jscodeshift
jscodeshift is a toolkit for running codemods over multiple JavaScript or TypeScript files. It provides a runner as well as a wrapper around the recast AST toolkit, making it easier to write codemods that can transform code and assist in large-scale codebase refactors or migrations.
Transforming Syntax
This feature allows you to transform the syntax of JavaScript code. For example, the transform below changes var and let declarations to const. Two cases are deliberately left alone because const would not compile there: declarations without an initializer (var x;) and the init clause of a for loop. The transform does not check whether a variable is reassigned later, so review the result (run it with --dry --print first) before writing files.
// Transform module: converts var/let declarations to const where that is safe syntactically.
const transform = (fileInfo, api) => {
  const j = api.jscodeshift;
  return j(fileInfo.source)
    .find(j.VariableDeclaration)
    .filter(path =>
      path.node.kind !== 'const' &&
      // `const x;` is a syntax error, so every declarator needs an initializer
      path.node.declarations.every(d => d.init != null) &&
      // `for (const i = 0; i < n; i++)` would throw on the first `i++`
      !(path.parent.node.type === 'ForStatement' && path.parent.node.init === path.node)
    )
    .forEach(path => {
      j(path).replaceWith(
        j.variableDeclaration('const', path.node.declarations)
      );
    })
    .toSource();
};
module.exports = transform;
Code Analysis
jscodeshift can be used to analyze code and extract information. In this example, the transform collects all the identifiers from a JavaScript file and prints them through api.report. It returns nothing, so the runner counts the file as skipped and never writes it back: only a string return value is treated as transformed source.
// Analysis-only transform: reports identifiers, never modifies the file.
const analyze = (fileInfo, api) => {
  const j = api.jscodeshift;
  const root = j(fileInfo.source);
  const identifiers = [];
  root.find(j.Identifier).forEach(path => {
    identifiers.push(path.node.name);
  });
  // Use api.report rather than console.log so output from parallel workers is not interleaved.
  api.report(`${fileInfo.path}: ${identifiers.join(', ')}`);
  return undefined;
};
module.exports = analyze;
Refactoring
The package can be used to perform refactoring tasks, such as renaming functions across a codebase. The sample below renames the function declared as oldFunctionName to newFunctionName. Unlike variable declarator collections, a FunctionDeclaration collection has no renameTo helper, so the declaration's identifier is replaced directly; call sites and exports are not touched and need a transform of their own.
// Renames one function declaration; callers are left unchanged.
const refactor = (fileInfo, api) => {
  const j = api.jscodeshift;
  return j(fileInfo.source)
    .find(j.FunctionDeclaration, { id: { name: 'oldFunctionName' } })
    .forEach(path => {
      path.node.id = j.identifier('newFunctionName');
    })
    .toSource();
};
module.exports = refactor;
babel-codemod rewrites JavaScript and TypeScript using Babel plugins. It is similar to jscodeshift but leverages the Babel ecosystem, which might be more familiar to some developers. It also supports the latest JavaScript features and TypeScript out of the box.
lebab is a tool that transforms legacy JavaScript code into modern, readable, and maintainable code using ES6+ syntax. It is similar to jscodeshift in its goals but is more opinionated and focused on upgrading to modern JavaScript syntax.
jscodeshift is a toolkit for running codemods over multiple JavaScript or TypeScript files. It provides a runner, which executes the provided transform for each file passed to it and prints a summary of how many files were (not) transformed, and a wrapper around recast, which makes writing transforms easier.
Get jscodeshift from npm:
$ npm install -g jscodeshift
This will install the runner as jscodeshift.
See the website for full documentation.
The CLI provides the following options:
$ jscodeshift --help
Usage: jscodeshift [OPTION]... PATH...
or: jscodeshift [OPTION]... -t TRANSFORM_PATH PATH...
or: jscodeshift [OPTION]... -t URL PATH...
or: jscodeshift [OPTION]... --stdin < file_list.txt
Apply transform logic in TRANSFORM_PATH (recursively) to every PATH.
