		@@ -304,3 +304,6 @@ "use strict";
		throw new Error('invariant - depth option cannot be negative');
		if (this.processed.has(path)) {
		// Resolve symlinks so that dependencies are resolved relative to the real
		// file location, not the symlink location
		const realPath = await this.realpath(path, parent);
		if (this.processed.has(realPath)) {
		if (parent) {
		@@ -311,7 +314,7 @@ await this.emitFile(path, 'dependency', parent);
		}
		this.processed.add(path);
		this.processed.add(realPath);
		// Additional dependencies.
		const additionalDeps = this.remappings.get(path);
		const additionalDeps = this.remappings.get(realPath);
		if (additionalDeps) {
		await Promise.all([...additionalDeps].map(async (dep) => this.emitDependency(dep, path, depth)));
		await Promise.all([...additionalDeps].map(async (dep) => this.emitDependency(dep, realPath, depth)));
		}
		@@ -321,6 +324,6 @@ const emitted = await this.emitFile(path, 'dependency', parent);
		return;
		if (path.endsWith('.json'))
		if (realPath.endsWith('.json'))
		return;
		if (path.endsWith('.node'))
		return await (0, sharedlib_emit_1.sharedLibEmit)(path, this);
		if (realPath.endsWith('.node'))
		return await (0, sharedlib_emit_1.sharedLibEmit)(realPath, this);
		// .js and .ts files can change behavior based on { "type": "module" }
		@@ -330,6 +333,6 @@ // in the nearest package.json so we must emit it too. We don't need to
		// depend on package.json
		if (path.endsWith('.js') \|\| path.endsWith('.ts')) {
		const pjsonBoundary = await this.getPjsonBoundary(path);
		if (realPath.endsWith('.js') \|\| realPath.endsWith('.ts')) {
		const pjsonBoundary = await this.getPjsonBoundary(realPath);
		if (pjsonBoundary)
		await this.emitFile(pjsonBoundary + path_1.sep + 'package.json', 'resolve', path);
		await this.emitFile(pjsonBoundary + path_1.sep + 'package.json', 'resolve', realPath);
		}
		@@ -339,3 +342,3 @@ if (depth === 0)
		let analyzeResult;
		const cachedAnalysis = this.analysisCache.get(path);
		const cachedAnalysis = this.analysisCache.get(realPath);
		if (cachedAnalysis) {
		@@ -345,14 +348,14 @@ analyzeResult = cachedAnalysis;
		else {
		const source = await this.readFile(path);
		const source = await this.readFile(realPath);
		if (source === null)
		throw new Error('File ' + path + ' does not exist.');
		throw new Error('File ' + realPath + ' does not exist.');
		// analyze should not have any side-effects e.g. calling `job.emitFile`
		// directly as this will not be included in the cachedAnalysis and won't
		// be emit for successive runs that leverage the cache
		analyzeResult = await (0, analyze_1.default)(path, source.toString(), this);
		this.analysisCache.set(path, analyzeResult);
		analyzeResult = await (0, analyze_1.default)(realPath, source.toString(), this);
		this.analysisCache.set(realPath, analyzeResult);
		}
		const { deps, imports, assets, isESM } = analyzeResult;
		if (isESM) {
		this.esmFileList.add((0, path_1.relative)(this.base, path));
		this.esmFileList.add((0, path_1.relative)(this.base, realPath));
		}
		@@ -372,8 +375,8 @@ await Promise.all([
		.indexOf(path_1.sep + 'node_modules' + path_1.sep) === -1))
		await this.emitDependency(asset, path, depth - 1);
		await this.emitDependency(asset, realPath, depth - 1);
		else
		await this.emitFile(asset, 'asset', path);
		await this.emitFile(asset, 'asset', realPath);
		}),
		...[...deps].map(async (dep) => this.maybeEmitDep(dep, path, !isESM, depth - 1)),
		...[...imports].map(async (dep) => this.maybeEmitDep(dep, path, false, depth - 1)),
		...[...deps].map(async (dep) => this.maybeEmitDep(dep, realPath, !isESM, depth - 1)),
		...[...imports].map(async (dep) => this.maybeEmitDep(dep, realPath, false, depth - 1)),
		]);
		@@ -380,0 +383,0 @@ }

+1

-1

package.json

		{
		"name": "@vercel/nft",
		"version": "1.3.0",
		"version": "1.3.1",
		"repository": "vercel/nft",
		@@ -5,0 +5,0 @@ "license": "MIT",

out/node-file-trace.js.map

Sorry, the diff of this file is not supported yet

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Fixed alerts

Uses eval

Supply chain risk

Found 1 instance in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

@vercel/nft - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics