Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The ts-morph package is a TypeScript compiler API wrapper that provides a simpler way to programmatically navigate, analyze, and manipulate TypeScript and JavaScript code. It abstracts the complexity of the underlying TypeScript compiler API, making it more accessible and easier to use for tasks such as code analysis, transformation, and generation.
Navigating the AST
This feature allows users to navigate the Abstract Syntax Tree (AST) of a TypeScript file. The code sample demonstrates how to load a TypeScript file into a project, retrieve all classes from it, and log their names.
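import { Project } from 'ts-morph';

// Load an existing file into a project and list the names of its classes.
const project = new Project();
const sourceFile = project.addSourceFileAtPath('example.ts');
const classes = sourceFile.getClasses();
console.log(classes.map(c => c.getName()));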
Modifying code
This feature enables users to programmatically modify TypeScript code. The code sample shows how to create a new TypeScript file, change the initializer of a variable declaration, and then log the updated source code.
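import { Project } from 'ts-morph';

const project = new Project();
const sourceFile = project.createSourceFile('example.ts', 'const a = 1;');
// getVariableDeclaration() can return undefined; the OrThrow variant fails loudly instead.
sourceFile.getVariableDeclarationOrThrow('a').setInitializer('2');
console.log(sourceFile.getText());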
Code generation
This feature is used for generating new code, such as classes, interfaces, or functions. The code sample illustrates how to create a new TypeScript file and add a new class to it.
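import { Project } from 'ts-morph';

// Create an empty in-project file, add a class to it, and print the generated source.
const project = new Project();
const sourceFile = project.createSourceFile('example.ts');
sourceFile.addClass({ name: 'NewClass' });
console.log(sourceFile.getText());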
The 'typescript' package is the core TypeScript compiler itself. While ts-morph is built on top of it and provides a higher-level API for easier manipulation of TypeScript code, using the 'typescript' package directly requires more in-depth knowledge of the TypeScript compiler API.
jscodeshift is a toolkit for running codemods over multiple JavaScript or TypeScript files. It provides a more scriptable interface for transforming code. Compared to ts-morph, jscodeshift is more focused on code transformations and less on detailed AST navigation or code generation.
Babel is a widely used JavaScript compiler that allows developers to use next-generation JavaScript today. It can be used for code transformations similar to ts-morph, but it's more focused on compiling modern JavaScript syntax to backwards-compatible versions. Babel's plugin system allows for powerful code transformations but requires more setup compared to ts-morph for TypeScript-specific tasks.
TypeScript Compiler API wrapper. Provides an easier way to programmatically navigate and manipulate TypeScript and JavaScript code.
Formerly ts-simple-ast.
classDeclaration.compilerNode or typeChecker.compilerObject).
This library is still under active development. Most common code manipulation/generation use cases are implemented, but there's still a lot of work to do. Please open an issue if you find a feature missing, bug, or question that isn't in the issue tracker.
import { Project, StructureKind } from "ts-morph";

// initialize
const project = new Project({
  // Optionally specify compiler options, tsconfig.json, in-memory file system, and more here.
  // If you initialize with a tsconfig.json, then it will automatically populate the project
  // with the associated source files.
  // Read more: https://ts-morph.com/setup/
});

// add source files
project.addSourceFilesAtPaths("src/**/*.ts");
const myClassFile = project.createSourceFile("src/MyClass.ts", "export class MyClass {}");
const myEnumFile = project.createSourceFile("src/MyEnum.ts", {
  statements: [{
    kind: StructureKind.Enum,
    name: "MyEnum",
    isExported: true,
    members: [{ name: "member" }],
  }],
});

// get information
const myClass = myClassFile.getClassOrThrow("MyClass");
myClass.getName(); // returns: "MyClass"
myClass.hasExportKeyword(); // returns: true
myClass.isDefaultExport(); // returns: false

// manipulate
const myInterface = myClassFile.addInterface({
  name: "IMyInterface",
  isExported: true,
  properties: [{
    name: "myProp",
    type: "number",
  }],
});
myClass.rename("NewName");
myClass.addImplements(myInterface.getName());
myClass.addProperty({
  name: "myProp",
  initializer: "5",
});
project.getSourceFileOrThrow("src/ExistingFile.ts").delete();

// asynchronously save all the changes above
await project.save();

// get underlying compiler node from the typescript AST from any node
const compilerNode = myClassFile.compilerNode;
Or navigate existing compiler nodes created with the TypeScript compiler (the ts named export is the TypeScript compiler):
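import { createWrappedNode, ClassDeclaration, ts } from "ts-morph";

// some code that creates a class declaration using the ts object (sample source text);
// setParentNodes (the fourth argument) must be true so the wrapped node can find its source file
const tsSourceFile = ts.createSourceFile("file.ts", "class MyClass { myProp = 5; }", ts.ScriptTarget.Latest, true);
const classNode = tsSourceFile.statements[0] as ts.ClassDeclaration;

// create and use a wrapped node
const classDec = createWrappedNode(classNode) as ClassDeclaration;
const firstProperty = classDec.getProperties()[0];
// ... do more stuff here ...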
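A static-analysis use of the AST navigation described above, written for dependency review. This is an added example, not code from the ts-morph README or from Socket: it parses source text in memory, without executing it, and flags imports of process-spawning modules and direct eval calls. The module list, the Finding shape, the findRiskyConstructs name and the sample input are assumptions made for illustration.

```typescript
import { Project, SyntaxKind } from "ts-morph";

// Assumed review policy for this example; adjust both sets to your own rules.
const SENSITIVE_MODULES = new Set(["child_process", "node:child_process", "vm", "node:vm"]);
const DYNAMIC_EXEC = new Set(["eval"]);

interface Finding {
  line: number;
  kind: "sensitive-import" | "dynamic-exec";
  detail: string;
}

// Parse `code` in memory (nothing is read from or written to disk, and nothing
// is executed) and list the constructs a reviewer should look at.
function findRiskyConstructs(code: string): Finding[] {
  const project = new Project({ useInMemoryFileSystem: true });
  const sourceFile = project.createSourceFile("input.ts", code);
  const findings: Finding[] = [];

  // ES module form: import { exec } from "child_process"
  for (const imp of sourceFile.getImportDeclarations()) {
    const mod = imp.getModuleSpecifierValue();
    if (SENSITIVE_MODULES.has(mod)) {
      findings.push({ line: imp.getStartLineNumber(), kind: "sensitive-import", detail: mod });
    }
  }

  // CommonJS require("...") with a literal argument, and direct eval(...) calls
  for (const call of sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
    const callee = call.getExpression().getText();
    const arg = call.getArguments()[0];
    if (callee === "require" && arg?.getKind() === SyntaxKind.StringLiteral) {
      const mod = arg.getText().slice(1, -1); // strip the surrounding quotes
      if (SENSITIVE_MODULES.has(mod)) {
        findings.push({ line: call.getStartLineNumber(), kind: "sensitive-import", detail: mod });
      }
    } else if (DYNAMIC_EXEC.has(callee)) {
      findings.push({ line: call.getStartLineNumber(), kind: "dynamic-exec", detail: callee });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input, not taken from any real package.
const SAMPLE = ['import { exec } from "child_process";', 'import * as path from "path";',
  'const os = require("os");', 'const cp = require("node:child_process");', "eval(payload);"].join("\n");
console.log(findRiskyConstructs(SAMPLE));
```

A require() call whose argument is not a string literal is not resolved by this check, so computed module names need a separate rule.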
FAQs
TypeScript compiler wrapper for static analysis and code manipulation.
The npm package ts-morph receives a total of 2,752,603 weekly downloads. As such, ts-morph's popularity was classified as popular.
We found that ts-morph demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.