Lightweight AST traversal tools for Babel ASTs.
Babel supplies the wonderful babel-traverse module for walking Babel ASTs. Problem is, babel-traverse is very heavyweight, as it is designed to supply utilities to make all sorts of AST transformations possible. For simple AST walking without transformation, babel-traverse brings a lot of overhead.
This module loosely implements the API of Acorn parser's walk module, which is a lightweight AST walker for the ESTree AST format.
In my tests, babel-walk's ancestor walker (the most complex walker provided by this module) is about 8 times faster than babel-traverse, if the visitors are cached and the same AST is used for all runs. It is about 16 times faster if a fresh AST is used every run.
```sh
$ npm install babel-walk
```

```js
var walk = require('babel-walk');
```
walk.simple

Do a simple walk over the AST. `node` should be the AST node to walk, and `visitors` an object containing Babel visitors. Each visitor function will be called as `(node, state)`, where `node` is the AST node and `state` is the same `state` passed to `walk.simple`.

When `walk.simple` is called with a fresh set of visitors, it will first "explode" the visitors (e.g. expanding `Visitor(node, state) {}` to `Visitor() { enter(node, state) {} }`). This exploding process can take some time, so it is recommended to cache the result of calling `walk.simple(visitors)` and communicate state through the `state` parameter.

All babel-types aliases (e.g. `Expression`) work, but the union syntax (e.g. `'Identifier|AssignmentPattern'(node, state) {}`) does not.
walk.ancestor

Do a simple walk over the AST, but memoizing the ancestors of the node and making them available to the visitors. `node` should be the AST node to walk, and `visitors` an object containing Babel visitors. Each visitor function will be called as `(node, state, ancestors)`, where `node` is the AST node, `state` is the same `state` passed to `walk.ancestor`, and `ancestors` is an array of ancestors of the node (with the outermost node being `[0]` and the current node being `[ancestors.length - 1]`). If `state` is not specified in the call to `walk.ancestor`, the `state` parameter will be set to `ancestors`.

When `walk.ancestor` is called with a fresh set of visitors, it will first "explode" the visitors (e.g. expanding `Visitor(node, state) {}` to `Visitor() { enter(node, state) {} }`). This exploding process can take some time, so it is recommended to cache the result of calling `walk.ancestor(visitors)` and communicate state through the `state` parameter.

All babel-types aliases (e.g. `Expression`) work, but the union syntax (e.g. `'Identifier|AssignmentPattern'(node, state) {}`) does not.
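As an added, dependency-free illustration (not babel-walk's own code) of the ancestor-walker contract just described: a minimal walker with the same `(node, state, ancestors)` calling convention and the same `state = ancestors` default, run over a constructed Babel-shaped AST to report each `eval` call site and the function declarations that enclose it, the kind of check a dependency scanner performs. The `ancestorWalk`, `findEval` and `evalSites` names are assumptions, and visitors here are keyed by exact node type (no babel-types aliases).

```javascript
// Added example, not babel-walk's code: a minimal walker following the ancestor
// contract above. Visitors are keyed by exact node type, called as (node, state, ancestors).
function ancestorWalk(visitors) {
  return function walk(root, state) {
    const ancestors = [];
    if (state === undefined) state = ancestors; // same default as walk.ancestor
    (function visit(node) {
      if (!node || typeof node !== 'object') return;
      if (Array.isArray(node)) { node.forEach(visit); return; }
      if (typeof node.type !== 'string') return;
      ancestors.push(node); // current node is ancestors[ancestors.length - 1]
      const visitor = visitors[node.type];
      if (visitor) visitor(node, state, ancestors);
      for (const key of Object.keys(node)) {
        if (key !== 'type' && key !== 'loc') visit(node[key]);
      }
      ancestors.pop();
    })(root);
  };
}
// Built once at module level so the visitor object is reused across walks.
const findEval = ancestorWalk({
  CallExpression(node, state, ancestors) {
    if (node.callee.type !== 'Identifier' || node.callee.name !== 'eval') return;
    // Names of the enclosing function declarations, outermost first.
    const chain = ancestors
      .filter(a => a.type === 'FunctionDeclaration')
      .map(a => a.id.name);
    state.hits.push(chain.length ? chain.join('>') : '<top level>');
  },
});
// Returns one entry per eval() call site, e.g. 'outer>inner'.
function evalSites(ast) {
  const state = { hits: [] };
  findEval(ast, state);
  return state.hits;
}
// Constructed Babel-shaped AST (hand-built, not parser output) for:
//   function outer() { function inner() { eval(s); } }   eval(t);
const id = name => ({ type: 'Identifier', name });
const callStmt = (callee, args) => ({ type: 'ExpressionStatement',
  expression: { type: 'CallExpression', callee, arguments: args } });
const fnDecl = (name, body) => ({ type: 'FunctionDeclaration', id: id(name),
  params: [], body: { type: 'BlockStatement', body } });
const sampleAst = { type: 'Program', body: [
  fnDecl('outer', [fnDecl('inner', [callStmt(id('eval'), [id('s')])])]),
  callStmt(id('eval'), [id('t')]),
] };
```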
walk.recursive

Do a recursive walk over the AST, where the visitors are responsible for continuing the walk on the child nodes of their target node. `node` should be the AST node to walk, and `visitors` an object containing Babel visitors. Each visitor function will be called as `(node, state, c)`, where `node` is the AST node, `state` is the same `state` passed to `walk.recursive`, and `c` is a function that takes a single node as argument and continues walking that node. If no visitor for a node is provided, the default walker algorithm will still be used.

When `walk.recursive` is called with a fresh set of visitors, it will first "explode" the visitors (e.g. expanding `Visitor(node, state) {}` to `Visitor() { enter(node, state) {} }`). This exploding process can take some time, so it is recommended to cache the result of calling `walk.recursive(visitors)` and communicate state through the `state` parameter.

Unlike the other babel-walk walkers, `walk.recursive` does not call the `exit` visitor of a node type, only the `enter` (default) visitor.

All babel-types aliases (e.g. `Expression`) work, but the union syntax (e.g. `'Identifier|AssignmentPattern'(node, state) {}`) does not.
In the following example, we are trying to count the number of functions in the outermost scope. This means that we can simply walk all the statements, increment a counter whenever a statement is a function declaration or a variable initialised with a function expression, and then stop walking into that statement. Note that we do not specify a visitor for the `Program` node, so the default algorithm for walking `Program` nodes is used (which is what we want). Also of note is how I bring the `visitors` object outside of `countFunctions` so that the object can be cached to improve performance.
```js
import * as t from 'babel-types';
// babylon is the Babel 6 parser that pairs with babel-types; the `babel`
// package itself does not export `parse`.
import {parse} from 'babylon';
import * as walk from 'babel-walk';

// Built once and reused: exploding the visitors is the expensive part.
const visitors = walk.recursive({
  Statement(node, state, c) {
    if (t.isVariableDeclaration(node)) {
      for (let declarator of node.declarations) {
        // Continue walking the declarator
        c(declarator);
      }
    } else if (t.isFunctionDeclaration(node)) {
      // Count the declaration but do not walk into its body,
      // so nested functions are not counted.
      state.counter++;
    }
  },
  VariableDeclarator(node, state) {
    if (t.isFunction(node.init)) {
      state.counter++;
    }
  },
});

function countFunctions(node) {
  const state = {
    counter: 0,
  };
  visitors(node, state);
  return state.counter;
}

const ast = parse(`
// Counts
var a = () => {};
// Counts
function b() {
  // Doesn't count
  function c() {
  }
}
// Counts
const c = function d() {};
`);

countFunctions(ast);
// = 3
```
For those of you migrating from Acorn to Babel, there are a few things to be aware of.

The visitor caching suggestions do not apply to Acorn's walk module, but do for babel-walk.

babel-walk does not provide any of the other functions Acorn's walk module provides (e.g. `make`, `findNode*`).

babel-walk does not use a `base` variable. The walker algorithm is the same as what babel-traverse uses.

Nodes that Acorn's walk module skips, such as the `property` property of a non-computed `MemberExpression`, are walked by babel-walk.

License: MIT
The npm package babel-walk receives a total of 1,011,221 weekly downloads; on that basis Socket classifies its popularity as popular.
Socket found that babel-walk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.