
# @jpmorganchase/depcom

A Go package that extracts imported dependencies from Javascript / Typescript / CSS source files. It uses concurrency and [internal APIs](https://github.com/ije/esbuild-internal/) from the [Esbuild project](https://esbuild.github.io/) for blazing performance.
## Installation

```sh
npm install depcom --save
```

or

```sh
yarn add depcom
```

## Usage

```javascript
import { analyzeRuntimeDependencies } from "depcom";

const { ImportArray, Time, FileCount, Logs } = analyzeRuntimeDependencies({
  path: "path/to/package",
  options: {
    match: "**/*.{tsx,jsx,mjs,cjs,ts,js,css}",
    exclude: ["node_modules/**/*"],
  },
});
```

## Building from source

```sh
go build
go test ./...
```
## Command-line options

- `-d`: Set a base directory (default: `./`)
- `-a`: Select multiple files using a glob pattern, starting from the base directory (default: `**/*.{tsx,jsx,mjs,cjs,ts,js,css}`)
- `-x`: Exclude files using a glob pattern, starting from the base directory. This option can be specified multiple times (default: none)

Target files will be matched by evaluating the glob patterns separately, then calculating the difference between the allowed matches and all the excluded ones.
## Examples

Extract the dependencies of a package, excluding the `node_modules` directory (note the quotes, to avoid shell globbing):

```sh
./depcom -d path/to/package -a "**/*.{tsx,jsx,mjs,cjs,ts,js,css}" -x "node_modules/**/*"
```

Additionally exclude the files under `src`, which aren't external dependencies (note the double usage of the `-x` argument):

```sh
./depcom -d path/to/package -a "**/*.{tsx,jsx,mjs,cjs,ts,js,css}" -x "node_modules/**/*" -x "src/**/*"
```
```sh
# Run with the default options against the current directory
./depcom

# Analyze specific files by passing their paths as arguments
./depcom ../path/to/directory/file1.js ../another/path/to/directory/file1.js

# Show the built-in help
./depcom -h
```
## Supported syntax

- `require` and `require.resolve` are supported, if the argument is a string literal.
- The `import` statement and the `import` operator. The latter, commonly known as dynamic import, is supported only if the argument is a string literal.
- `@import` rules are supported.
- `import type` statements are not supported.

## Supported file types

- `.js`: Javascript files. All unrecognized extensions will fall back to `.js` (so, for example, you can safely pass `.mjs` or `.cjs` files to depcom).
- `.ts`: Typescript files.
- `.jsx`: Javascript files with React JSX code. Please note that a file with extension `.js` containing JSX code will not be parsed correctly and will terminate parsing at the first JSX expression. This will emit an error in the logs but won't interrupt parsing of the remaining files.
- `.tsx`: Typescript files with React JSX code. Please note that a file with extension `.ts` containing JSX code will not be parsed correctly and will terminate parsing at the first JSX expression. This will emit an error in the logs but won't interrupt parsing of the remaining files.
- `.css`: CSS files.

## Output

- `Time`: Time elapsed parsing
- `Logs`: Array of logs, grouped by log level
- `ImportArray`: An array of all the unique dependencies extracted from the files. No subpaths.
- `FileCount`: The number of files processed

Example output:

```json
{
  "Time": "15.961751ms",
  "ImportArray": ["rollup-plugin-esbuild", "jest-config", "react-native-web", ...],
  "Logs": {
    "Verbose": null,
    "Debug": [
      "../modular/packages/modular-scripts/src/check/index.ts: This \"import\" expression will not be bundled because the argument is not a string literal\n",
      "../modular/packages/modular-scripts/src/esbuild-scripts/start/index.ts: This call to \"require\" will not be bundled because the argument is not a string literal\n"
    ],
    "Info": null,
    "Err": null,
    "Warning": null
  },
  "FileCount": 119
}
```
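One practical use of the output above is a dependency audit: comparing `ImportArray` against what `package.json` declares surfaces undeclared imports (which resolve only through hoisting and can silently change or disappear when the lockfile moves) and declared packages nothing imports. The following is an added example, not code from the depcom project; it uses only the field names documented above (`ImportArray`, `Logs`, `FileCount`), and both the depcom output and the `package.json` it consumes are constructed sample data. The built-in module list and the `packageName` helper are this example's own assumptions.

```javascript
// Added example, not part of the depcom project: audit a package's declared
// dependencies against the imports depcom reports. Undeclared imports are a
// supply-chain risk (they resolve only through hoisting and can be silently
// replaced or dropped); declared-but-unused ones add attack surface for nothing.
// The depcom output and package.json below are constructed samples shaped like
// the JSON depcom prints (Time, ImportArray, Logs, FileCount).

// Assumption of this example: a partial list of Node built-ins to ignore.
const NODE_BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "os", "path", "stream", "url", "util", "zlib",
]);

// Reduce an import specifier to the package it resolves against.
// depcom already drops subpaths, but scoped names and "node:" prefixes are
// handled here so the check stays correct on raw specifiers as well.
function packageName(specifier) {
  if (specifier.startsWith("node:")) return specifier.slice("node:".length);
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null; // local file
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function auditDependencies(depcomOutput, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
    ...Object.keys(packageJson.peerDependencies || {}),
  ]);
  const imported = new Set();
  for (const specifier of depcomOutput.ImportArray || []) {
    const name = packageName(specifier);
    if (name !== null && !NODE_BUILTINS.has(name)) imported.add(name);
  }
  const undeclared = [...imported].filter((n) => !declared.has(n)).sort();
  const unused = [...declared].filter((n) => !imported.has(n)).sort();
  // depcom logs a Debug entry for every require()/import() whose argument is
  // not a string literal; such dependencies never reach ImportArray, so the
  // files involved need a manual look before the audit result is trusted.
  const unresolved = ((depcomOutput.Logs && depcomOutput.Logs.Debug) || [])
    .map((entry) => entry.split(": ")[0]);
  return { undeclared, unused, unresolved };
}

// Constructed sample of depcom's JSON output.
const SAMPLE_DEPCOM_OUTPUT = {
  Time: "15.961751ms",
  ImportArray: ["react", "lodash", "@babel/core", "node:fs", "path", "left-pad"],
  Logs: {
    Verbose: null,
    Debug: ['src/plugins/loader.ts: This "import" expression will not be bundled because the argument is not a string literal\n'],
    Info: null,
    Err: null,
    Warning: null,
  },
  FileCount: 42,
};

// Constructed sample package.json (already parsed).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { react: "^18.2.0", lodash: "^4.17.21", express: "^4.18.2" },
  devDependencies: { "@babel/core": "^7.22.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_DEPCOM_OUTPUT, SAMPLE_PACKAGE_JSON), null, 2));
```

On the sample data this reports `left-pad` as undeclared, `express` as unused, and `src/plugins/loader.ts` as a file whose dynamic import depcom could not resolve. In a real pipeline the first argument comes from `analyzeRuntimeDependencies` or from parsing the CLI's JSON output, and the second from `JSON.parse` of the project's `package.json`; treat a non-empty `unresolved` list as a reason to inspect those files rather than as a clean result.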
## FAQs

We found that @jpmorganchase/depcom demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.