Security News
Nightmares on npm: How Two Malicious Packages Facilitate Data Theft and Destruction
Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.
AST visitors for Typescript.
Typescript transpilation is usually source -> AST -> target
. Tspoon uses Typescript's compiler API to allow pluggable pieces of logic (called visitor
) to modify the AST before invoking the Typescript transpiler. The process will look like this source -> AST -visitors-> AST -> target
. This technique enables early optimizations and error detection for custom language features.
In addition, Tspoon's validation api supports pre-validation code changes, allowing the developer to bypass otherwise unavoidable TypeScript diagnostics.
Simple examples can be found here and here.
Install tspoon using npm.
npm install tspoon
Currently, Tspoon exposes only a programmatic API. Meaning, it is used by other javacript code invoking it's transpile
and validate
methods.
content is a string containing the code to transpile, and config defines the visitors and transpilation parameters. The result is an instance of the TranspilerOutput interface, containing the transpiled code, a source map describing all changes done to the code, the diagnostics generated by the visitors and Typescript, and whether the operation failed or not.
// from src/transpile.ts
interface TranspilerOutput {
code: string,
sourceMap: RawSourceMap,
diags: ts.Diagnostic[],
halted: boolean
}
var tspoon = require('tspoon');
// from examples/poc/build.js
var config = {
sourceFileName: 'src.ts',
visitors: ... // insert visitors here
};
var sourceCode = fs.readFileSync(...);
var transpilerOut = tspoon.transpile(sourceCode, config);
...
fs.writeFileSync(path.join(__dirname, 'src.js'), transpilerOut.code, {encoding:'utf8'});
Documentation pending writing
A visitor is an instance of the visitor interface:
// from src/visitor.ts
interface Visitor {
filter(node: ts.Node) : boolean;
visit(node: ts.Node, context: VisitorContext): void;
}
Consider for example the following visitor:
// from examples/poc/deletePrivate.js
{
filter : function filter(node){
return node.kind === ts.SyntaxKind.PropertyDeclaration
&& node.modifiers
&& node.modifiers.some(function(m){
return m.kind === ts.SyntaxKind.PrivateKeyword;
});
},
visit: function visit(node, context) {
context.replace(node.getStart(), node.getEnd(), '');
context.reportDiag(node, ts.DiagnosticCategory.Message, 'deleted field "' + node.getText()+'"', false);
}
}
This visitor only operates on nodes representing property declarations which have the private
modifier. When such a node is encountered, it is deleted from the source code, and a diagnostic message notifying the delete action is emitted.
Clone this project locally. Then, at the root folder of the project, run:
npm install
npm run build
npm test
At the root folder of the project, run:
npm start
Then, open your browser at http://localhost:8080/webtest.bundle and see any changes you make in tests or code reflected in the browser
Currently Tspoon is in alpha mode. As such, it does not respect semver.
We use a custom license, see LICENSE.md
FAQs
AST visitors for TypeScript
The npm package tspoon receives a total of 8 weekly downloads. As such, tspoon popularity was classified as not popular.
We found that tspoon demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 10 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.
Security News
A senior white house official is urging insurers to stop covering ransomware payments, indicating possible stricter regulations to deter cybercrime.
Security News
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.