prscan 1.0.0

package/src/util/analyze.ts

@@ -0,0 +1,248 @@
+import * as t from "@babel/types";
+import { parse } from "@babel/parser";
+
+import _traverse, { type Visitor, type NodePath } from "@babel/traverse";
+
+// 使用 require 方式导入以获得正确的类型
+const traverse: (node: t.Node, visitor: Visitor) => void = _traverse.default as any;
+
+export type GlobalUsageMap = Record<string, "r" | "rw">;
+
+export const ECMAGlobals = [
+    "AggregateError",
+    "Array",
+    "ArrayBuffer",
+    "Atomics",
+    "BigInt",
+    "BigInt64Array",
+    "BigUint64Array",
+    "Boolean",
+    "DataView",
+    "Date",
+    "Error",
+    "EvalError",
+    "FinalizationRegistry",
+    "Float16Array",
+    "Float32Array",
+    "Float64Array",
+    "Function",
+    "Infinity",
+    "Int16Array",
+    "Int32Array",
+    "Int8Array",
+    "Intl",
+    "Iterator",
+    "JSON",
+    "Map",
+    "Math",
+    "NaN",
+    "Number",
+    "Object",
+    "Promise",
+    "Proxy",
+    "RangeError",
+    "ReferenceError",
+    "Reflect",
+    "RegExp",
+    "Set",
+    "SharedArrayBuffer",
+    "String",
+    "Symbol",
+    "SyntaxError",
+    "TypeError",
+    "Uint16Array",
+    "Uint32Array",
+    "Uint8Array",
+    "Uint8ClampedArray",
+    "URIError",
+    "WeakMap",
+    "WeakRef",
+    "WeakSet",
+    "decodeURI",
+    "decodeURIComponent",
+    "encodeURI",
+    "encodeURIComponent",
+    "escape",
+    // "eval",
+    "globalThis",
+    "isFinite",
+    "isNaN",
+    "parseFloat",
+    "parseInt",
+    "undefined",
+    "unescape",
+];
+
+class GVPool {
+    public globals: Map<string, "r" | "rw"> = new Map();
+
+    add(name: string, perm: "r" | "rw") {
+        // 不管控除eval以外的ECMA全局变量的读权限
+        if (ECMAGlobals.includes(name) && perm === "r") {
+            return;
+        }
+
+        if (this.globals.has(name)) {
+            if (perm === "rw") {
+                this.globals.set(name, "rw");
+            }
+        } else {
+            this.globals.set(name, perm);
+        }
+    }
+}
+
+export function analyzeGlobals(code: string): GlobalUsageMap {
+    const pool = new GVPool();
+
+    const ast = parse(code, {
+        sourceType: "unambiguous",
+    });
+
+    traverse(ast, {
+        MemberExpression(path: NodePath<t.MemberExpression>) {
+            let expr: string[] = [];
+            let node: t.MemberExpression = path.node;
+            let flag = true;
+            while (t.isMemberExpression(node)) {
+                if (t.isIdentifier(node.property) && !node.computed) {
+                    expr.unshift(node.property.name);
+                } else if (t.isStringLiteral(node.property)) {
+                    expr.unshift(node.property.value);
+                } else {
+                    flag = false;
+                    break;
+                }
+
+                if (t.isIdentifier(node.object)) {
+                    expr.unshift(node.object.name);
+                    break;
+                } else if (t.isMemberExpression(node.object)) {
+                    node = node.object;
+                } else {
+                    flag = false;
+                    break;
+                }
+            }
+
+            if (!flag) {
+                return;
+            }
+
+            // 处理 __webpack_require__.g.xxx 的情况, __webpack_require__.g 就是 globalThis
+            if (
+                expr.length >= 2 &&
+                expr[0] === "__webpack_require__" &&
+                expr[1] === "g"
+            ) {
+                expr = expr.slice(2);
+            }
+
+            const globalAlias = ["globalThis", "self", "window"];
+            let mustBeGlobal = false;
+            while (
+                expr.length > 0 &&
+                globalAlias.includes(expr[0]!) &&
