@nodesecure/scanner
A package API to run a static analysis of your module's dependencies.
import type { Warning } from "@nodesecure/js-x-ray";
import * as Vulnera from "@nodesecure/vulnera";
import type { PackageModuleType } from "@nodesecure/mama";
import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
import type { IlluminatedContact } from "@nodesecure/contact";
import type { Contact } from "@nodesecure/npm-types";
/**
 * A person or organization the npm registry associates with a package
 * (used for `author`, `maintainers` and, via `Publisher`, for publishers).
 *
 * Extends the registry `Contact` shape with an optional avatar path.
 * NOTE(review): none of these identity fields are cryptographically bound to
 * whoever actually produced the tarball; `author` in particular is declared
 * by the package itself and is flagged "not trustable" on the fields that use
 * this type. Do not base trust decisions on them alone.
 */
export type Maintainer = Contact & {
  /**
   * Path to publisher's avatar on "https://www.npmjs.com".
   * Only the path is stored, so it presumably has to be joined to that origin
   * before use — confirm against the consumer that renders it.
   * @example /npm-avatar/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.LwimMJA3puF3ioGeS-tfczR3370GXBZMIL-bdpu4hOU
   */
  npmAvatar?: string;
};
/**
 * An account that published at least one version of the package.
 *
 * Same shape as `Maintainer` without `url`, plus the first publication
 * made by this account. A publisher that is not also a maintainer, or a
 * recent first publication on an old package, is the kind of signal the
 * `hasManyPublishers` / `hasChangedAuthor` metadata flags are built from
 * (presumably — confirm in the scanner implementation).
 */
export type Publisher = Omit<Maintainer, "url"> & {
  /**
   * First version this account published.
   */
  version: string;
  /**
   * Date of the first publication by this account, as an ISO-8601 string
   * (per the example; it is not a `Date` object).
   * @example 2021-08-10T20:45:08.342Z
   */
  at: string;
};
/**
 * Web links for one dependency version.
 *
 * Only `npm` is always present. `homepage` and `repository` are presumably
 * taken from the package's own metadata, i.e. publisher-controlled text.
 * NOTE(review): treat them as untrusted input — validate the scheme before
 * rendering them as clickable links or following them automatically.
 */
export interface DependencyLinks {
  /** NPM Registry page */
  npm: string;
  /** Homepage URL */
  homepage?: string;
  /** VCS repository URL */
  repository?: string;
}
/**
 * Runtime constraints declared by the package — presumably the manifest's
 * `engines` field, so each value is a semver range string as written by the
 * publisher, not something the scanner has verified.
 */
export interface Engines {
  node?: string;
  npm?: string;
}
/**
 * Source repository as declared by the package (presumably the manifest's
 * `repository` object). Both fields are self-declared; nothing here proves
 * that the published tarball was built from that repository.
 */
export interface Repository {
  /** VCS kind, e.g. "git" */
  type: string;
  /** Repository URL — untrusted, publisher-supplied */
  url: string;
}
/**
 * Analysis result for one concrete version of a package found in the tree.
 *
 * Mixes metadata copied from the package manifest/registry (self-declared,
 * untrusted) with facts the scanner derived itself from the extracted tarball
 * (composition, warnings, flags, integrity). Keep that distinction in mind
 * when using a field for a trust decision.
 */
export interface DependencyVersion {
  /** Id of the package (useful for usedBy relation) */
  id: number;
  type: PackageModuleType;
  isDevDependency: boolean;
  /**
   * Tells whether the given package exists on the configured remote registry (npm by default).
   *
   * NOTE(review): a `false` here means the tree contains a package the
   * registry does not know about — worth investigating, since that is the
   * pattern behind dependency-confusion / internal-name squatting attacks.
   * @default true
   */
  existOnRemoteRegistry: boolean;
  /**
   * Which packages depend on this one: keyed by the dependent's id.
   * The value is presumably the version (or range) the dependent requested — confirm against the scanner.
