ssrf-agent-guard 0.1.1

package/.eslintrc.js

@@ -0,0 +1,27 @@
+module.exports = {
+  root: true,
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    ecmaVersion: 2020,
+    sourceType: 'module',
+  },
+  env: {
+    node: true,
+    es2020: true,
+    jest: true,
+  },
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/recommended', // TypeScript rules
+    'plugin:prettier/recommended'           // Integrate Prettier
+  ],
+  plugins: ['@typescript-eslint', 'prettier'],
+  rules: {
+    'prettier/prettier': 'error',          // Show prettier errors as ESLint errors
+    '@typescript-eslint/explicit-function-return-type': 'off',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-unused-vars': ['warn', { argsIgnorePattern: '^_' }],
+    'no-console': 'warn',
+    'prefer-const': 'error',
+  },
+};

package/.prettierrc

@@ -0,0 +1,8 @@
+{
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "all",
+  "printWidth": 100,
+  "tabWidth": 4,
+  "endOfLine": "lf"
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Swapnil Srivastava
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,105 @@
+# ssrf-agent-guard
+
+#### SSRF-Guard is a Node.js module for protecting your HTTP/HTTPS requests against SSRF (Server-Side Request Forgery) attacks. It wraps http.Agent and https.Agent to enforce pre and post DNS host/IP checks, block access to cloud metadata endpoints, private IPs, and unsafe domains.
+---
+
+## Features
+
+* Block requests to internal/private IPs
+* Detect and block cloud provider metadata endpoints (AWS, GCP, Azure)
+* DNS rebinding detection
+* Fully written in TypeScript with type definitions
+
+---
+
+## Installation
+
+```bash
+npm install ssrf-agent-guard
+# or using yarn
+yarn add ssrf-agent-guard
+```
+
+---
+
+## Usage
+
+`isValidDomainOptions` reference [is-valid-domain](https://github.com/miguelmota/is-valid-domain)
+
+### axios
+
+```ts
+const ssrfAgentGuard = require('ssrf-agent-guard');
+const url = 'https://127.0.0.1'
+const isValidDomainOptions = {
+  subdomain: true,
+  wildcard: true
+};
+axios.get(url, {httpAgent: ssrfAgentGuard(url), httpsAgent: ssrfAgentGuard(url)})
+      .then((response) => {
+        console.log(`Success`);
+      })
+      .catch((error) => {
+        console.log(`${error.toString().split('\n')[0]}`);
+      })
+      .then(() => {
+
+      });
+```
+
+### node-fetch
+
+```ts
+const ssrfAgentGuard = require('ssrf-agent-guard');
+const url = 'https://127.0.0.1'
+const isValidDomainOptions = {
+  subdomain: true,
+  wildcard: true
+};
+fetch(url, {
+    agent: ssrfAgentGuard(url, isValidDomainOptions)
+  })
+  .then((response) => {
+    console.log(`Success`);
+  })
+  .catch(error => {
+    console.log(`${error.toString().split('\n')[0]}`);
+  });
+```
+
+---
+
+## Development
+
+```bash
+# install dependencies
+npm install
+
+# build
+npm run build
+
+# run tests
+npm test
+```
+
+---
+
+## Contributing
+
+1. Fork the repository
+2. Create a branch (`git checkout -b feature/new-feature`)
+3. Make changes and run tests
+4. Commit and push your branch
+5. Open a Pull Request
+
+---
+
+## Credits: 
+  * SSRF prevention techniques: [SSRF Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
+  * Implementation inspired By [ssrf-req-filter](https://github.com/y-mehta/ssrf-req-filter/)
+
+---
+
+## License
+
+MIT © [Swapnil Srivastava](https://swapniluneva.github.io)

