Security News
CVE Volume Surges Past 48,000 in 2025 as WordPress Plugin Ecosystem Drives Growth
CVE disclosures hit a record 48,185 in 2025, driven largely by vulnerabilities in third-party WordPress plugins.
By Sarah Gooding - Jan 09, 2026
espurify
Clone AST without extra properties
API
const purifiedAstClone = espurify.purifyAst(originalAst)
Returns new clone of originalAst but without extra properties.
Leaves properties defined in The ESTree Spec (formerly known as Mozilla SpiderMonkey Parser API) only. Also note that extra informations (such as loc, range and raw) are eliminated too.
(note: using espurify as a default exported function is deprecated in favor of named exports aiming ESM era, and will be removed in future major releases)
Supported ECMAScript versions
const customizedCloneFunctionWithAllowList = espurify.cloneWithAllowlist(allowList)
Returns customized function for cloning AST, with user-provided allowList.
(note: espurify.cloneWithWhitelist is still exported but deprecated in favor of more inclusive language and will be removed in future major releases)
const purifiedAstClone = customizedCloneFunctionWithAllowList(originalAst)
Returns new clone of originalAst by customized function.
allowList
| type | default value |
|---|---|
object | N/A |
allowList is an object containing NodeType as keys and properties as values.
{
ArrayExpression: ['type', 'elements'],
ArrayPattern: ['type', 'elements'],
ArrowFunctionExpression: ['type', 'id', 'params', 'body', 'generator', 'expression'],
AssignmentExpression: ['type', 'operator', 'left', 'right'],
...
const customizedCloneFunction = espurify.customize(options)
Returns customized function for cloning AST, configured by custom options.
const purifiedAstClone = customizedCloneFunction(originalAst)
Returns new clone of originalAst by customized function.
options
| type | default value |
|---|---|
object | {} |
Configuration options. If not passed, default options will be used.
options.ecmaVersion
| type | default value |
|---|---|
string or number | 2025 |
Indicates the ECMAScript version to clone. Must be either 5, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025.
options.extra
| type | default value |
|---|---|
array of string | null |
List of extra properties to be left in result AST. For example, functions returned by espurify.customize({extra: ['raw']}) will preserve raw properties of Literal. Functions return by espurify.customize({extra: ['loc', 'range']}) will preserve loc and range properties of each Node.
EXAMPLE
const espurify = require('espurify');
const estraverse = require('estraverse');
const acorn = require('acorn');
const syntax = estraverse.Syntax;
const assert = require('assert');
const jsCode = 'assert("foo")';
// Adding extra informations to AST
const originalAst = acorn.parse(jsCode, { locations: true, ranges: true, ecmaVersion: 2022 });
estraverse.replace(originalAst, {
leave: function (currentNode, parentNode) {
if (currentNode.type === syntax.Literal && typeof currentNode.raw !== 'undefined') {
currentNode['x-verbatim-bar'] = {
content : currentNode.raw,
precedence : 18 // escodegen.Precedence.Primary
};
return currentNode;
} else {
return undefined;
}
}
});
// purify AST
const purifiedClone = espurify.purifyAst(originalAst);
// Extra properties are eliminated from cloned AST
assert.deepEqual(purifiedClone, {
type: 'Program',
body: [
{
type: 'ExpressionStatement',
expression: {
type: 'CallExpression',
callee: {
type: 'Identifier',
name: 'assert'
},
arguments: [
{
type: 'Literal',
value: 'foo'
}
],
optional: false
}
}
],
sourceType: 'script'
});
// original AST is not modified
assert.deepEqual(originalAst,{
type: 'Program',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
body: [
{
type: 'ExpressionStatement',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
expression: {
type: 'CallExpression',
start: 0,
end: 13,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 13
}
},
range: [
0,
13
],
callee: {
type: 'Identifier',
start: 0,
end: 6,
loc: {
start: {
line: 1,
column: 0
},
end: {
line: 1,
column: 6
}
},
range: [
0,
6
],
name: 'assert'
},
arguments: [
{
type: 'Literal',
start: 7,
end: 12,
loc: {
start: {
line: 1,
column: 7
},
end: {
line: 1,
column: 12
}
},
range: [
7,
12
],
value: 'foo',
raw: '"foo"',
"x-verbatim-bar": {
content: '"foo"',
precedence: 18
}
}
],
optional: false
}
}
],
sourceType: 'script'
});
INSTALL
via npm
Install
$ npm install --save espurify
Use
const espurify = require('espurify');
AUTHOR
CONTRIBUTORS
LICENSE
Licensed under the MIT license.
Other packages similar to espurify
estraverse
Estraverse is a package for traversing and manipulating ESTree-compliant ASTs. While it does not specifically purify ASTs by removing non-standard properties, it provides powerful traversal and manipulation capabilities that can be used in conjunction with espurify.
escodegen
Escodegen is a package for generating JavaScript code from an ESTree-compliant AST. It focuses on code generation rather than purification, but it can be used to regenerate code from a purified AST created by espurify.
esprima
Esprima is a high-performance, standard-compliant JavaScript parser that produces ESTree-compliant ASTs. While it does not purify ASTs, it can be used to generate the initial AST that can then be purified using espurify.
Keywords
FAQs
Clone AST without extra properties
The npm package espurify receives a total of 281,683 weekly downloads. As such, espurify popularity was classified as popular.
We found that espurify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 22 Dec 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Insecure Agents Podcast: Certified Patches, Supply Chain Security, and AI Agents
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
By Sarah Gooding - Jan 08, 2026
Security News
Tailwind CSS Announces 75% Layoffs as LLMs Reshape OSS Business Models
Tailwind Labs laid off 75% of its engineering team after revenue dropped 80%, as LLMs redirect traffic away from documentation where developers discover paid products.
By Sarah Gooding - Jan 08, 2026