAc,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export * as npm from "./npm/walker.js";
+export * from "./Dependency.class.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,iBAAiB,CAAC;AACvC,cAAc,uBAAuB,CAAC"}

package/dist/npm/LocalDependencyTreeLoader.d.ts

@@ -0,0 +1,8 @@
+import Arborist from "@npmcli/arborist";
+export interface LocalDependencyTreeLoaderProvider {
+    load(location: string, registry?: string): Promise<Arborist.Node>;
+}
+export declare class LocalDependencyTreeLoader implements LocalDependencyTreeLoaderProvider {
+    load(location: string, registry?: string): Promise<Arborist.Node>;
+}
+//# sourceMappingURL=LocalDependencyTreeLoader.d.ts.map

package/dist/npm/LocalDependencyTreeLoader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalDependencyTreeLoader.d.ts","sourceRoot":"","sources":["../../src/npm/LocalDependencyTreeLoader.ts"],"names":[],"mappings":"AAQA,OAAO,QAAQ,MAAM,kBAAkB,CAAC;AAExC,MAAM,WAAW,iCAAiC;IAChD,IAAI,CACF,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,qBAAa,yBAA0B,YAAW,iCAAiC;IAC3E,IAAI,CACR,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;CAkB1B"}

package/dist/npm/LocalDependencyTreeLoader.js

@@ -0,0 +1,24 @@
+// Import Node.js Dependencies
+import path from "node:path";
+import fs from "node:fs/promises";
+// Import Internal Dependencies
+import * as utils from "../utils/index.js";
+// Import Third-party Dependencies
+import Arborist from "@npmcli/arborist";
+export class LocalDependencyTreeLoader {
+    async load(location, registry) {
+        const arb = new Arborist({
+            ...utils.NPM_TOKEN,
+            path: location,
+            registry
+        });
+        try {
+            await fs.access(path.join(location, "node_modules"));
+            return await arb.loadActual();
+        }
+        catch {
+            return arb.loadVirtual();
+        }
+    }
+}
+//# sourceMappingURL=LocalDependencyTreeLoader.js.map

package/dist/npm/LocalDependencyTreeLoader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalDependencyTreeLoader.js","sourceRoot":"","sources":["../../src/npm/LocalDependencyTreeLoader.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAElC,+BAA+B;AAC/B,OAAO,KAAK,KAAK,MAAM,mBAAmB,CAAC;AAE3C,kCAAkC;AAClC,OAAO,QAAQ,MAAM,kBAAkB,CAAC;AASxC,MAAM,OAAO,yBAAyB;IACpC,KAAK,CAAC,IAAI,CACR,QAAgB,EAChB,QAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC;YACvB,GAAG,KAAK,CAAC,SAAS;YAClB,IAAI,EAAE,QAAQ;YACd,QAAQ;SACT,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CACb,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CACpC,CAAC;YAEF,OAAO,MAAM,GAAG,CAAC,UAAU,EAAE,CAAC;QAChC,CAAC;QACD,MAAM,CAAC;YACL,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC;CACF"}