If --stdin is set, each line of the standard input is used as a path.
Options:
"..." behind an option means that it can be supplied multiple times.
All options are also passed to the transformer, which means you can supply custom options that are not listed here.
--(no-)babel apply babeljs to the transform file
(default: true)
-c, --cpus=N start at most N child processes to process source files
(default: max(all - 1, 1))
-d, --(no-)dry dry run (no changes are made to files)
(default: false)
--extensions=EXT transform files with these file extensions (comma separated list)
(default: js)
-h, --help print this help and exit
--ignore-config=FILE ... ignore files if they match patterns sourced from a configuration file (e.g. a .gitignore)
--ignore-pattern=GLOB ... ignore files that match a provided glob expression
--(no-)gitignore adds entries the current directory's .gitignore file
(default: false)
--parser=babel|babylon|flow|ts|tsx the parser to use for parsing the source files
(default: babel)
--parser-config=FILE path to a JSON file containing a custom parser configuration for flow or babylon
-p, --(no-)print print transformed files to stdout, useful for development
(default: false)
--(no-)run-in-band run serially in the current process
(default: false)
-s, --(no-)silent do not write to stdout or stderr
(default: false)
--(no-)stdin read file/directory list from stdin
(default: false)
-t, --transform=FILE path to the transform file. Can be either a local path or url
(default: ./transform.js)
-v, --verbose=0|1|2 show more information about the transform process
(default: 0)
--version print version and exit
--fail-on-error return a 1 exit code when errors were found during execution of codemods
This passes the source of all files passed through the transform module specified with -t or --transform (defaults to transform.js in the current directory). The next section explains the structure of the transform module. Note that a transform is ordinary Node code executed with your privileges, and -t also accepts a URL: a transform fetched from the network is downloaded and run exactly like an unreviewed dependency. Prefer a local, reviewed transform file, and use --dry --print to inspect what a transform would change before letting it write to disk.
The runner can also be invoked from JavaScript:
const {run: jscodeshift} = require('jscodeshift/src/Runner')
const path = require('node:path');

const transformPath = path.resolve('transform.js')
const paths = ['foo.js', 'bar']
const options = {
  dry: true,
  print: true,
  verbose: 1,
  // ...
}

// run() returns a promise, so await it inside an async function
// (or use top-level await in an ES module).
async function main() {
  const res = await jscodeshift(transformPath, paths, options)
  console.log(res)
  /*
  {
    stats: {},
    timeElapsed: '0.001',
    error: 0,
    ok: 0,
    nochange: 0,
    skip: 0
  }
  */
}
main()
The transform is simply a module that exports a function of the form:
module.exports = function(fileInfo, api, options) {
// transform `fileInfo.source` here
// ...
// return changed source
return source;
};
As of v0.6.1, this module can also be written in TypeScript.
fileInfo
Holds information about the currently processed file.
Property | Description
---|---
path | File path
source | File content
api
This object exposes the jscodeshift library and helper functions from the runner.
Property | Description
---|---
jscodeshift | A reference to the jscodeshift library
stats | A function to collect statistics during --dry runs
report | Prints the passed string to stdout
jscodeshift
jscodeshift is a reference to the wrapper around recast and provides a jQuery-like API to navigate and transform the AST. Here is a quick example; a more detailed description can be found below.
/**
* This replaces every occurrence of variable "foo".
*/
module.exports = function(fileInfo, api, options) {
return api.jscodeshift(fileInfo.source)
.findVariableDeclarators('foo')
.renameTo('bar')
.toSource();
}
Note: This API is exposed for convenience, but you don't have to use it. You can use any tool to modify the source.
stats
stats is a function that only works when the --dry option is set. It accepts a string, and will simply count how often it was called with that value. At the end, the CLI will report those values. This can be useful while developing the transform, e.g. to find out how often a certain construct appears in the source(s).
report
report allows you to print arbitrary strings to stdout. This can be useful when other tools consume the output of jscodeshift. The reason not to use process.stdout directly in transform code is to avoid mangled output when many files are processed in parallel.
options
Contains all options that have been passed to the runner. This allows you to pass additional options to the transform. For example, if the CLI is called with
$ jscodeshift -t myTransforms fileA fileB --foo=bar
options would contain {foo: 'bar'}.