   */
  usedBy: Record<string, string>;
  /** Size on disk of the extracted tarball (in bytes) */
  size: number;
  /** Count of dependencies */
  dependencyCount: number;
  /** Package description */
  description: string;
  /**
   * Author of the package. This information is not trustable and can be empty:
   * it is whatever the manifest declares, and can be set to anything by the publisher.
   */
  author: Maintainer | null;
  engines: Engines;
  repository?: Repository;
  /**
   * Scripts declared by the package (presumably the manifest `scripts` map, name -> command).
   *
   * NOTE(review): lifecycle scripts such as `preinstall` / `install` /
   * `postinstall` run arbitrary commands at install time and are a common
   * supply-chain attack vector — review them, do not just count them.
   */
  scripts: Record<string, string>;
  /**
   * JS-X-Ray warnings
   *
   * Static-analysis findings on the package's source files.
   * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
   */
  warnings: Warning[];
  /**
   * Alias map (presumably npm `name@npm:other-name` aliases, alias -> target — confirm).
   */
  alias: Record<string, string>;
  /**
   * Tarball composition (files and dependencies), derived by the scanner from
   * the extracted archive. The `required_*` / `unused` / `missing` fields are
   * named after what they hold; the exact semantics below are inferred from
   * those names and should be confirmed against the scanner.
   */
  composition: {
    /** Files extensions (.js, .md, .exe etc..) */
    extensions: string[];
    files: string[];
    /** Minified files (foo.min.js etc..) */
    minified: string[];
    /** Files required/imported by the package's own code (by name) */
    required_files: string[];
    /** Third-party modules required by the code (by name) */
    required_thirdparty: string[];
    /** Node.js core modules required by the code (by name) */
    required_nodejs: string[];
    /** Sub-path imports of the form `pkg/sub/path` (by name) */
    required_subpath: string[];
    /** Declared dependencies that the code never requires (by name) */
    unused: string[];
    /** Modules the code requires but the manifest does not declare (by name) */
    missing: string[];
  };
  /**
   * All Licenses with their SPDX conformance
   */
  licenses: SpdxFileLicenseConformance[];
  /** De-duplicated SPDX identifiers found across `licenses` */
  uniqueLicenseIds: string[];
  /**
   * Flags (Array of string)
   *
   * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
   */
  flags: string[];
  /**
   * If the dependency is a GIT repository: the git URL it was resolved from,
   * otherwise `null`.
   */
  gitUrl: null | string;
  /**
   * Version MD5 integrity hash
   * Generated by the scanner to verify manifest/tarball confusion
   *
   * NOTE(review): MD5 is not collision-resistant, so this detects an
   * accidental or naive mismatch between what the registry manifest
   * describes and what the tarball contains; it is not a tamper-evident
   * guarantee against an attacker who controls the tarball. It is also
   * distinct from the registry's own SRI (`sha512-…`) integrity string.
   *
   * (Not supported on GIT dependency)
   */
  integrity?: string;
  links?: DependencyLinks;
  /** Deprecation message, when the registry marks this version as deprecated (presumably) */
  deprecated?: string;
}
/**
 * Everything the scanner knows about one package (by name): registry-level
 * metadata shared by all versions, the per-version analysis for each version
 * present in the tree, and the vulnerabilities reported for it.
 */
export interface Dependency {
  /** NPM Registry metadata */
  metadata: {
    /** Number of releases published on npm */
    publishedCount: number;
    /**
     * Date of the most recent release.
     * NOTE(review): typed as `Date`, but if the payload is persisted as JSON
     * this becomes an ISO string on the way back in — re-parse before comparing. TODO confirm.
     */
    lastUpdateAt: Date;
    /** Last version SemVer */
    lastVersion: string;
    /**
     * Heuristic: the declared author differs across releases (presumably).
     * A maintainer change on a long-lived package is a classic account-takeover
     * / hand-over signal and deserves a look.
