Security News
crates.io Ships Security Tab and Tightens Publishing Controls
crates.io adds a Security tab backed by RustSec advisories and narrows trusted publishing paths to reduce common CI publishing risks.
By Sarah Gooding -  Jan 27, 2026
🚀 Launch Week Day 5:Introducing Immutable Scans.Learn More →
token-scope
Advanced tools
token-scope
A very fast approximation of lexical-scope. It takes the source code and returns a list of all identifiers that have the potential to be references to global variables. This just parses the token stream, so it is much less thorough than lexical-scope or using uglify-js to do the same thing. It has the advantage of being vastly faster though. It is good enough to detect that jQuery does not contain require or any of the node.js globals.
Installation
npm install token-scope
Usage
var detect = require('token-scope')
var inspectForRequire = detect(src)
if (inspectForRequire.indexOf('require') != -1) {
// do more time consuming checks to search for require properly
}
Tests:
var detect = require('token-scope')
describe('detect(src, identifiers)', function () {
it('returns an array of identifiers that might represent global variable references', function () {
assert(detect('var x = require("foo")').indexOf('require') != -1)
assert(detect('var x = foo("require")').indexOf('require') == -1)
})
})
Benchmarking
To run the benchmarks, download this repository then do:
$ npm install
$ node bench/run.js
This runs 3 different scoping mechanisms on a minified copy of jQuery and report the total time for 10 iterations. They then also check that the result does not include any of the node.js globals. On my machine, this results in the output (note how token-scope results in a lot more potential globals, but still turns out to be good enough to rule out node.js globals):
| name | time | output |
|---|---|---|
| token-scope | 747ms | a,b,cy,f,cv,ck,… |
| ugly-scope | 1457ms | setTimeout,par… |
| lexical-scope | 2252ms | setTimeout,par… |
License
MIT
FAQs
A very fast approximation of lexical-scope
The npm package token-scope receives a total of 2 weekly downloads. As such, token-scope popularity was classified as not popular.
We found that token-scope demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 27 Jun 2013
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Malicious Chrome Extension Performs Hidden Affiliate Hijacking
A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consent.
By Kush Pandya -  Jan 27, 2026
Security News
curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports
A surge of AI-generated vulnerability reports has pushed open source maintainers to rethink bug bounties and tighten security disclosure processes.
By Sarah Gooding -  Jan 23, 2026