+                !path.scope.hasBinding(expr[0]!, { noGlobals: true })
+            ) {
+                expr = expr.slice(1);
+                // 如果是globalThis/self/window开头的, 则一定是全局变量
+                mustBeGlobal = true;
+            }
+
+            if (
+                expr.length > 0 &&
+                (mustBeGlobal ||
+                    !path.scope.hasBinding(expr[0]!, { noGlobals: true })) &&
+                expr[0] !== "arguments"
+            ) {
+                pool.add(
+                    expr[0]!,
+
+                    t.isAssignmentExpression(path.parent) &&
+                        path.parent.left === path.node &&
+                        expr.length === 1
+                        ? "rw"
+                        : "r"
+                );
+            }
+
+            path.skip();
+        },
+        Identifier(path: NodePath<t.Identifier>) {
+            if (!path.scope.hasBinding(path.node.name, { noGlobals: true })) {
+                // 排除一些不算真正变量读取的场景
+                if (
+                    (t.isMemberExpression(path.parent) ||
+                        t.isOptionalMemberExpression(path.parent)) &&
+                    path.parent.property === path.node
+                ) {
+                    return;
+                } else if (
+                    t.isObjectProperty(path.parent) &&
+                    path.parent.key === path.node
+                ) {
+                    return;
+                } else if (
+                    (t.isLabeledStatement(path.parent) ||
+                        t.isBreakStatement(path.parent) ||
+                        t.isContinueStatement(path.parent)) &&
+                    path.parent.label === path.node
+                ) {
+                    return;
+                } else if (
+                    (t.isFunctionDeclaration(path.parent) ||
+                        t.isFunctionExpression(path.parent)) &&
+                    path.parent.id === path.node
+                ) {
+                    return;
+                } else if (
+                    t.isCatchClause(path.parent) &&
+                    path.parent.param === path.node
+                ) {
+                    return;
+                } else if (
+                    t.isFunction(path.parent) &&
+                    (path.parent.params.includes(path.node) ||
+                        (path.parent as any).id === path.node ||
+                        (path.parent as any).kind === path.node.name ||
+                        (path.parent as any).key === path.node)
+                ) {
+                    return;
+                } else if (t.isMetaProperty(path.parent)) {
+                    return;
+                } else if (
+                    t.isClassProperty(path.parent) &&
+                    path.parent.key === path.node
+                ) {
+                    return;
+                    // globalAlias默认可访问
+                } else if (
+                    path.node.name === "globalThis" ||
+                    path.node.name === "window" ||
+                    path.node.name === "self"
+                ) {
+                    return;
+                } else if (path.node.name === "arguments") {
+                    return;
+                }
+
+                pool.add(
+                    path.node.name,
+
+                    t.isAssignmentExpression(path.parent) &&
+                        path.parent.left === path.node
+                        ? "rw"
+                        : "r"
+                );
+            }
+        },
+    });
+
+    const obj: GlobalUsageMap = Object.create(null);
+    for (const [name, perm] of pool.globals.entries()) {
+        obj[name] = perm;
+    }
+
+    return obj;
+}