The return value of the function determines the status of the transformation: if a string is returned and it differs from the source that was passed in, the transform is counted as successful (ok) and, unless --dry is set, the result is written back to the file; if a string is returned but it is identical to the source, the file is counted as unmodified (nochange); if nothing is returned, the file is deliberately not transformed and is counted as skipped. An exception thrown by the transform is counted as an error.
The CLI provides a summary of the transformation at the end. You can get more detailed information by setting the -v option to 1 or 2. You can collect even more stats via the stats function as explained above.
The transform file can let jscodeshift know with which parser to parse the source files (and features like templates). To do that, the transform module can export parser, which can either be one of the strings "babel", "babylon", "flow", "ts", or "tsx", or it can be a parser object that is compatible with recast and follows the estree spec.
Example: specifying parser type string in the transform file
module.exports = function transformer(file, api, options) {
const j = api.jscodeshift;
const rootSource = j(file.source);
// whatever other code...
return rootSource.toSource();
}
// use the flow parser
module.exports.parser = 'flow';
Example: specifying a custom parser object in the transform file
module.exports = function transformer(file, api, options) {
const j = api.jscodeshift;
const rootSource = j(file.source);
// whatever other code...
return rootSource.toSource();
}
module.exports.parser = {
parse: function(source) {
// return estree compatible AST
},
};
Example output of a run:
$ jscodeshift -t myTransform.js src
Processing 10 files...
Spawning 2 workers with 5 files each...
All workers done.
Results: 0 errors 2 unmodified 3 skipped 5 ok
As already mentioned, jscodeshift also provides a wrapper around recast. In order to properly use the jscodeshift API, one has to understand the basic building blocks of recast (and ASTs) as well.
An AST node is a plain JavaScript object with a specific set of fields, in accordance with the Mozilla Parser API. The primary way to identify nodes is via their type.
For example, string literals are represented via Literal nodes, which have the structure
// "foo"
{
type: 'Literal',
value: 'foo',
raw: '"foo"'
}
It's OK to not know the structure of every AST node type. The (esprima) AST explorer is an online tool to inspect the AST for a given piece of JS code.
Recast itself relies heavily on ast-types which defines methods to traverse the AST, access node fields and build new nodes. ast-types wraps every AST node into a path object. Paths contain meta-information and helper methods to process AST nodes.
For example, the child-parent relationship between two nodes is not explicitly defined. Given a plain AST node, it is not possible to traverse the tree up. Given a path object however, the parent can be traversed to via path.parent.
For more information about the path object API, please have a look at ast-types.
To make creating AST nodes a bit simpler and "safer", ast-types defines a couple of builder methods, which are also exposed on jscodeshift. For example, the following creates an AST equivalent to foo(bar):
// inside a module transform
var j = jscodeshift;
// foo(bar);
var ast = j.callExpression(
j.identifier('foo'),
[j.identifier('bar')]
);
The signature of each builder function is best learned by having a look at the definition files or in the babel/types docs.
In order to transform the AST, you have to traverse it and find the nodes that need to be changed. jscodeshift is built around the idea of collections of paths and thus provides a different way of processing an AST than recast or ast-types.
A collection has methods to process the nodes inside a collection, often resulting in a new collection. This results in a fluent interface, which can make the transform more readable.
Collections are "typed" which means that the type of a collection is the "lowest" type all AST nodes in the collection have in common. That means you cannot call a method for a FunctionExpression collection on an Identifier collection.
Here is an example of how one would find/traverse all Identifier nodes with jscodeshift and with recast:
// recast
var ast = recast.parse(src);
recast.visit(ast, {
visitIdentifier: function(path) {
// do something with path
return false;
}
});
// jscodeshift
jscodeshift(src)
.find(jscodeshift.Identifier)
.forEach(function(path) {
// do something with path
});
To learn about the provided methods, have a look at the Collection.js and its extensions.
jscodeshift provides an API to extend collections. By moving common operators into helper functions (which can be stored separately in other modules), a transform can be made more readable.
