NodeSecure tarball scanner
Utilities to extract and deeply analyze npm tarballs.
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
```bash
$ npm i @nodesecure/tarball
# or
$ yarn add @nodesecure/tarball
```

```ts
import * as tarball from "@nodesecure/tarball";

const scanResult = await tarball.scanPackage(
  process.cwd()
);
console.log(scanResult);
```
> [!NOTE]
> This package has been designed to be used by the Scanner package/workspace.
---
> [!CAUTION]
> The following APIs are considered legacy and are waiting for deprecation in future releases.
Scan a given local project or tarball (by providing the path or directly the ManifestManager instance).
`options` lets you customize the behavior of JS-X-Ray.

```ts
export interface ScanOptions {
  astAnalyserOptions?: AstAnalyserOptions;
}
```
Scan a given local project containing a Manifest (package.json).
```ts
interface ScannedPackageResult {
  files: {
    /** Complete list of files for the given package */
    list: string[];
    /** Complete list of extensions (.js, .md etc.) */
    extensions: string[];
    /** List of minified javascript files */
    minified: string[];
  };
  /** Size of the directory in bytes */
  directorySize: number;
  /** Unique license contained in the tarball (MIT, ISC ..) */
  uniqueLicenseIds: string[];
  /** All licenses with their SPDX */
  licenses: conformance.SpdxFileLicenseConformance[];
  ast: {
    dependencies: Record
    warnings: Warning[];
  };
}
```
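
One way to act on a `ScannedPackageResult`, as an added example (not code from the NodeSecure project): a review gate that turns the documented fields into findings before a package is accepted. `ScanSummary`, `ReviewPolicy`, `reviewScan` and the sample values are assumptions made for illustration, and `Warning` entries are treated as opaque.

```typescript
// Added example: local subset of the ScannedPackageResult shape documented above.
interface ScanSummary {
  files: { list: string[]; extensions: string[]; minified: string[] };
  directorySize: number;
  uniqueLicenseIds: string[];
  ast: { warnings: unknown[] }; // opaque: Warning fields are not described on this page
}
// Hypothetical policy settings (assumption, not part of @nodesecure/tarball).
interface ReviewPolicy {
  allowedLicenses: string[];
  maxDirectorySize: number; // bytes
  binaryExtensions: string[];
}

function reviewScan(scan: ScanSummary, policy: ReviewPolicy): string[] {
  const findings: string[] = [];
  if (scan.uniqueLicenseIds.length === 0) findings.push("license: none detected");
  for (const id of scan.uniqueLicenseIds) {
    if (policy.allowedLicenses.indexOf(id) === -1) findings.push(`license: ${id} not on allowlist`);
  }
  // Minified files resist manual review, so each one is listed.
  for (const file of scan.files.minified) findings.push(`minified: ${file}`);
  for (const ext of scan.files.extensions) {
    if (policy.binaryExtensions.indexOf(ext.toLowerCase()) !== -1) findings.push(`binary: ships ${ext} files`);
  }
  if (scan.directorySize > policy.maxDirectorySize) {
    findings.push(`size: ${scan.directorySize} bytes exceeds ${policy.maxDirectorySize}`);
  }
  if (scan.ast.warnings.length > 0) {
    findings.push(`warnings: ${scan.ast.warnings.length} reported by static analysis`);
  }
  return findings;
}

// Constructed sample values, not output from a real scan.
const sampleScan: ScanSummary = {
  files: {
    list: ["package.json", "index.js", "dist/app.min.js", "build/addon.node"],
    extensions: [".json", ".js", ".node"],
    minified: ["dist/app.min.js"]
  },
  directorySize: 2500000,
  uniqueLicenseIds: ["MIT", "GPL-3.0-only"],
  ast: { warnings: [{}, {}] }
};
const samplePolicy: ReviewPolicy = {
  allowedLicenses: ["MIT", "ISC"], maxDirectorySize: 1000000, binaryExtensions: [".node", ".exe"]
};
console.log(reviewScan(sampleScan, samplePolicy));
```

An empty array means the package passed every check in the policy; in a CI job, a non-empty result would fail the step and print the findings.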
Extract a given remote package.