package/dist/npm/walker.d.ts

@@ -0,0 +1,69 @@
+import pacote from "pacote";
+import type { PackageJSON, ManifestVersion } from "@nodesecure/npm-types";
+import { type LocalDependencyTreeLoaderProvider } from "./LocalDependencyTreeLoader.js";
+import { type DependencyJSON, type NpmSpec } from "../Dependency.class.js";
+export interface PacoteProviderApi {
+    manifest(spec: string, opts?: pacote.Options): Promise<pacote.AbbreviatedManifest & pacote.ManifestResult>;
+    packument(spec: string, opts?: pacote.Options): Promise<pacote.AbbreviatedPackument & pacote.PackumentResult>;
+}
+export interface TreeWalkerOptions {
+    registry?: string;
+    providers?: {
+        pacote?: PacoteProviderApi;
+        localTreeLoader?: LocalDependencyTreeLoaderProvider;
+    };
+}
+export interface WalkOptions {
+    /**
+     * Specifies the maximum depth to traverse for each root dependency.
+     * For example, a value of 2 would mean only traversing dependencies and their immediate dependencies.
+     *
+     * @default Infinity
+     */
+    maxDepth?: number;
+    /**
+     * Includes development dependencies in the walk.
+     * Note that enabling this option can significantly increase processing time.
+     *
+     * @default false
+     */
+    includeDevDeps?: boolean;
+    /**
+     * Enables the use of Arborist for rapidly walking over the dependency tree.
+     * When enabled, it triggers different methods based on the presence of `node_modules`:
+     * - `loadActual()` if `node_modules` is available.
+     * - `loadVirtual()` otherwise.
+     *
+     * When disabled, it will iterate on all dependencies by using pacote
+     */
+    packageLock?: {
+        /**
+         * Fetches all manifests for additional metadata.
+         * This option is useful only when `usePackageLock` is enabled.
+         *
+         * @default false
+         */
+        fetchManifest?: boolean;
+        /**
+         * Specifies the location of the manifest file for Arborist.
+         * This is typically the path to the `package.json` file.
+         */
+        location: string;
+    };
+}
+export declare class TreeWalker {
+    /**
+     * A Map of Children Spec -> Parent Spec (as a unique list)
+     */
+    relationsMap: Map<NpmSpec, Set<NpmSpec>>;
+    registry: string;
+    private providers;
+    constructor(options?: TreeWalkerOptions);
+    private get registryOptions();
+    private addTreeRelation;
+    private resolveDependencyVersion;
+    private walkRemoteDependency;
+    private walkLocalDependency;
+    walk(manifest: PackageJSON | ManifestVersion, options?: WalkOptions): AsyncIterableIterator<DependencyJSON>;
+}
+//# sourceMappingURL=walker.d.ts.map

package/dist/npm/walker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"walker.d.ts","sourceRoot":"","sources":["../../src/npm/walker.ts"],"names":[],"mappings":"AAMA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAK5B,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAI1E,OAAO,EAEL,KAAK,iCAAiC,EACvC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,OAAO,EACb,MAAM,wBAAwB,CAAC;AAehC,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CACN,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,CAAC,OAAO,GACpB,OAAO,CAAC,MAAM,CAAC,mBAAmB,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;IAC/D,SAAS,CACP,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,CAAC,OAAO,GACpB,OAAO,CAAC,MAAM,CAAC,oBAAoB,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;CAClE;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE,iBAAiB,CAAC;QAC3B,eAAe,CAAC,EAAE,iCAAiC,CAAC;KACrD,CAAA;CACF;AAED,MAAM,WAAW,WAAW;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE;QACZ;;;;;WAKG;QACH,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB;;;WAGG;QACH,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,qBAAa,UAAU;IACrB;;OAEG;IACI,YAAY,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAa;IACrD,QAAQ,EAAE,MAAM,CAAC;IAExB,OAAO,CAAC,SAAS,CAGd;gBAGD,OAAO,GAAE,iBAAsB;IAQjC,OAAO,KAAK,eAAe,GAM1B;IAED,OAAO,CAAC,eAAe;YAaT,wBAAwB;YA2BvB,oBAAoB;YAqEpB,mBAAmB;IAqD3B,IAAI,CACT,QAAQ,EAAE,WAAW,GAAG,eAAe,EACvC,OAAO,GAAE,WAAgB,GACxB,qBAAqB,CAAC,cAAc,CAAC;CA8FzC"}