     */
    hasChangedAuthor: boolean;
    /** Heuristic: more than one distinct publisher account (presumably) */
    hasManyPublishers: boolean;
    /** Heuristic: at least one release within the last year (presumably) */
    hasReceivedUpdateInOneYear: boolean;
    /**
     * Author of the package. This information is not trustable and can be empty:
     * it is declared by the package itself, not verified by the registry.
     */
    author: Maintainer | null;
    /** Package home page */
    homepage: string | null;
    /**
     * List of maintainers (list of people in the organization related to the package)
     */
    maintainers: Maintainer[];
    /**
     * List of people who published this package
     */
    publishers: Publisher[];
    /**
     * Version MD5 integrity hash
     * Generated by the scanner to verify manifest/tarball confusion
     *
     * Keyed by version (presumably, matching `DependencyVersion.integrity`).
     * NOTE(review): MD5 is not collision-resistant — see the caveat on
     * `DependencyVersion.integrity`; use it as a mismatch detector, not as
     * proof of integrity.
     */
    integrity: Record<string, string>;
  };
  /** List of versions of this package available in the dependency tree (In the payload) */
  versions: Record<string, DependencyVersion>;
  /**
   * Vulnerabilities fetched depending on the selected vulnerabilityStrategy
   * (empty when the strategy is NONE — presumably, confirm in the scanner).
   *
   * @see https://github.com/NodeSecure/vuln
   */
  vulnerabilities: Vulnera.StandardVulnerability[];
}
/**
 * Flattened dependency graph: package name -> `Dependency`.
 * Version-level detail lives under each entry's `versions` map.
 */
export type Dependencies = Record<string, Dependency>;
/**
 * Top-level result of a scan: the analyzed root, every dependency reached
 * (flattened), and provenance of the analysis (scanner version, vulnerability
 * source). This is the object consumers persist or render.
 */
export interface Payload {
  /** Payload unique id */
  id: string;
  /** Name of the analyzed package */
  rootDependencyName: string;
  /** Global warnings list (free-form messages, as opposed to the per-version js-x-ray `warnings`) */
  warnings: string[];
  highlighted: {
    /**
     * Contacts matched during the scan — presumably those supplied via
     * `Options.highlight.contacts`, enriched (see `IlluminatedContact`).
     */
    contacts: IlluminatedContact[];
  };
  /** All the dependencies of the package (flattened) */
  dependencies: Dependencies;
  /** Version of the scanner used to generate the result */
  scannerVersion: string;
  /** Vulnerability strategy name (npm, snyk, node) */
  vulnerabilityStrategy: Vulnera.Kind;
}
/**
 * Options accepted by the scanner's entry points (`from()` / `cwd()`).
 * All fields are optional except `packageLock.location` when `packageLock`
 * is given.
 */
export interface Options {
  /**
   * Maximum tree depth
   *
   * Dependencies deeper than this are presumably not analyzed, so a low
   * value trades coverage for speed — confirm in the scanner.
   * @default 4
   */
  readonly maxDepth?: number;
  /**
   * Remote registry to query for package metadata and tarballs
   * (npm by default — see `DependencyVersion.existOnRemoteRegistry`).
   *
   * NOTE(review): this decides where code is fetched from. Only point it at
   * registries you trust, prefer `https:`, and do not populate it from
   * untrusted configuration.
   */
  readonly registry?: string | URL;
  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is useful only when `packageLock` itself is provided
     * (the original comment refers to `usePackageLock`, presumably an
     * earlier name for this option).
     *
     * @default false
     */
    fetchManifest?: boolean;
    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };
  highlight?: {
    /**
     * Contacts to look for across the tree; matches are reported in
     * `Payload.highlighted.contacts` (presumably).
     */
    contacts: Contact[];
  };
  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;
  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * With the default, no vulnerability source is queried, so
   * `Dependency.vulnerabilities` carries nothing — do not read an empty
   * list as "no known vulnerabilities" unless a strategy was set.
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vulnera.Kind;
  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true for cwd() API
   */
  readonly scanRootNode?: boolean;
}
//# sourceMappingURL=types.d.ts.map