Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The ts-morph package is a TypeScript compiler API wrapper that provides a simpler way to programmatically navigate, analyze, and manipulate TypeScript and JavaScript code. It abstracts the complexity of the underlying TypeScript compiler API, making it more accessible and easier to use for tasks such as code analysis, transformation, and generation.
Navigating the AST
This feature allows users to navigate the Abstract Syntax Tree (AST) of a TypeScript file. The code sample demonstrates how to load a TypeScript file into a project, retrieve all classes from it, and log their names.
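import { Project } from "ts-morph";

// Load an existing file into a project and list the names of its classes.
const project = new Project();
const sourceFile = project.addSourceFileAtPath('example.ts');
const classes = sourceFile.getClasses();
console.log(classes.map(c => c.getName()));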
Modifying code
This feature enables users to programmatically modify TypeScript code. The code sample shows how to create a new TypeScript file, change the initializer of a variable declaration, and then log the updated source code.
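import { Project } from "ts-morph";

// Create a file in the project, then change the initializer of `a` from 1 to 2.
const project = new Project();
const sourceFile = project.createSourceFile('example.ts', 'const a = 1;');
// getVariableDeclarationOrThrow fails loudly if `a` is missing instead of returning undefined.
sourceFile.getVariableDeclarationOrThrow('a').setInitializer('2');
console.log(sourceFile.getText());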
Code generation
This feature is used for generating new code, such as classes, interfaces, or functions. The code sample illustrates how to create a new TypeScript file and add a new class to it.
import { Project } from "ts-morph";

// Create an empty file and add a class declaration to it.
const project = new Project();
const sourceFile = project.createSourceFile('example.ts');
sourceFile.addClass({ name: 'NewClass' });
console.log(sourceFile.getText());
The 'typescript' package is the core TypeScript compiler itself. While ts-morph is built on top of it and provides a higher-level API for easier manipulation of TypeScript code, using the 'typescript' package directly requires more in-depth knowledge of the TypeScript compiler API.
jscodeshift is a toolkit for running codemods over multiple JavaScript or TypeScript files. It provides a more scriptable interface for transforming code. Compared to ts-morph, jscodeshift is more focused on code transformations and less on detailed AST navigation or code generation.
Babel is a widely used JavaScript compiler that allows developers to use next-generation JavaScript, today. It can be used for code transformations similar to ts-morph, but it's more focused on compiling modern JavaScript syntax to backwards-compatible versions. Babel's plugin system allows for powerful code transformations but requires more setup compared to ts-morph for TypeScript-specific tasks.
TypeScript Compiler API wrapper. Provides an easier way to programmatically navigate and manipulate TypeScript and JavaScript code.
Formerly ts-simple-ast.
classDeclaration.compilerNode or typeChecker.compilerObject).
This library is still under active development. Most common code manipulation/generation use cases are implemented, but there's still a lot of work to do. Please open an issue if you find a feature missing, bug, or question that isn't in the issue tracker.
import { Project, StructureKind } from "ts-morph";
// initialize
const project = new Project({
  // Optionally specify compiler options, tsconfig.json, in-memory file system, and more here.
  // If you initialize with a tsconfig.json, then it will automatically populate the project
  // with the associated source files.
  // Read more: https://ts-morph.com/setup/
});
// add source files
project.addSourceFilesAtPaths("src/**/*.ts");
const myClassFile = project.createSourceFile("src/MyClass.ts", "export class MyClass {}");
const myEnumFile = project.createSourceFile("src/MyEnum.ts", {
  statements: [{
    kind: StructureKind.Enum,
    name: "MyEnum",
    isExported: true,
    members: [{ name: "member" }],
  }],
});
// get information
const myClass = myClassFile.getClassOrThrow("MyClass");
myClass.getName(); // returns: "MyClass"
myClass.hasExportKeyword(); // returns: true
myClass.isDefaultExport(); // returns: false
// manipulate
const myInterface = myClassFile.addInterface({
  name: "IMyInterface",
  isExported: true,
  properties: [{
    name: "myProp",
    type: "number",
  }],
});
myClass.rename("NewName");
myClass.addImplements(myInterface.getName());
myClass.addProperty({
  name: "myProp",
  initializer: "5",
});
project.getSourceFileOrThrow("src/ExistingFile.ts").delete();
// asynchronously save all the changes above
await project.save();
// get underlying compiler node from the typescript AST from any node
const compilerNode = myClassFile.compilerNode;
Or navigate existing compiler nodes created with the TypeScript compiler (the ts named export is the TypeScript compiler):
import { createWrappedNode, ClassDeclaration, ts } from "ts-morph";
// some code that creates a class declaration using the ts object
const classNode: ts.ClassDeclaration = ...;
// create and use a wrapped node
const classDec = createWrappedNode(classNode) as ClassDeclaration;
const firstProperty = classDec.getProperties()[0];
// ... do more stuff here ...
FAQs
TypeScript compiler wrapper for static analysis and code manipulation.
We found that ts-morph demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.