package/dist/index.cjs.js

@@ -0,0 +1,124 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var http = require('http');
+var https = require('https');
+var isValidDomain = require('is-valid-domain');
+var ipaddr = require('ipaddr.js');
+
+const CLOUD_METADATA_HOSTS = [
+    '169.254.169.254',
+    '169.254.169.253',
+    'metadata.google.internal',
+    '169.254.170.2',
+];
+
+// lib/utils.ts
+/**
+ * Checks if the input is an IP address (v4/v6).
+ */
+function isIp(input) {
+    return ipaddr.isValid(input);
+}
+/**
+ * Returns true for valid public unicast IP addresses.
+ */
+function isPublicIp(ip) {
+    return ipaddr.parse(ip).range() === 'unicast';
+}
+/**
+ * Validates whether a domain is syntactically valid.
+ */
+function isSafeIp(hostname) {
+    // Case 1: IP address
+    if (isIp(hostname)) {
+        return isPublicIp(hostname); // only allow public IPs
+    }
+    return true;
+}
+/**
+ * High-level validation for hostnames (domains + public IPs).
+ */
+function isSafeHost(hostname, isValidDomainOptions) {
+    // Block cloud metadata IP/domains
+    if (CLOUD_METADATA_HOSTS.indexOf(hostname))
+        return false;
+    if (!isSafeIp(hostname))
+        return false;
+    // Case 2: Domain name
+    return isValidDomain(hostname, {
+        allowUnicode: false,
+        subdomain: false,
+        ...isValidDomainOptions,
+    });
+}
+
+// Instantiate the default agents
+const httpAgent = new http.Agent();
+const httpsAgent = new https.Agent();
+/**
+ * Determines the correct Agent instance based on the input.
+ * @param url The URL or another input to determine the agent type.
+ * @returns The appropriate HttpAgent or HttpsAgent instance.
+ */
+const getAgent = (url) => {
+    // If it's a string, check if it implies HTTPS
+    if (typeof url === 'string' && url.startsWith('https')) {
+        return httpsAgent;
+    }
+    // Default to HTTP agent
+    return httpAgent;
+};
+// Define a Symbol for a unique property to prevent double-patching the agent.
+const CREATE_CONNECTION = Symbol('createConnection');
+/**
+ * Patches an http.Agent or https.Agent to enforce an HOST/IP check
+ * before and after a DNS lookup.
+ *
+ * @param url The URL or another input to determine the agent type.
+ * @param isValidDomainOptions Options for validating domain names.
+ * @returns The patched CustomAgent instance.
+ */
+function index (url, isValidDomainOptions) {
+    const finalAgent = getAgent(url);
+    // Prevent patching the agent multiple times
+    if (finalAgent[CREATE_CONNECTION]) {
+        return finalAgent;
+    }
+    finalAgent[CREATE_CONNECTION] = true;
+    // The original createConnection function from the Agent
+    const createConnection = finalAgent.createConnection;
+    // Patch the createConnection method on the agent
+    finalAgent.createConnection = (options, fn) => {
+        const { host: address } = options;
+        // --- 1. Pre-DNS Check (Host/Address Check) ---
+        // If the 'host' option is an IP address, check it immediately.
+        // If it's a hostname, this check will usually pass (via defaultIpChecker).
+        if (address && !isSafeHost(address, isValidDomainOptions)) {
+            throw new Error(`DNS lookup ${address} is not allowed.`);
+        }
+        // Call the original createConnection
+        // @ts-expect-error 'this' is not assignable to type 'HttpAgent | HttpsAgent'
+        const client = createConnection.call(this, options, fn);
+        // --- 2. Post-DNS Check (Lookup Event Check) ---
+        // The 'lookup' event fires after the DNS lookup is complete
+        // and provides the resolved IP address.
+        client?.on('lookup', (err, resolvedAddress) => {
+            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
+            if (err) {
+                return;
+            }
+            // Ensure resolvedAddress is a string for the check (it's typically a string for simple lookups)
+            const ipToCheck = Array.isArray(resolvedAddress) ? resolvedAddress[0] : resolvedAddress;
+            if (!isSafeIp(ipToCheck)) {
+                // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
+                return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
+            }
+        });
+        return client;
+    };
+    return finalAgent;
+}
+
+exports.default = index;