There are two types of extensions: generic extensions and type-specific extensions. Generic extensions are applicable to all collections. As such, they typically don't access specific node data, but rather traverse the AST from the nodes in the collection. Type-specific extensions work only on specific node types and are not callable on differently typed collections.
// Adding a method to all Identifiers
jscodeshift.registerMethods({
logNames: function() {
return this.forEach(function(path) {
console.log(path.node.name);
});
}
}, jscodeshift.Identifier);
// Adding a method to all collections
jscodeshift.registerMethods({
findIdentifiers: function() {
return this.find(jscodeshift.Identifier);
}
});
jscodeshift(ast).findIdentifiers().logNames();
jscodeshift(ast).logNames(); // error, unless `ast` only consists of Identifier nodes
Sometimes there are files and directories that you want to avoid running transforms on. For example, the node_modules/ directory, where the project's installed local npm packages reside, can introduce bugs if any files in it are accidentally transformed by jscodeshift.
The simplest way to avoid many of these unwanted transforms is to pass jscodeshift the --gitignore flag, which uses the glob patterns specified in your project's .gitignore file to avoid transforming anything in directories such as node_modules/, dist/, etc. In most cases anything you want git to ignore you probably also want jscodeshift to ignore. Please note that the .gitignore file used is the one in the current working directory from which jscodeshift is run.
$ jscodeshift --gitignore -t mytransform.js src
For more custom ignore functionality, the --ignore-pattern and --ignore-config arguments can be used.
--ignore-pattern takes a .gitignore format glob pattern that specifies file and directory patterns to ignore:
$ jscodeshift --ignore-pattern="js_configuration_files/**/*" -t mytransform.js src
# More than one ignore pattern
$ jscodeshift --ignore-pattern="first_ignored_dir/**/*" --ignore-pattern="second_ignored_dir/**/*" -t mytransform.js src
--ignore-config takes one or more paths to files containing lines with .gitignore format glob patterns:
# note: .gitignore is a made-up filename extension for this example
$ jscodeshift --ignore-config="MyIgnoreFile.gitignore" -t mytransform.js src
# More than one ignore file
$ jscodeshift --ignore-config="first_ignore_file.gitignore" --ignore-config="second_ignore_file.gitignore" -t mytransform.js src
You may want to change some of the output settings (like using ' instead of "). This can be done by passing config options to recast:
.toSource({quote: 'single'}); // sets strings to use single quotes in transformed code.
You can also pass options to recast's parse method by passing an object to jscodeshift as second argument:
jscodeshift(source, {...})
More on config options here
jscodeshift comes with a simple utility to allow easy unit testing with Jest, without having to write a lot of boilerplate code. This utility makes some assumptions in order to reduce the amount of configuration required: the test lives in a __tests__ directory, the test name matches the transform name, and the input and expected output fixtures live in a sibling __testfixtures__ directory, named after the transform as <transform>.input.js and <transform>.output.js. This results in a directory structure like this:
/MyTransform.js
/__tests__/MyTransform-test.js
/__testfixtures__/MyTransform.input.js
/__testfixtures__/MyTransform.output.js
A simple example of unit tests is bundled in the sample directory.
The testUtils module exposes a number of useful helpers for unit testing.
defineTest
Defines a Jest/Jasmine test for a jscodeshift transform which depends on fixtures
jest.autoMockOff();
const defineTest = require('jscodeshift/dist/testUtils').defineTest;
defineTest(__dirname, 'MyTransform');
An alternate fixture filename can be provided as the fourth argument to defineTest.