package/dist/npm/walker.js

@@ -0,0 +1,211 @@
+// Import Node.js Dependencies
+import os from "node:os";
+// Import Third-party Dependencies
+import * as iter from "itertools";
+import combineAsyncIterators from "combine-async-iterators";
+import pacote from "pacote";
+import Arborist from "@npmcli/arborist";
+// @ts-ignore
+import pickManifest from "npm-pick-manifest";
+import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
+// Import Internal Dependencies
+import * as utils from "../utils/index.js";
+import { LocalDependencyTreeLoader } from "./LocalDependencyTreeLoader.js";
+import { Dependency } from "../Dependency.class.js";
+export class TreeWalker {
+    /**
+     * A Map of Children Spec -> Parent Spec (as a unique list)
+     */
+    relationsMap = new Map();
+    registry;
+    providers = Object.seal({
+        pacote,
+        localTreeLoader: new LocalDependencyTreeLoader()
+    });
+    constructor(options = {}) {
+        const { providers = {} } = options;
+        this.registry = options?.registry ?? getNpmRegistryURL();
+        Object.assign(this.providers, providers);
+    }
+    get registryOptions() {
+        return {
+            ...utils.NPM_TOKEN,
+            registry: this.registry,
+            cache: `${os.homedir()}/.npm`
+        };
+    }
+    addTreeRelation(key, value) {
+        if (!this.relationsMap.has(key)) {
+            return;
+        }
+        this.relationsMap
+            .get(key)
+            .add(value);
+    }
+    async resolveDependencyVersion(dependency) {
+        const [dependencyName, range] = dependency;
+        try {
+            const packument = await this.providers.pacote.packument(dependencyName, this.registryOptions);
+            const manifest = pickManifest(packument, range);
+            return {
+                rangedSpec: `${dependencyName}@${range}`,
+                spec: `${dependencyName}@${manifest.version}`,
+                isLatest: manifest.version === packument["dist-tags"].latest
+            };
+        }
+        catch {
+            return {
+                rangedSpec: `${dependencyName}@${range}`,
+                spec: `${dependencyName}@${utils.cleanRange(range)}`,
+                isLatest: true
+            };
+        }
+    }
+    async *walkRemoteDependency(spec, options) {
+        const { currDepth = 1, parent, maxDepth, gitURL } = options;
+        const { name, version, deprecated, ...pkg } = await this.providers.pacote.manifest(gitURL ?? spec, this.registryOptions);
+        const { dependencies, customResolvers, alias } = utils.mergeDependencies(pkg);
+        const current = new Dependency(name, version, {
+            parent,
+            alias: Object.fromEntries(alias)
+        });
+        if (gitURL !== null) {
+            current.isGit(gitURL);
+            try {
+                await this.providers.pacote.manifest(`${name}@${version}`, this.registryOptions);
+            }
+            catch {
+                current.existOnRemoteRegistry = false;
+            }
+        }
+        current.addFlag("isDeprecated", deprecated === true);
+        current.addFlag("hasCustomResolver", customResolvers.size > 0);
+        current.addFlag("hasDependencies", dependencies.size > 0);
+        if (currDepth < maxDepth) {
+            const config = {
+                currDepth: currDepth + 1, parent: current, maxDepth
+            };
+            const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => utils.isGitDependency(valueStr));
+            for (const [depName, gitURL] of gitDependencies) {
+                yield* this.walkRemoteDependency(depName, { ...config, gitURL });
+            }
+            const resolvedDependencies = await Promise.all(iter.map(dependencies.entries(), this.resolveDependencyVersion.bind(this)));
+            for (const { rangedSpec, spec, isLatest } of resolvedDependencies) {
+                if (!isLatest) {
+                    current.addFlag("hasOutdatedDependency");
+                }
+                if (this.relationsMap.has(spec)) {
+                    current.addChildren();
+                    this.relationsMap.get(spec).add(current.spec);
+                }
+                else {
+                    this.relationsMap.set(spec, new Set([current.spec]));
+                    yield* this.walkRemoteDependency(rangedSpec, config);
+                }
+            }
+        }
+        yield current;
+    }
+    async *walkLocalDependency(packageName, node, options) {
+        const { parent, fetchManifest = false, includeDevDeps = false } = options;
+        const { version, integrity = node.integrity } = node.package;
+        const updatedVersion = version === "*" || typeof version === "undefined" ?
+            "latest" : version;
+        const current = new Dependency(packageName, updatedVersion, {
+            parent,
