
@cronvel/falafel
(Fork to make it up to date.)
Transform the ast on a recursive walk.
This module uses acorn to create an AST from source code.

Put a function wrapper around all array literals.

    var falafel = require('falafel');

    var src = '(' + function () {
        var xs = [ 1, 2, [ 3, 4 ] ];
        var ys = [ 5, 6 ];
        console.dir([ xs, ys ]);
    } + ')()';

    var output = falafel(src, function (node) {
        if (node.type === 'ArrayExpression') {
            node.update('fn(' + node.source() + ')');
        }
    });
    console.log(output);

output:

    (function () {
        var xs = fn([ 1, 2, fn([ 3, 4 ]) ]);
        var ys = fn([ 5, 6 ]);
        console.dir(fn([ xs, ys ]));
    })()

    var falafel = require('falafel')

Transform the string source src with the function fn, returning a
string-like transformed output object.
For every node in the ast, fn(node) fires. The recursive walk is a
pre-traversal, so children get called before their parents.
Performing a pre-traversal makes it easier to write nested transforms, since transforming a parent often requires transforming all of its children first.
The return value is string-like (it defines .toString() and .inspect()) so
that you can call node.update() asynchronously after the function has
returned and still capture the output.
Instead of passing a src you can also use opts.source.
All of the opts will be passed directly to acorn.
You may pass in an instance of acorn to the opts as opts.parser to use that
version instead of the version of acorn packaged with this library.

    var acorn = require('acorn-jsx');

    falafel(src, {parser: acorn, plugins: { jsx: true }}, function(node) {
        // this will parse jsx
    });

Aside from the regular esprima data, you can also call some inserted methods on nodes.
Aside from updating the current node, you can also reach into sub-nodes to call update functions on children from parent nodes.
node.source(): Return the source for the given node, including any modifications made to children nodes.
node.update(s): Transform the source for the present node to the string s.
Note that in 'ForStatement' node types, there is an existing subnode called
update. For those nodes all the properties are copied over onto the
node.update() function.
node.parent: Reference to the parent element or null at the root element.
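
The children-first walk and the node.source() / node.update() behaviour described above, as an added sketch that is not falafel's own code. It assumes a hand-built AST with acorn-style start/end offsets instead of calling acorn, and the names miniFalafel, sampleAst, demo and lateUpdate are hypothetical.

```javascript
// Added sketch (not falafel's source): children-first rewrite over an AST
// whose nodes carry acorn-style start/end character offsets.
function miniFalafel(src, ast, fn) {
  const chunks = src.split('');            // one slot per source character
  (function walk(node, parent) {
    node.parent = parent;                  // null at the root
    node.source = () => chunks.slice(node.start, node.end).join('');
    node.update = (s) => {
      chunks[node.start] = s;              // replacement lives in the first slot
      for (let i = node.start + 1; i < node.end; i++) chunks[i] = '';
    };
    for (const key of Object.keys(node)) {
      if (key === 'parent') continue;      // avoid walking back up the tree
      const kids = [].concat(node[key]);
      for (const k of kids) if (k && typeof k.type === 'string') walk(k, node);
    }
    fn(node);                              // fires after all children have fired
  })(ast, null);
  return { toString: () => chunks.join('') };  // string-like, reads chunks lazily
}

// Constructed AST for the constructed source '[1, [2]]'.
function sampleAst() {
  const lit = (start) => ({ type: 'Literal', start, end: start + 1 });
  const inner = { type: 'ArrayExpression', start: 4, end: 7, elements: [lit(5)] };
  return { type: 'ArrayExpression', start: 0, end: 8, elements: [lit(1), inner] };
}

// Wrap every array literal; the parent's source() already contains the child's edit.
function demo() {
  const order = [];
  const out = miniFalafel('[1, [2]]', sampleAst(), (node) => {
    order.push(node.type + '@' + node.start);
    if (node.type === 'ArrayExpression') node.update('fn(' + node.source() + ')');
  });
  return { order, output: String(out) };
}

// update() called after the walk returned is still visible in the output object.
function lateUpdate() {
  let saved;
  const out = miniFalafel('[1, [2]]', sampleAst(), (node) => {
    if (node.start === 5) saved = node;
  });
  saved.update('42');
  return String(out);
}
console.log(demo(), lateUpdate());
```

In this sketch a late update only behaves as expected while no ancestor of that node has already been updated, because an ancestor's update() blanks the slots its children write into.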
With npm do:

    npm install falafel

MIT
FAQs
The npm package @cronvel/falafel receives a total of 1 weekly downloads. As such, @cronvel/falafel popularity was classified as not popular.
We found that @cronvel/falafel demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.