package/src/util/memory-archive.ts

@@ -0,0 +1,184 @@
+import tarStream from 'tar-stream';
+import gunzip from 'gunzip-maybe';
+import { Readable } from 'stream';
+import got from 'got';
+
+export interface ExtractedFile {
+    path: string;
+    content: Buffer;
+    size: number;
+    type: 'file' | 'directory' | 'symlink';
+    mode: number;
+    mtime: Date;
+}
+
+export interface ExtractionOptions {
+    /** 只解压匹配的文件路径 */
+    filter?: (path: string) => boolean;
+    /** 最大文件大小限制 (bytes) */
+    maxFileSize?: number;
+    /** 最大总解压大小限制 (bytes) */
+    maxTotalSize?: number;
+}
+
+/**
+ * 在内存中解压 .tar.gz Buffer
+ */
+export async function extractTarGzFromBuffer(
+    tarGzBuffer: Buffer,
+    options: ExtractionOptions = {}
+): Promise<ExtractedFile[]> {
+    const { filter, maxFileSize = 50 * 1024 * 1024, maxTotalSize = 500 * 1024 * 1024 } = options;
+    const files: ExtractedFile[] = [];
+    let totalSize = 0;
+    
+    return new Promise((resolve, reject) => {
+        const extract = tarStream.extract();
+        
+        extract.on('entry', (header, stream, next) => {
+            // 应用过滤器
+            if (filter && !filter(header.name)) {
+                stream.on('end', next);
+                stream.resume();
+                return;
+            }
+            
+            // 检查文件大小限制
+            if (header.size && header.size > maxFileSize) {
+                stream.on('end', next);
+                stream.resume();
+                console.warn(`File ${header.name} exceeds size limit, skipping`);
+                return;
+            }
+            
+            const chunks: Buffer[] = [];
+            let fileSize = 0;
+            
+            stream.on('data', (chunk: Buffer) => {
+                fileSize += chunk.length;
+                totalSize += chunk.length;
+                
+                // 检查总大小限制
+                if (totalSize > maxTotalSize) {
+                    reject(new Error('Total extraction size limit exceeded'));
+                    return;
+                }
+                
+                chunks.push(chunk);
+            });
+            
+            stream.on('end', () => {
+                if (header.type === 'file') {
+                    files.push({
+                        path: header.name,
+                        content: Buffer.concat(chunks),
+                        size: fileSize,
+                        type: 'file',
+                        mode: header.mode || 0,
+                        mtime: header.mtime || new Date()
+                    });
+                } else if (header.type === 'directory') {
+                    files.push({
+                        path: header.name,
+                        content: Buffer.alloc(0),
+                        size: 0,
+                        type: 'directory',
+                        mode: header.mode || 0,
+                        mtime: header.mtime || new Date()
+                    });
+                }
+                next();
+            });
+            
+            stream.on('error', reject);
+        });
+        
+        extract.on('finish', () => {
+            resolve(files);
+        });
+        
+        extract.on('error', reject);
+        
+        // 处理压缩流
+        Readable.from(tarGzBuffer)
+            .pipe(gunzip())
+            .pipe(extract);
+    });
+}
+
+
+/**
+ * 从URL下载并在内存中解压
+ */
+export async function extractTarGzFromUrl(
+    url: string,
+    options: ExtractionOptions = {}
+): Promise<ExtractedFile[]> {
+    const response = await got(url);
+    if (response.statusCode !== 200) {
+        throw new Error(`Failed to download: ${response.statusMessage}`);
+    }
+
+    const buffer = response.rawBody;
+    return extractTarGzFromBuffer(buffer, options);
+}
+
+/**
+ * 获取特定文件内容
+ */
+export async function getFileFromTarGz(
+    tarGzBuffer: Buffer,
+    filePath: string
+): Promise<Buffer | null> {
+    const files = await extractTarGzFromBuffer(tarGzBuffer, {
+        filter: (path) => path === filePath
+    });
+    
+    return files.length > 0 ? files[0]!.content : null;
+}
+
+/**
+ * 只获取文件列表，不提取内容
+ */
+export async function listTarGzContents(tarGzBuffer: Buffer): Promise<string[]> {
+    const fileList: string[] = [];
+    
+    return new Promise((resolve, reject) => {
+        const extract = tarStream.extract();
+        
+        extract.on('entry', (header, stream, next) => {
+            fileList.push(header.name);
+            stream.on('end', next);
+            stream.resume(); // 跳过内容读取
+        });
+        
+        extract.on('finish', () => {
+            resolve(fileList);
+        });
+        
+        extract.on('error', reject);
+        
+        Readable.from(tarGzBuffer)
+            .pipe(gunzip())
+            .pipe(extract);
+    });
+}
+
+/**
+ * 按文件扩展名过滤提取
+ */
+export async function extractByExtensions(
+    tarGzBuffer: Buffer,
+    extensions: string[]
+): Promise<ExtractedFile[]> {
+    const normalizedExts = extensions.map(ext => 
+        ext.startsWith('.') ? ext.toLowerCase() : `.${ext.toLowerCase()}`
+    );
+    
+    return extractTarGzFromBuffer(tarGzBuffer, {
+        filter: (path) => {
+            const ext = path.toLowerCase().substring(path.lastIndexOf('.'));
+            return normalizedExts.includes(ext);
+        }
+    });
+}