+            isDevDependency: node.dev
+        });
+        if (fetchManifest && !includeDevDeps) {
+            const { _integrity, ...pkg } = await this.providers.pacote.manifest(`${packageName}@${updatedVersion}`, this.registryOptions);
+            const { customResolvers, alias } = utils.mergeDependencies(pkg);
+            current.alias = Object.fromEntries(alias);
+            current.addFlag("hasValidIntegrity", _integrity === integrity);
+            current.addFlag("isDeprecated");
+            current.addFlag("hasCustomResolver", customResolvers.size > 0);
+            if (node.resolved && utils.isGitDependency(node.resolved)) {
+                current.isGit(node.resolved);
+            }
+        }
+        current.addFlag("hasDependencies", node.edgesOut.size > 0);
+        for (const [packageName, { to: toNode }] of node.edgesOut) {
+            if (toNode === null || (!includeDevDeps && toNode.dev)) {
+                continue;
+            }
+            const spec = `${packageName}@${toNode.package.version}`;
+            if (this.relationsMap.has(spec)) {
+                current.addChildren();
+                this.relationsMap.get(spec).add(current.spec);
+            }
+            else {
+                this.relationsMap.set(spec, new Set([current.spec]));
+                yield* this.walkLocalDependency(packageName, toNode, { parent: current });
+            }
+        }
+        yield current;
+    }
+    async *walk(manifest, options = {}) {
+        this.relationsMap.clear();
+        const { maxDepth = Infinity, packageLock = null, includeDevDeps = false } = options;
+        const { dependencies, customResolvers, alias } = utils.mergeDependencies(manifest);
+        const rootDependency = new Dependency(manifest.name, manifest.version, {
+            alias: Object.fromEntries(alias)
+        });
+        try {
+            await this.providers.pacote.manifest(`${manifest.name}@${manifest.version}`, this.registryOptions);
+        }
+        catch {
+            rootDependency.existOnRemoteRegistry = false;
+        }
+        rootDependency.addFlag("hasCustomResolver", customResolvers.size > 0);
+        rootDependency.addFlag("hasDependencies", dependencies.size > 0);
+        if (packageLock === null) {
+            const walkRemoteOptions = { maxDepth, parent: rootDependency };
+            const iterators = [
+                ...iter
+                    .filter(customResolvers.entries(), ([, version]) => utils.isGitDependency(version))
+                    .map(([name, gitURL]) => this.walkRemoteDependency(name, { ...walkRemoteOptions, gitURL })),
+                ...iter
+                    .map(dependencies.entries(), ([name, ver]) => this.walkRemoteDependency(`${name}@${ver}`, walkRemoteOptions))
+            ];
+            for await (const dep of combineAsyncIterators({}, ...iterators)) {
+                yield dep.exportAsPlainObject();
+            }
+            /**
+             * Add root dependencies to the relations Map because the parent is not handled by walkRemoteDependency.
+             * If we skip this step, the code will fail to properly re-link dependencies in the subsequent steps.
+             */
+            const resolvedDependencies = await Promise.all(iter.map(dependencies.entries(), this.resolveDependencyVersion.bind(this)));
+            for (const { spec, isLatest } of resolvedDependencies) {
+                if (!isLatest) {
+                    rootDependency.addFlag("hasOutdatedDependency");
+                }
+                this.addTreeRelation(spec, rootDependency.spec);
+            }
+        }
+        else {
+            const { location, ...packageLockOptions } = packageLock;
+            const { edgesOut } = await this.providers.localTreeLoader.load(location, this.registry);
+            const iterators = [
+                ...iter
+                    .filter(edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
+                    .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
+                    .map(([packageName, to]) => this.walkLocalDependency(packageName, to, {
+                    parent: rootDependency,
+                    includeDevDeps,
+                    ...packageLockOptions
+                }))
+            ];
+            for await (const dep of combineAsyncIterators({}, ...iterators)) {
+                yield dep.exportAsPlainObject();
+            }
+            for (const [packageName, { to: toNode }] of edgesOut) {
+                if (toNode === null || (!includeDevDeps && toNode.dev)) {
+                    continue;
+                }
+                this.addTreeRelation(`${packageName}@${toNode.package.version}`, rootDependency.spec);
+            }
+        }
+        yield rootDependency.exportAsPlainObject(0);
+    }
+}
+//# sourceMappingURL=walker.js.map