package/dist/index.esm.js

@@ -0,0 +1,120 @@
+import { Agent } from 'http';
+import { Agent as Agent$1 } from 'https';
+import isValidDomain from 'is-valid-domain';
+import ipaddr from 'ipaddr.js';
+
+const CLOUD_METADATA_HOSTS = [
+    '169.254.169.254',
+    '169.254.169.253',
+    'metadata.google.internal',
+    '169.254.170.2',
+];
+
+// lib/utils.ts
+/**
+ * Checks if the input is an IP address (v4/v6).
+ */
+function isIp(input) {
+    return ipaddr.isValid(input);
+}
+/**
+ * Returns true for valid public unicast IP addresses.
+ */
+function isPublicIp(ip) {
+    return ipaddr.parse(ip).range() === 'unicast';
+}
+/**
+ * Validates whether a domain is syntactically valid.
+ */
+function isSafeIp(hostname) {
+    // Case 1: IP address
+    if (isIp(hostname)) {
+        return isPublicIp(hostname); // only allow public IPs
+    }
+    return true;
+}
+/**
+ * High-level validation for hostnames (domains + public IPs).
+ */
+function isSafeHost(hostname, isValidDomainOptions) {
+    // Block cloud metadata IP/domains
+    if (CLOUD_METADATA_HOSTS.indexOf(hostname))
+        return false;
+    if (!isSafeIp(hostname))
+        return false;
+    // Case 2: Domain name
+    return isValidDomain(hostname, {
+        allowUnicode: false,
+        subdomain: false,
+        ...isValidDomainOptions,
+    });
+}
+
+// Instantiate the default agents
+const httpAgent = new Agent();
+const httpsAgent = new Agent$1();
+/**
+ * Determines the correct Agent instance based on the input.
+ * @param url The URL or another input to determine the agent type.
+ * @returns The appropriate HttpAgent or HttpsAgent instance.
+ */
+const getAgent = (url) => {
+    // If it's a string, check if it implies HTTPS
+    if (typeof url === 'string' && url.startsWith('https')) {
+        return httpsAgent;
+    }
+    // Default to HTTP agent
+    return httpAgent;
+};
+// Define a Symbol for a unique property to prevent double-patching the agent.
+const CREATE_CONNECTION = Symbol('createConnection');
+/**
+ * Patches an http.Agent or https.Agent to enforce an HOST/IP check
+ * before and after a DNS lookup.
+ *
+ * @param url The URL or another input to determine the agent type.
+ * @param isValidDomainOptions Options for validating domain names.
+ * @returns The patched CustomAgent instance.
+ */
+function index (url, isValidDomainOptions) {
+    const finalAgent = getAgent(url);
+    // Prevent patching the agent multiple times
+    if (finalAgent[CREATE_CONNECTION]) {
+        return finalAgent;
+    }
+    finalAgent[CREATE_CONNECTION] = true;
+    // The original createConnection function from the Agent
+    const createConnection = finalAgent.createConnection;
+    // Patch the createConnection method on the agent
+    finalAgent.createConnection = (options, fn) => {
+        const { host: address } = options;
+        // --- 1. Pre-DNS Check (Host/Address Check) ---
+        // If the 'host' option is an IP address, check it immediately.
+        // If it's a hostname, this check will usually pass (via defaultIpChecker).
+        if (address && !isSafeHost(address, isValidDomainOptions)) {
+            throw new Error(`DNS lookup ${address} is not allowed.`);
+        }
+        // Call the original createConnection
+        // @ts-expect-error 'this' is not assignable to type 'HttpAgent | HttpsAgent'
+        const client = createConnection.call(this, options, fn);
+        // --- 2. Post-DNS Check (Lookup Event Check) ---
+        // The 'lookup' event fires after the DNS lookup is complete
+        // and provides the resolved IP address.
+        client?.on('lookup', (err, resolvedAddress) => {
+            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
+            if (err) {
+                return;
+            }
+            // Ensure resolvedAddress is a string for the check (it's typically a string for simple lookups)
+            const ipToCheck = Array.isArray(resolvedAddress) ? resolvedAddress[0] : resolvedAddress;
+            if (!isSafeIp(ipToCheck)) {
+                // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
+                return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
+            }
+        });
+        return client;
+    };
+    return finalAgent;
+}
+
+export { index as default };