This also means that multiple test fixtures can be provided:
defineTest(__dirname, 'MyTransform', null, 'FirstFixture');
defineTest(__dirname, 'MyTransform', null, 'SecondFixture');
This will run two tests:
__testfixtures__/FirstFixture.input.js
__testfixtures__/SecondFixture.input.js
defineInlineTest
Defines a Jest/Jasmine test suite for a jscodeshift transform which accepts inline values
This is a more flexible alternative to defineTest, as it also allows options to be passed to your transform:
const defineInlineTest = require('jscodeshift/dist/testUtils').defineInlineTest;
const transform = require('../myTransform');
const transformOptions = {};
defineInlineTest(transform, transformOptions, 'input', 'expected output', 'test name (optional)');
defineSnapshotTest
Similar to defineInlineTest
but instead of requiring an output value, it uses Jest's toMatchSnapshot()
const defineSnapshotTest = require('jscodeshift/dist/testUtils').defineSnapshotTest;
const transform = require('../myTransform');
const transformOptions = {};
defineSnapshotTest(transform, transformOptions, 'input', 'test name (optional)');
For more information on snapshots, check out Jest's docs
defineSnapshotTestFromFixture
Similar to defineSnapshotTest
but will load the file using same file-directory defaults as defineTest
const defineSnapshotTestFromFixture = require('jscodeshift/dist/testUtils').defineSnapshotTestFromFixture;
const transform = require('../myTransform');
const transformOptions = {};
defineSnapshotTestFromFixture(__dirname, transform, transformOptions, 'FirstFixture', 'test name (optional)');
applyTransform
Executes your transform using the options and the input given and returns the result. This function is used internally by the other helpers, but it can prove useful in other cases.
const applyTransform = require('jscodeshift/dist/testUtils').applyTransform;
const transform = require('../myTransform');
const transformOptions = {};
const output = applyTransform(transform, transformOptions, 'input');
If you're authoring your transforms and tests using ES modules, make sure to import the transform's parser (if specified) in your tests:
// MyTransform.js
export const parser = 'flow'
export default function MyTransform(fileInfo, api, options) {
// ...
}
// __tests__/MyTransform-test.js
import { defineInlineTest } from 'jscodeshift/dist/testUtils';
import * as transform from '../MyTransform';
console.log(transform.parser) // 'flow'
defineInlineTest(transform, /* ... */)
To update docs in /docs, use npm run docs.
To view these docs locally, use npx http-server ./docs
It's recommended that you set up your codemod project to allow debugging via the VSCode IDE. When you open your project in VSCode, add the following configuration to your launch.json debugging configuration.
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"type": "pwa-node",
"request": "launch",
"name": "Debug Transform",
"skipFiles": [
"<node_internals>/**"
],
"program": "${workspaceRoot}/node_modules/.bin/jscodeshift",
"stopOnEntry": false,
"args": ["--dry", "--print", "-t", "${input:transformFile}", "--parser", "${input:parser}", "--run-in-band", "${file}"],
"preLaunchTask": null,
"runtimeExecutable": null,
"runtimeArgs": [
"--nolazy"
],
"console": "internalConsole",
"sourceMaps": true,
"outFiles": []
},
{
"name": "Debug All JSCodeshift Jest Tests",
"type": "node",
"request": "launch",
"runtimeArgs": [
"--inspect-brk",
"${workspaceRoot}/node_modules/jest/bin/jest.js",
"--runInBand",
"--testPathPattern=${fileBasenameNoExtension}"
],
"console": "integratedTerminal",
"internalConsoleOptions": "neverOpen",
"port": 9229
}
],
"inputs": [
{
"type": "pickString",
"id": "parser",
"description": "jscodeshift parser",
"options": [
"babel",
"babylon",
"flow",
"ts",
"tsx"
],
"default": "babel"
},
{
"type": "promptString",
"id": "transformFile",
"description": "jscodeshift transform file",
"default": "transform.js"
}
]
}
Once this has been added to the configuration
[17.1.1] 2024-10-31
temp dependency properly removed (#638, thanks @trivikr for reporting)
A toolkit for JavaScript codemods
The npm package jscodeshift receives a total of 4,857,613 weekly downloads. As such, jscodeshift popularity was classified as popular.
We found that jscodeshift demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.