package/dist/npm/walker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"walker.js","sourceRoot":"","sources":["../../src/npm/walker.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,kCAAkC;AAClC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,qBAAqB,MAAM,yBAAyB,CAAC;AAC5D,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,QAAQ,MAAM,kBAAkB,CAAC;AACxC,aAAa;AACb,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAGjE,+BAA+B;AAC/B,OAAO,KAAK,KAAK,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EACL,yBAAyB,EAE1B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,UAAU,EAGX,MAAM,wBAAwB,CAAC;AA4EhC,MAAM,OAAO,UAAU;IACrB;;OAEG;IACI,YAAY,GAA+B,IAAI,GAAG,EAAE,CAAC;IACrD,QAAQ,CAAS;IAEhB,SAAS,GAAuD,MAAM,CAAC,IAAI,CAAC;QAClF,MAAM;QACN,eAAe,EAAE,IAAI,yBAAyB,EAAE;KACjD,CAAC,CAAC;IAEH,YACE,UAA6B,EAAE;QAE/B,MAAM,EAAE,SAAS,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;QACnC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QAEzD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC3C,CAAC;IAED,IAAY,eAAe;QACzB,OAAO;YACL,GAAG,KAAK,CAAC,SAAS;YAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO;SAC9B,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,GAAY,EACZ,KAAc;QAEd,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,IAAI,CAAC,YAAY;aACd,GAAG,CAAC,GAAG,CAAE;aACT,GAAG,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,wBAAwB,CACpC,UAAyC;QAEzC,MAAM,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CACrD,cAAc,EACd,IAAI,CAAC,eAAe,CACrB,CAAC;YACF,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,EAAE,KAAK,CAAoB,CAAC;YAEnE,OAAO;gBACL,UAAU,EAAE,GAAG,cAAc,IAAI,KAAK,EAAE;gBACxC,IAAI,EAAE,GAAG,cAAc,IAAI,QAAQ,CAAC,OAAO,EAAE;gBAC7C,QAAQ,EAAE,QAAQ,CAAC,OAAO,KAAK,SAAS,CAAC,WAAW,CAAC,CAAC,MAAM;aAC7D,CAAC;QACJ,CAAC;QACD,MAAM,CAAC;YACL,OAAO;gBACL,UAAU,EAAE,GAAG,cAAc,IAAI,KAAK,EAAE;gBACxC,IAAI,EAAE,GAAG,cAAc,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE;gBACpD,QAAQ,EAAE,IAAI;aACf,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAA,CAAE,oBAAoB,CACjC,IAAY,EACZ,OAA0B;QAE1B,MAAM,EAAE,SAAS,GAAG,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE5D,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAChF,MAAM,IAAI,IAAI,EACd,IAAI,CAAC,eAAe,CACrB,CAAC;QACF,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAE9E,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE;YAC5C,MAAM;YACN,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAClC,GAAG,IAAI,IAAI,OAAO,EAAE,EACpB,IAAI,CAAC,eAAe,CACrB,CAAC;YACJ,CAAC;YACD,MAAM,CAAC;gBACL,OAAO,CAAC,qBAAqB,GAAG,KAAK,CAAC;YACxC,CAAC;QACH,CAAC;QACD,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,UAAU,KAAK,IAAI,CAAC,CAAC;QACrD,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QAE1D,IAAI,SAAS,GAAG,QAAQ,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG;gBACb,SAAS,EAAE,SAAS,GAAG,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ;aACpD,CAAC;YAEF,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CACjC,eAAe,CAAC,OAAO,EAAE,EACzB,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,CAClD,CAAC;YACF,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChD,KAAK,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAC3E,CAAC;YACF,KAAK,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,oBAAoB,EAAE,CAAC;gBAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,OAAO,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;gBAC3C,CAAC;gBAED,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChC,OAAO,CAAC,WAAW,EAAE,CAAC;oBACtB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;qBACI,CAAC;oBACJ,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAErD,KAAK,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,CAAC;IAChB,CAAC;IAEO,KAAK,CAAA,CAAE,mBAAmB,CAChC,WAAmB,EACnB,IAAmB,EACnB,OAAyB;QAEzB,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,KAAK,EAAE,cAAc,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;QAC1E,MAAM,EAAE,OAAO,EAAE,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7D,MAAM,cAAc,GAAG,OAAO,KAAK,GAAG,IAAI,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC;YACxE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACrB,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,WAAW,EAAE,cAAc,EAAE;YAC1D,MAAM;YACN,eAAe,EAAE,IAAI,CAAC,GAAG;SAC1B,CAAC,CAAC;QAEH,IAAI,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;YACrC,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CACjE,GAAG,WAAW,IAAI,cAAc,EAAE,EAClC,IAAI,CAAC,eAAe,CACrB,CAAC;YACF,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAEhE,OAAO,CAAC,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC1C,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,UAAU,KAAK,SAAS,CAAC,CAAC;YAC/D,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YAChC,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;YAE/D,IAAI,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1D,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QAE3D,KAAK,MAAM,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1D,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,cAAc,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvD,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAY,GAAG,WAAW,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YAEjE,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,WAAW,EAAE,CAAC;gBACtB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjD,CAAC;iBACI,CAAC;gBACJ,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAErD,KAAK,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,MAAM,OAAO,CAAC;IAChB,CAAC;IAED,KAAK,CAAA,CAAE,IAAI,CACT,QAAuC,EACvC,UAAuB,EAAE;QAEzB,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,MAAM,EACJ,QAAQ,GAAG,QAAQ,EACnB,WAAW,GAAG,IAAI,EAClB,cAAc,GAAG,KAAK,EACvB,GAAG,OAAO,CAAC;QAEZ,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACnF,MAAM,cAAc,GAAG,IAAI,UAAU,CACnC,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,OAAO,EAChB;YACE,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC;SACjC,CACF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAClC,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,EACtC,IAAI,CAAC,eAAe,CACrB,CAAC;QACJ,CAAC;QACD,MAAM,CAAC;YACL,cAAc,CAAC,qBAAqB,GAAG,KAAK,CAAC;QAC/C,CAAC;QACD,cAAc,CAAC,OAAO,CAAC,mBAAmB,EAAE,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QACtE,cAAc,CAAC,OAAO,CAAC,iBAAiB,EAAE,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QAEjE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,iBAAiB,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;YAC/D,MAAM,SAAS,GAAG;gBAChB,GAAG,IAAI;qBACJ,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;qBAClF,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,EAAE,GAAG,iBAAiB,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7F,GAAG,IAAI;qBACJ,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,EAAE,iBAAiB,CAAC,CAAC;aAChH,CAAC;YAEF,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,qBAAqB,CAAC,EAAE,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC;gBAChE,MAAM,GAAG,CAAC,mBAAmB,EAAE,CAAC;YAClC,CAAC;YAED;;;eAGG;YACH,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAC3E,CAAC;YACF,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,oBAAoB,EAAE,CAAC;gBACtD,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,cAAc,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;gBAClD,CAAC;gBACD,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;aACI,CAAC;YACJ,MAAM,EAAE,QAAQ,EAAE,GAAG,kBAAkB,EAAE,GAAG,WAAW,CAAC;YAExD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,IAAI,CAC5D,QAAQ,EACR,IAAI,CAAC,QAAQ,CACd,CAAC;YAEF,MAAM,SAAS,GAAG;gBAChB,GAAG,IAAI;qBACJ,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;qBAChH,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAU,CAAC;qBACvF,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,EAAE,EAAE;oBACpE,MAAM,EAAE,cAAc;oBACtB,cAAc;oBACd,GAAG,kBAAkB;iBACtB,CAAC,CAAC;aACN,CAAC;YAEF,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,qBAAqB,CAAC,EAAE,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC;gBAChE,MAAM,GAAG,CAAC,mBAAmB,EAAE,CAAC;YAClC,CAAC;YAED,KAAK,MAAM,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACrD,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,cAAc,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvD,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,eAAe,CAClB,GAAG,WAAW,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAC1C,cAAc,CAAC,IAAI,CACpB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,cAAc,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;CACF"}