package/src/util/npm.ts

@@ -0,0 +1,100 @@
+import got from "got";
+
+export interface NpmPackageInfo {
+    _id: string;
+    _rev: string;
+    bugs: {
+        url: string;
+    };
+    description: string;
+    "dist-tags": {
+        latest: string;
+        beta: string;
+    };
+    homepage: string;
+    keywords: string[];
+    license: string;
+    name: string;
+    repository: {
+        type: string;
+        url: string;
+    };
+    time: Record<string, string>;
+    versions: Record<
+        string,
+        {
+            _id: string;
+            version: string;
+            name: string;
+            license: string;
+            keywords: string[];
+            homepage: string;
+            description: string;
+            dist: {
+                fileCount: number;
+                unpackedSize: number;
+                tarball: string;
+                shasum: string;
+                integrity: string;
+            };
+        }
+    >;
+}
+
+export interface NpmDownloadStats {
+    downloads: number;
+    start: string;
+    end: string;
+    package: string;
+}
+
+const maxRetries = 3;
+
+export async function getNpmPackageInfo(
+    packageName: string
+): Promise<NpmPackageInfo | null> {
+    for (let i = 0; i < maxRetries; i++) {
+        try {
+            const response = await got(
+                `https://registry.npmjs.org/${packageName}`
+            );
+
+            if (response.statusCode !== 200) {
+                throw new Error(
+                    `HTTP ${response.statusCode}: ${response.statusMessage}`
+                );
+            }
+
+            const packageData = JSON.parse(response.body) as NpmPackageInfo;
+            return packageData;
+        } catch (error) {
+            continue;
+        }
+    }
+    return null;
+}
+
+export async function getNpmPackageDownloadStats(
+    packageName: string,
+    period: "last-day" | "last-week" | "last-month" | "last-year" = "last-month"
+): Promise<NpmDownloadStats | null> {
+    for (let i = 0; i < maxRetries; i++) {
+        try {
+            const response = await got(
+                `https://api.npmjs.org/downloads/point/${period}/${packageName}`
+            );
+
+            if (response.statusCode !== 200) {
+                throw new Error(
+                    `HTTP ${response.statusCode}: ${response.statusMessage}`
+                );
+            }
+
+            const data = JSON.parse(response.body) as NpmDownloadStats;
+            return data || null;
+        } catch (error) {
+            continue;
+        }
+    }
+    return null;
+}

package/src/util/parse.ts

@@ -0,0 +1,103 @@
+import { parseSyml } from "@yarnpkg/parsers";
+import * as yaml from "js-yaml";
+
+abstract class LockParser {
+    abstract getDependencies(): Record<string, string[]>;
+    constructor(content: string) {}
+
+    public static deps2Set(deps: Record<string, string[]>): Set<string> {
+        const r = new Set<string>();
+        for (const key in deps) {
+            const versions = deps[key]!;
+            for (let i = 0; i < versions.length; i++) {
+                r.add(`${key}@${versions[i]}`);
+            }
+        }
+        return r;
+    }
+}
+
+export class PnpmLockParser extends LockParser {
+    private yaml: any;
+    constructor(content: string) {
+        super(content);
+        this.yaml = yaml.load(content) as any;
+    }
+
+    public getDependencies(): Record<string, string[]> {
+        const r: Record<string, string[]> = Object.create(null);
+        if (!this.yaml.packages) {
+            return r;
+        }
+        Object.entries(this.yaml.packages).forEach(([pkgKey, pkgInfo]) => {
+            // 解析包键，格式如: "/lodash/4.17.21" 或 "lodash@4.17.21"
+            let name, version;
+
+            if (pkgKey.startsWith("/")) {
+                // 旧格式: /lodash/4.17.21
+                const parts = pkgKey.split("/");
+                name = parts[1];
+                version = parts[2];
+            } else {
+                // 新格式: lodash@4.17.21
+                const match = pkgKey.match(/^(.+?)@(.+)$/);
+                if (match) {
+                    name = match[1];
+                    version = match[2];
+                }
+            }
+
+            if (name && version) {
+                // 处理 peer dependency 后缀，如 "babel-jest@27.5.1(@babel/core@7.23.6)"
+                let cleanVersion = version.split("(")[0];
+                if (cleanVersion == null) {
+                    cleanVersion = version;
+                }
+                if (!r[name]) {
+                    r[name] = [];
+                }
+                if (r[name]!.indexOf(cleanVersion) === -1) {
+                    r[name]!.push(cleanVersion);
+                }
+            }
+        });
+        return r;
+    }
+}
+
+export class YarnLockParser extends LockParser {
+    private syml: any;
+
+    constructor(content: string) {
+        super(content);
+        this.syml = parseSyml(content);
+    }
+    private static getPackageName(key: string): string {
+        key = key.split(",")[0]!.trim();
+        key = key.split(":")[0]!.trim();
+        return key.lastIndexOf("@") > 0
+            ? key.slice(0, key.lastIndexOf("@"))
+            : key;
+    }
+
+    public getDependencies(): Record<string, string[]> {
+        const r: Record<string, string[]> = Object.create(null);
+        for (const key in this.syml) {
+            const entry = this.syml[key];
+            if (entry === "__metadata") {
+                continue;
+            }
+
+            const pkgName = YarnLockParser.getPackageName(key);
+            if (!r[pkgName]) {
+                r[pkgName] = [];
+            }
+
+            if (r[pkgName].indexOf(entry.version) === -1) {
+                r[pkgName].push(entry.version);
+            }
+        }
+
+        return r;
+    }
+}