The espurify npm package is used to create a deep copy of an ESTree-compliant AST (Abstract Syntax Tree) while removing extra properties that are not part of the ESTree specification. This is useful for ensuring that ASTs are standardized and can be used in various tools and libraries that expect a clean, compliant AST.
Deep Copy of ESTree AST
This feature allows you to create a deep copy of an ESTree-compliant AST while removing any extra properties that are not part of the ESTree specification. The code sample demonstrates parsing JavaScript code into an AST using Acorn, and then purifying that AST using espurify.
const espurify = require('espurify');
const acorn = require('acorn');
const code = 'const x = 42;';
const ast = acorn.parse(code, { ecmaVersion: 2020 });
const purifiedAst = espurify(ast);
console.log(JSON.stringify(purifiedAst, null, 2));Estraverse is a package for traversing and manipulating ESTree-compliant ASTs. While it does not specifically purify ASTs by removing non-standard properties, it provides powerful traversal and manipulation capabilities that can be used in conjunction with espurify.
Escodegen is a package for generating JavaScript code from an ESTree-compliant AST. It focuses on code generation rather than purification, but it can be used to regenerate code from a purified AST created by espurify.
Esprima is a high-performance, standard-compliant JavaScript parser that produces ESTree-compliant ASTs. While it does not purify ASTs, it can be used to generate the initial AST that can then be purified using espurify.
Clone AST without extra properties
Returns new clone of originalAst but without extra properties.
Leaves properties defined in The ESTree Spec (formerly known as Mozilla SpiderMonkey Parser API) only. Also note that extra informations (such as loc, range and raw) are eliminated too.
(note: using espurify as a default exported function is deprecated in favor of named exports aiming ESM era, and will be removed in future major releases)
Returns customized function for cloning AST, with user-provided allowList.
(note: espurify.cloneWithWhitelist is still exported but deprecated in favor of more inclusive language and will be removed in future major releases)
Returns new clone of originalAst by customized function.
| type | default value |
|---|---|
object | N/A |
allowList is an object containing NodeType as keys and properties as values.
{
ArrayExpression: ['type', 'elements'],
ArrayPattern: ['type', 'elements'],
ArrowFunctionExpression: ['type', 'id', 'params', 'body', 'generator', 'expression'],
AssignmentExpression: ['type', 'operator', 'left', 'right'],
...
Returns customized function for cloning AST, configured by custom options.
Returns new clone of originalAst by customized function.
| type | default value |
|---|---|
object | {} |
Configuration options. If not passed, default options will be used.
| type | default value |
|---|---|
string or number | 2022 |
Indicates the ECMAScript version to clone. Must be either 5, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024.
| type | default value |
|---|---|
array of string | null |
List of extra properties to be left in result AST. For example, functions returned by espurify.customize({extra: ['raw']}) will preserve raw properties of Literal. Functions return by espurify.customize({extra: ['loc', 'range']}) will preserve loc and range properties of each Node.
const espurify = require('espurify');
const estraverse = require('estraverse');
const acorn = require('acorn');
const syntax = estraverse.Syntax;
const assert = require('assert');
const jsCode = 'assert("foo")';
// Adding extra informations to AST
const originalAst = acorn.parse(jsCode, { locations: true, ranges: true, ecmaVersion: 2022 });
estraverse.replace(originalAst, {
leave: function (currentNode, parentNode) {
if (currentNode.type === syntax.Literal && typeof currentNode.raw !== 'undefined') {
currentNode['x-verbatim-bar'] = {
content : currentNode.raw,
precedence : 18 // escodegen.Precedence.Primary
};
return currentNode;
} else {
return undefined;
}
}
});
// purify AST
const purifiedClone = espurify.purifyAst(originalAst);
// Extra properties are eliminated from cloned AST
assert.deepEqual(purifiedClone, {
type: 'Program',
body: [
{
type: 'ExpressionStatement',
expression: {
type: 'CallExpression',
callee: {
type: 'Identifier',
name: 'assert'
},
arguments: [
{
type: 'Literal',
value: 'foo'
}
],
optional: false
}
}
],
sourceType: 'script'
});
// original AST is not modified
assert.deepEqual(originalAst,{
type: 'Program',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
body: [
{
type: 'ExpressionStatement',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
expression: {
type: 'CallExpression',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
callee: {
type: 'Identifier',
start: 0,
end: 6,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 6
}
},
range: [
0,
6
],
name: 'assert'
},
arguments: [
{
type: 'Literal',
start: 7,
end: 12,
loc: {
start: {
line: 1,
column: 7
},
end: {
line: 1,
column: 12
}
},
range: [
7,
12
],
value: 'foo',
raw: '"foo"',
"x-verbatim-bar": {
content: '"foo"',
precedence: 18
}
}
],
optional: false
}
}
],
sourceType: 'script'
});
Install
$ npm install --save espurify
Use
const espurify = require('espurify');
Licensed under the MIT license.
FAQs
Clone AST without extra properties
We found that espurify demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.