package/dist/utils/index.d.ts

@@ -0,0 +1,9 @@
+export declare const NPM_TOKEN: {
+    token: string;
+} | {
+    token?: undefined;
+};
+export * from "./mergeDependencies.js";
+export * from "./isGitDependency.js";
+export * from "./semver.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,SAAS;;;;CAElB,CAAC;AAEL,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,aAAa,CAAC"}

package/dist/utils/index.js

@@ -0,0 +1,8 @@
+// CONSTANTS
+export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+    { token: process.env.NODE_SECURE_TOKEN } :
+    {};
+export * from "./mergeDependencies.js";
+export * from "./isGitDependency.js";
+export * from "./semver.js";
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,YAAY;AACZ,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC;IAC1E,EAAE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1C,EAAE,CAAC;AAEL,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,aAAa,CAAC"}

package/dist/utils/isGitDependency.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @example isGitDependency("github:NodeSecure/scanner") // => true
+ * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
+ * @example isGitDependency(">=1.0.2 <2.1.2") // => false
+ * @example isGitDependency("http://asdf.com/asdf.tar.gz") // => false
+ * @param {string} version
+ * @returns {boolean}
+ */
+export declare function isGitDependency(version: string): boolean;
+//# sourceMappingURL=isGitDependency.d.ts.map

package/dist/utils/isGitDependency.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isGitDependency.d.ts","sourceRoot":"","sources":["../../src/utils/isGitDependency.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAExD"}

package/dist/utils/isGitDependency.js

@@ -0,0 +1,12 @@
+/**
+ * @example isGitDependency("github:NodeSecure/scanner") // => true
+ * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
+ * @example isGitDependency(">=1.0.2 <2.1.2") // => false
+ * @example isGitDependency("http://asdf.com/asdf.tar.gz") // => false
+ * @param {string} version
+ * @returns {boolean}
+ */
+export function isGitDependency(version) {
+    return /^git(:|\+|hub:)/.test(version);
+}
+//# sourceMappingURL=isGitDependency.js.map

package/dist/utils/isGitDependency.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isGitDependency.js","sourceRoot":"","sources":["../../src/utils/isGitDependency.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC"}

package/dist/utils/mergeDependencies.d.ts

@@ -0,0 +1,8 @@
+import type { PackageJSON } from "@nodesecure/npm-types";
+export type NpmDependency = "dependencies" | "devDependencies" | "optionalDependencies" | "peerDependencies" | "bundleDependencies" | "bundledDependencies";
+export declare function mergeDependencies(manifest: Partial<PackageJSON>, types?: NpmDependency[]): {
+    dependencies: Map<string, string>;
+    customResolvers: Map<string, string>;
+    alias: Map<string, string>;
+};
+//# sourceMappingURL=mergeDependencies.d.ts.map

package/dist/utils/mergeDependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mergeDependencies.d.ts","sourceRoot":"","sources":["../../src/utils/mergeDependencies.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD,MAAM,MAAM,aAAa,GACvB,cAAc,GACd,iBAAiB,GACjB,sBAAsB,GACtB,kBAAkB,GAClB,oBAAoB,GACpB,qBAAqB,CAAC;AAExB,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,EAC9B,KAAK,GAAE,aAAa,EAA8B;;;;EA+BnD"}

package/dist/utils/mergeDependencies.js

@@ -0,0 +1,27 @@
+export function mergeDependencies(manifest, types = ["dependencies"]) {
+    const dependencies = new Map();
+    const customResolvers = new Map();
+    const alias = new Map();
+    for (const fieldName of types) {
+        if (!(fieldName in manifest)) {
+            continue;
+        }
+        const dep = manifest[fieldName];
+        for (const [name, version] of Object.entries(dep)) {
+            /**
+             * Version can be file:, github:, git:, git+, ./...
+             * @see https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies
+             */
+            if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
+                customResolvers.set(name, version);
+                if (!version.startsWith("npm:")) {
+                    continue;
+                }
+                alias.set(name, version.slice(4));
+            }
+            dependencies.set(name, version);
+        }
+    }
+    return { dependencies, customResolvers, alias };
+}
+//# sourceMappingURL=mergeDependencies.js.map