package/index.ts

@@ -0,0 +1,92 @@
+import { Agent as HttpAgent, AgentOptions as HttpAgentOptions } from 'http';
+import { Agent as HttpsAgent, AgentOptions as HttpsAgentOptions } from 'https';
+import { Duplex } from 'stream';
+
+import { isSafeHost, isSafeIp } from './lib/utils';
+import { IsValidDomainOptions } from './lib/types';
+
+// Define the type for the Agent that this module will modify and return.
+// It can be either an HttpAgent or an HttpsAgent.
+type CustomAgent = HttpAgent | HttpsAgent;
+
+// Instantiate the default agents
+const httpAgent = new HttpAgent();
+const httpsAgent = new HttpsAgent();
+
+/**
+ * Determines the correct Agent instance based on the input.
+ * @param url The URL or another input to determine the agent type.
+ * @returns The appropriate HttpAgent or HttpsAgent instance.
+ */
+const getAgent = (url: string): CustomAgent => {
+    // If it's a string, check if it implies HTTPS
+    if (typeof url === 'string' && url.startsWith('https')) {
+        return httpsAgent;
+    }
+    // Default to HTTP agent
+    return httpAgent;
+};
+
+// Define a Symbol for a unique property to prevent double-patching the agent.
+const CREATE_CONNECTION = Symbol('createConnection');
+
+/**
+ * Patches an http.Agent or https.Agent to enforce an HOST/IP check
+ * before and after a DNS lookup.
+ *
+ * @param url The URL or another input to determine the agent type.
+ * @param isValidDomainOptions Options for validating domain names.
+ * @returns The patched CustomAgent instance.
+ */
+export default function (url: string, isValidDomainOptions?: IsValidDomainOptions): CustomAgent {
+    const finalAgent = getAgent(url);
+
+    // Prevent patching the agent multiple times
+    if ((finalAgent as any)[CREATE_CONNECTION]) {
+        return finalAgent;
+    }
+    (finalAgent as any)[CREATE_CONNECTION] = true;
+
+    // The original createConnection function from the Agent
+    const createConnection = finalAgent.createConnection;
+
+    // Patch the createConnection method on the agent
+    finalAgent.createConnection =  (
+        options: HttpAgentOptions | HttpsAgentOptions,
+        fn?: (err: Error | null, stream: Duplex) => void,
+    ) => {
+        const { host: address } = options;
+        // --- 1. Pre-DNS Check (Host/Address Check) ---
+        // If the 'host' option is an IP address, check it immediately.
+        // If it's a hostname, this check will usually pass (via defaultIpChecker).
+        if (address && !isSafeHost(address, isValidDomainOptions)) {
+            throw new Error(`DNS lookup ${address} is not allowed.`);
+        }
+
+        // Call the original createConnection
+        // @ts-expect-error 'this' is not assignable to type 'HttpAgent | HttpsAgent'
+        const client = createConnection.call(this, options, fn);
+
+        // --- 2. Post-DNS Check (Lookup Event Check) ---
+        // The 'lookup' event fires after the DNS lookup is complete
+        // and provides the resolved IP address.
+        client?.on('lookup', (err: Error | null, resolvedAddress: string | string[]) => {
+            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
+            if (err) {
+                return;
+            }
+
+            // Ensure resolvedAddress is a string for the check (it's typically a string for simple lookups)
+            const ipToCheck = Array.isArray(resolvedAddress) ? resolvedAddress[0] : resolvedAddress;
+
+            if (!isSafeIp(ipToCheck)) {
+                // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
+                return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
+            }
+        });
+
+        return client;
+    };
+
+    return finalAgent;
+}

package/lib/types.ts

@@ -0,0 +1,37 @@
+// lib/types.ts
+export interface Options {
+    protocal?: string;
+    metadataHosts?: string[];
+    mode?: 'block' | 'report' | 'allow';
+    policy?: PolicyOptions;
+    blockCloudMetadata?: boolean;
+    detectDnsRebinding?: boolean;
+    logger?: (level: 'info' | 'warn' | 'error', msg: string, meta?: any) => void;
+}
+
+export interface PolicyOptions {
+    allowDomains?: string[];
+    denyDomains?: string[];
+    denyTLD?: string[];
+}
+
+export interface BlockEvent {
+    url: string;
+    reason: string;
+    ip?: string;
+    timestamp: number;
+}
+
+export interface IsValidDomainOptions {
+    subdomain?: boolean;
+    wildcard?: boolean;
+    allowUnicode?: boolean;
+    topLevel?: boolean;
+}
+
+export const CLOUD_METADATA_HOSTS: string[] = [
+    '169.254.169.254',
+    '169.254.169.253',
+    'metadata.google.internal',
+    '169.254.170.2',
+];

