Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
detective-amd
Advanced tools
Find all dependencies within a JavaScript file using AMD module syntax
The detective-amd package is designed for analyzing AMD (Asynchronous Module Definition) style modules. It allows developers to parse AMD module definitions to extract dependencies, providing a way to understand and manipulate the dependency tree of projects using this module format.
Extracting dependencies from AMD modules
This feature allows you to pass AMD module source code as a string to the detective function, which returns an array of the module's dependencies. It's useful for analyzing and understanding module dependencies.
const detective = require('detective-amd');
const src = "define(['a', 'b'], function (a, b) {});";
const dependencies = detective(src);
// dependencies would be ['a', 'b']
Madge is a tool for generating a visual graph of module dependencies, or finding circular dependencies in JavaScript and TypeScript projects. It supports AMD, CommonJS, and ES6 module formats. Compared to detective-amd, Madge offers a broader range of functionalities including visualization and support for multiple module formats.
dependency-tree is a utility for generating a tree of dependencies for a given file. It supports various module formats including AMD, CommonJS, and ES6. Unlike detective-amd, which focuses on AMD modules, dependency-tree provides a more general approach to dependency analysis across different module types.
Returns a list of dependencies for a given JavaScript file or AST using any of the AMD module syntaxes.
Inspired by substack/node-detective but built for AMD.
npm install detective-amd
Let's say we have the following file definitions:
// a.js
define(['./b', './c'], function (b, c) {
console.log(b, c);
});
// b.js
define({
name: 'foo'
});
// c.js
define(function () {
return 'bar';
});
Here's how you can grab the list of dependencies of a.js
synchronously.
const fs = require('fs');
const detective = require('detective-amd');
const srcA = fs.readFileSync('a.js', 'utf8');
// Pass in the source code or an AST (if you've already parsed the file)
console.log(detective(srcA)); // prints ['./b', './c']
You may also (optionally) configure the detective via a second object argument detective(src, options)
that supports the following options:
skipLazyLoaded
: (Boolean) whether or not to omit inner requires in the list of extracted dependencies.
Supports the 4 forms of AMD module syntax:
define('name', [deps], func)
define([deps], func)
define(func(require))
define({})
Extra forms:
require([deps], func)
define(function(require, exports, module) {})
.Also handles dynamically loaded dependencies (ex: inner requires).
Supports driver scripts
You can also find the dependencies from a script that has a top-level require (an app initialization/driver/entry-point script):
require([
'./a'
], function (a) {
// My app will get booted up from here
});
Expression-based requires
If there's a require call that doesn't have a string literal but an expression, a string (escodegen-generated) representation will be returned.
For example, if a.js
was of the "factory" form and contained a dynamic module name:
// a.js
define(function (require) {
// Assume str is some variable that gets set to a string dynamically
// const str = ...
const b = require('./' + str);
const c = require('./c');
console.log(b, c);
});
The dependency list will be: [ '\'./\' + str', './c' ]
FAQs
Find all dependencies within a JavaScript file using AMD module syntax
The npm package detective-amd receives a total of 1,338,823 weekly downloads. As such, detective-amd popularity was classified as popular.
We found that detective-amd demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.