package/dist/utils/mergeDependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mergeDependencies.js","sourceRoot":"","sources":["../../src/utils/mergeDependencies.ts"],"names":[],"mappings":"AAWA,MAAM,UAAU,iBAAiB,CAC/B,QAA8B,EAC9B,QAAyB,CAAC,cAAc,CAAU;IAElD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC/C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAClD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAExC,KAAK,MAAM,SAAS,IAAI,KAAK,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC,SAAS,IAAI,QAAQ,CAAC,EAAE,CAAC;YAC7B,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAA2B,CAAC;QAE1D,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAClD;;;eAGG;YACH,IAAI,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACnC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBAChC,SAAS;gBACX,CAAC;gBACD,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACpC,CAAC;YAED,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;AAClD,CAAC"}

package/dist/utils/semver.d.ts

@@ -0,0 +1,7 @@
+/**
+ * @example
+ * cleanRange(">=1.5.0"); // 1.5.0
+ * cleanRange("^2.0.0"); // 2.0.0
+ */
+export declare function cleanRange(version: string): string;
+//# sourceMappingURL=semver.d.ts.map

package/dist/utils/semver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.d.ts","sourceRoot":"","sources":["../../src/utils/semver.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,MAAM,GACd,MAAM,CAQR"}

package/dist/utils/semver.js

@@ -0,0 +1,14 @@
+/**
+ * @example
+ * cleanRange(">=1.5.0"); // 1.5.0
+ * cleanRange("^2.0.0"); // 2.0.0
+ */
+export function cleanRange(version) {
+    // TODO: how do we handle complicated range like pkg-name@1 || 2 or pkg-name@2.1.2 < 3
+    const firstChar = version.charAt(0);
+    if (firstChar === "^" || firstChar === "<" || firstChar === ">" || firstChar === "=" || firstChar === "~") {
+        return version.slice(version.charAt(1) === "=" ? 2 : 1);
+    }
+    return version;
+}
+//# sourceMappingURL=semver.js.map

package/dist/utils/semver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.js","sourceRoot":"","sources":["../../src/utils/semver.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,UAAU,UAAU,CACxB,OAAe;IAEf,sFAAsF;IACtF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC;QAC1G,OAAO,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@nodesecure/tree-walker",
+  "version": "1.0.0",
+  "description": "NodeSecure tree walker",
+  "type": "module",
+  "exports": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -b",
+    "prepublishOnly": "npm run build",
+    "test-only": "glob -c \"tsx --test\" \"./test/**/*.spec.ts\"",
+    "test": "c8 -r html npm run test-only"
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "NodeSecure",
+    "tree",
+    "walker"
+  ],
+  "author": "GENTILHOMME Thomas <gentilhomme.thomas@gmail.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/NodeSecure/scanner.git"
+  },
+  "bugs": {
+    "url": "https://github.com/NodeSecure/scanner/issues"
+  },
+  "homepage": "https://github.com/NodeSecure/tree/master/workspaces/tree-walker#readme",
+  "dependencies": {
+    "@nodesecure/js-x-ray": "^7.3.0",
+    "@nodesecure/npm-registry-sdk": "^3.0.0",
+    "@nodesecure/npm-types": "^1.1.0",
+    "@npmcli/arborist": "^7.5.1",
+    "combine-async-iterators": "^3.0.0",
+    "itertools": "^2.3.1",
+    "npm-pick-manifest": "^9.1.0",
+    "pacote": "^18.0.4",
+    "semver": "^7.6.0"
+  },
+  "devDependencies": {
+    "@types/npmcli__arborist": "^5.6.9"
+  }
+}