@vercel/nft - npm Package Compare versions

Comparing version 1.0.0 to 1.1.0

out/resolve-dependency.js

@@ -140,3 +140,21 @@ "use strict";
 }
-function resolveExportsImports(pkgPath, obj, subpath, job, isImports, cjsResolve) {
+async function validateAndResolvePaths(paths, parent, job, cjsResolve) {
+    const validatedPaths = [];
+    for (const path of paths) {
+        if (cjsResolve) {
+            const resolved = (await resolveFile(path, parent, job)) ||
+                (await resolveDir(path, parent, job));
+            if (!resolved)
+                throw new NotFoundError(path, parent);
+            validatedPaths.push(resolved);
+        }
+        else {
+            if (!(await job.isFile(path)))
+                throw new NotFoundError(path, parent);
+            validatedPaths.push(path);
+        }
+    }
+    return validatedPaths;
+}
+async function resolveExportsImports(pkgPath, obj, subpath, job, isImports, cjsResolve, parent) {
     let matchObj;
@@ -161,4 +179,23 @@ if (isImports) {
         const target = getExportsTarget(matchObj[subpath], job.conditions, cjsResolve);
-        if (typeof target === 'string' && target.startsWith('./'))
-            return pkgPath + target.slice(1);
+        if (typeof target === 'string' && target.startsWith('./')) {
+            const resolvedPath = pkgPath + target.slice(1);
+            const paths = [resolvedPath];
+            const exportsForSubpath = matchObj[subpath];
+            if (typeof exportsForSubpath === 'object' &&
+                exportsForSubpath !== null &&
+                !Array.isArray(exportsForSubpath) &&
+                'module-sync' in exportsForSubpath &&
+                (0, node_version_1.getNodeMajorVersion)() >= 22) {
+                const fallbackCondition = 'require' in exportsForSubpath ? 'require' : 'default';
+                const fallbackTarget = exportsForSubpath[fallbackCondition];
+                if (typeof fallbackTarget === 'string' &&
+                    fallbackTarget.startsWith('./')) {
+                    const fallbackPath = pkgPath + fallbackTarget.slice(1);
+                    if (fallbackPath !== resolvedPath) {
+                        paths.push(fallbackPath);
+                    }
+                }
+            }
+            return await validateAndResolvePaths(paths, parent, job, cjsResolve);
+        }
     }
@@ -168,5 +205,7 @@ for (const match of Object.keys(matchObj).sort((a, b) => b.length - a.length)) {
             const target = getExportsTarget(matchObj[match], job.conditions, cjsResolve);
-            if (typeof target === 'string' && target.startsWith('./'))
-                return (pkgPath +
-                    target.slice(1).replace(/\*/g, subpath.slice(match.length - 1)));
+            if (typeof target === 'string' && target.startsWith('./')) {
+                const resolvedPath = pkgPath +
+                    target.slice(1).replace(/\*/g, subpath.slice(match.length - 1));
+                return await validateAndResolvePaths([resolvedPath], parent, job, cjsResolve);
+            }
         }
@@ -179,4 +218,6 @@ if (!match.endsWith('/'))
                 target.endsWith('/') &&
-                target.startsWith('./'))
-                return pkgPath + target.slice(1) + subpath.slice(match.length);
+                target.startsWith('./')) {
+                const resolvedPath = pkgPath + target.slice(1) + subpath.slice(match.length);
+                return await validateAndResolvePaths([resolvedPath], parent, job, cjsResolve);
+            }
         }
@@ -220,14 +261,6 @@ }
             if (pkgCfg && pkgImports !== null && pkgImports !== undefined) {
-                let importsResolved = resolveExportsImports(pjsonBoundary, pkgImports, name, job, true, cjsResolve);
+                const importsResolved = await resolveExportsImports(pjsonBoundary, pkgImports, name, job, true, cjsResolve, parent);
                 if (importsResolved) {
-                    if (cjsResolve)
-                        importsResolved =
-                            (await resolveFile(importsResolved, parent, job)) ||
-                                (await resolveDir(importsResolved, parent, job));
-                    else if (!(await job.isFile(importsResolved)))
-                        throw new NotFoundError(importsResolved, parent);
-                    if (importsResolved) {
-                        await job.emitFile(pjsonBoundary + path_1.sep + 'package.json', 'resolve', parent);
-                        return importsResolved;
-                    }
+                    await job.emitFile(pjsonBoundary + path_1.sep + 'package.json', 'resolve', parent);
+                    return importsResolved;
                 }
@@ -258,11 +291,3 @@ }
                 pkgExports !== undefined) {
-                selfResolved = resolveExportsImports(pjsonBoundary, pkgExports, '.' + name.slice(pkgName.length), job, false, cjsResolve);
-                if (selfResolved) {
-                    if (cjsResolve)
-                        selfResolved =
-                            (await resolveFile(selfResolved, parent, job)) ||
-                                (await resolveDir(selfResolved, parent, job));
-                    else if (!(await job.isFile(selfResolved)))
-                        throw new NotFoundError(selfResolved, parent);
-                }
+                selfResolved = await resolveExportsImports(pjsonBoundary, pkgExports, '.' + name.slice(pkgName.length), job, false, cjsResolve, parent);
                 if (selfResolved)
@@ -295,15 +320,7 @@ await job.emitFile(pjsonBoundary + path_1.sep + 'package.json', 'resolve', parent);
                         (await resolveDir(nodeModulesDir + path_1.sep + name, parent, job));
-            let resolved = resolveExportsImports(nodeModulesDir + path_1.sep + pkgName, pkgExports, '.' + name.slice(pkgName.length), job, false, cjsResolve);
+            const resolved = await resolveExportsImports(nodeModulesDir + path_1.sep + pkgName, pkgExports, '.' + name.slice(pkgName.length), job, false, cjsResolve, parent);
             if (resolved) {
-                if (cjsResolve)
-                    resolved =
-                        (await resolveFile(resolved, parent, job)) ||
-                            (await resolveDir(resolved, parent, job));
-                else if (!(await job.isFile(resolved)))
-                    throw new NotFoundError(resolved, parent);
-            }
-            if (resolved) {
                 await job.emitFile(nodeModulesDir + path_1.sep + pkgName + path_1.sep + 'package.json', 'resolve', parent);
-                if (legacyResolved && legacyResolved !== resolved)
-                    return [resolved, legacyResolved];
+                if (legacyResolved && !resolved.includes(legacyResolved))
+                    return [...resolved, legacyResolved];
                 return resolved;
@@ -318,4 +335,12 @@ }
             if (resolved) {
-                if (selfResolved && selfResolved !== resolved)
-                    return [resolved, selfResolved];
+                if (selfResolved) {
+                    if (Array.isArray(selfResolved)) {
+                        if (!selfResolved.includes(resolved))
+                            return [resolved, ...selfResolved];
+                        return selfResolved;
+                    }
+                    else if (selfResolved !== resolved) {
+                        return [resolved, selfResolved];
+                    }
+                }
                 return resolved;
@@ -322,0 +347,0 @@ }

package.json

 {
   "name": "@vercel/nft",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "repository": "vercel/nft",
@@ -142,3 +142,3 @@ "license": "MIT",
   },
-  "packageManager": "npm@10.2.5",
+  "packageManager": "npm@11.6.3",
   "engines": {
@@ -145,0 +145,0 @@ "node": ">=20"

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Fixed alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

334283

0.61%

Lines of code

3992

0.63%

No dependency changes