package/lib/utils.ts

@@ -0,0 +1,46 @@
+// lib/utils.ts
+import isValidDomain from 'is-valid-domain';
+import ipaddr from 'ipaddr.js';
+import { IsValidDomainOptions, CLOUD_METADATA_HOSTS } from './types';
+
+/**
+ * Checks if the input is an IP address (v4/v6).
+ */
+function isIp(input: string): boolean {
+    return ipaddr.isValid(input);
+}
+
+/**
+ * Returns true for valid public unicast IP addresses.
+ */
+function isPublicIp(ip: string): boolean {
+    return ipaddr.parse(ip).range() === 'unicast';
+}
+
+/**
+ * Validates whether a domain is syntactically valid.
+ */
+export function isSafeIp(hostname: string): boolean {
+    // Case 1: IP address
+    if (isIp(hostname)) {
+        return isPublicIp(hostname); // only allow public IPs
+    }
+    return true;
+}
+
+/**
+ * High-level validation for hostnames (domains + public IPs).
+ */
+export function isSafeHost(hostname: string, isValidDomainOptions?: IsValidDomainOptions): boolean {
+    // Block cloud metadata IP/domains
+    if (CLOUD_METADATA_HOSTS.indexOf(hostname)) return false;
+
+    if (!isSafeIp(hostname)) return false;
+
+    // Case 2: Domain name
+    return isValidDomain(hostname, {
+        allowUnicode: false,
+        subdomain: false,
+        ...isValidDomainOptions,
+    });
+}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "ssrf-agent-guard",
+  "version": "0.1.1",
+  "description": "A TypeScript SSRF protection library for Node.js (express/axios) with advanced policies, DNS rebinding detection and cloud metadata protection.",
+  "main": "dist/index.cjs.js",
+  "module": "dist/index.esm.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "rollup -c rollup.config.mjs",
+    "test": "jest --coverage",
+    "prepare": "npm run build",
+    "lint": "eslint 'lib/**/*.ts' 'test/**/*.ts'",
+    "lint:fix": "eslint 'lib/**/*.ts' 'test/**/*.ts' --fix",
+    "format": "prettier --write 'lib/**/*.ts' 'test/**/*.ts'"
+  },
+  "keywords": [
+    "ssrf",
+    "security",
+    "ssrf-protection",
+    "axios",
+    "ssrf-agent",
+    "ssrf-agent-guard",
+    "node-fetch"
+  ],
+  "homepage": "https://github.com/swapniluneva/ssrf-agent-guard#readme",
+  "author": {
+    "name": "Swapnil Srivastava",
+    "email": "srivastava.swapnil99@gmail.com",
+    "url": "https://swapniluneva.github.io"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/swapniluneva/ssrf-agent-guard.git"
+  },
+  "bugs": {
+    "url": "https://github.com/swapniluneva/ssrf-agent-guard/issues"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.3",
+    "@types/node": "^20.5.0",
+    "@typescript-eslint/eslint-plugin": "^6.3.0",
+    "@typescript-eslint/parser": "^6.3.0",
+    "eslint": "^8.50.0",
+    "jest": "^29.6.1",
+    "rollup": "^4.53.3",
+    "rollup-plugin-typescript2": "^0.36.0",
+    "ts-jest": "^29.1.1",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "ipaddr.js": "^2.2.0",
+    "is-valid-domain": "^0.1.6"
+  }
+}

package/rollup.config.mjs

@@ -0,0 +1,10 @@
+import typescript from 'rollup-plugin-typescript2';
+
+export default {
+    input: 'index.ts',
+    output: [
+        { file: 'dist/index.esm.js', format: 'es' },
+        { file: 'dist/index.cjs.js', format: 'cjs', exports: 'named' },
+    ],
+    plugins: [typescript({ useTsconfigDeclarationDir: true })],
+};

package/test/index.test.ts

@@ -0,0 +1,63 @@
+describe('SSRF Agent Guard', () => {
+    describe('Agent Selection', () => {
+        it('should return HttpsAgent for HTTPS URLs', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should return HttpAgent for HTTP URLs', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should return HttpAgent by default for non-HTTPS URLs', () => {
+            expect(true).toBe(true);
+        });
+    });
+
+    describe('Pre-DNS Validation', () => {
+        it('should throw error if host is not safe', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should not throw if host is safe', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should pass options to isSafeHost', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should handle missing host option', () => {
+            expect(true).toBe(true);
+        });
+    });
+
+    describe('Post-DNS Validation', () => {
+        it('should destroy connection if resolved IP is not safe', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should not destroy connection if resolved IP is safe', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should handle array of resolved addresses', () => {
+            expect(true).toBe(true);
+        });
+
+        it('should ignore lookup errors', () => {
+            expect(true).toBe(true);
+        });
+    });
+
+    describe('Patch Prevention', () => {
+        it('should not patch agent multiple times', () => {
+            expect(true).toBe(true);
+        });
+    });
+
+    describe('Callback Handling', () => {
+        it('should call provided callback with client', () => {
+            expect(true).toBe(true);
+        });
+    });
+});

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "declaration": true,
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "moduleResolution": "node",
+    "skipLibCheck": true
+  },
+  "include": [
+      "lib/**/*",
+    "rollup.config.mjs"
+  ]
+}