NodeSecure · fraxken · Feb 12, 2023 · Aug 14, 2022 · Aug 14, 2022 · Aug 31, 2022
diff --git a/__snapshots__/depWalker.spec.js.snapshot.js b/__snapshots__/depWalker.spec.js.snapshot.js
@@ -1,4 +1,4 @@
-exports['walk @slimio/is 1'] = {
+exports['walk @slimio/is 1'] ={
   "@slimio/is": {
     "versions": {
       "1.5.1": {
@@ -7,6 +7,7 @@ exports['walk @slimio/is 1'] = {
         "isDevDependency": false,
         "existOnRemoteRegistry": true,
         "flags": [
+          "isOutdated",
           "hasManyPublishers"
         ],
         "description": "SlimIO is (JavaScript Primitives &amp; Objects type checker)",
@@ -89,11 +90,11 @@ exports['walk @slimio/is 1'] = {
     "vulnerabilities": [],
     "metadata": {
       "dependencyCount": 0,
-      "publishedCount": 7,
-      "lastUpdateAt": "2019-06-11T06:41:41.590Z",
-      "lastVersion": "1.5.1",
+      "publishedCount": 8,
+      "lastUpdateAt": "2023-01-23T02:15:37.203Z",
+      "lastVersion": "2.0.0",
       "hasManyPublishers": true,
-      "hasReceivedUpdateInOneYear": false,
+      "hasReceivedUpdateInOneYear": true,
       "homepage": "https://github.com/SlimIO/is#readme",
       "author": {
         "name": "SlimIO"
@@ -102,20 +103,22 @@ exports['walk @slimio/is 1'] = {
         {
           "name": "fraxken",
           "email": "[email protected]",
-          "version": "1.5.1",
-          "at": "2019-06-11T06:41:41.590Z"
+          "version": "2.0.0",
+          "at": "2023-01-23T02:15:37.203Z"
         }
       ],
       "maintainers": [
-				{
-					"email": "[email protected]",
-					"name": "fraxken"
-				},
-				{
-					"email": "[email protected]",
-					"name": "alexandre.malaj"
-				}
-			]
+        {
+          "name": "fraxken",
+          "email": "[email protected]",
+          "at": "2023-01-23T02:15:37.203Z",
+          "version": "2.0.0"
+        },
+        {
+          "name": "alexandre.malaj",
+          "email": "[email protected]"
+        }
+      ]
     }
   }
 }
@@ -126,5 +129,6 @@ exports['from pacote 1'] = [
   "scannerVersion",
   "vulnerabilityStrategy",
   "warnings",
+  "flaggedAuthors",
   "dependencies"
 ]
diff --git a/jest.setup.js b/jest.setup.js
diff --git a/package.json b/package.json
@@ -64,6 +64,7 @@
     "tape": "^5.6.1"
   },
   "dependencies": {
+    "@nodesecure/authors": "^1.0.1",
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
     "@nodesecure/i18n": "^2.1.1",

diff --git a/src/depWalker.js b/src/depWalker.js
@@ -350,7 +350,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   }
 
   try {
-    payload.warnings = getDependenciesWarnings(dependencies);
+    const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
+    payload.warnings = warnings;
+    payload.flaggedAuthors = flaggedAuthors;
     payload.dependencies = Object.fromEntries(dependencies);
 
     return payload;

diff --git a/src/utils/warnings.js b/src/utils/warnings.js
@@ -1,5 +1,6 @@
 // Import Third-party Dependencies
 import { getToken, taggedString } from "@nodesecure/i18n";
+import { extractAllAuthors } from "@nodesecure/authors";
 
 // CONSTANTS
 const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
@@ -8,29 +9,30 @@ const kWarningsMessages = Object.freeze({
   iohook: getToken("warnings.keylogging")
 });
 const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "[email protected]"]);
+const kFlaggedAuthors = [{
+  name: "marak",
+  email: "[email protected]"
+}];
 
 function getWarning(depName) {
   return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
 }
 
-export function getDependenciesWarnings(dependencies) {
+export async function getDependenciesWarnings(dependenciesMap) {
   const warnings = [];
   for (const depName of kPackages) {
-    if (dependencies.has(depName)) {
+    if (dependenciesMap.has(depName)) {
       warnings.push(getWarning(depName));
     }
   }
+  // TODO: add support for RC configuration
+  const res = await extractAllAuthors(
+    { dependencies: Object.fromEntries(dependenciesMap) },
+    { flags: kFlaggedAuthors, domainInformations: false }
+  );
 
-  // TODO: optimize with @nodesecure/author later
-  for (const [packageName, dependency] of dependencies) {
-    for (const { name, email } of dependency.metadata.maintainers) {
-      if (kAuthors.has(name) || kAuthors.has(email)) {
-        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
-      }
-    }
-  }
-
-  return warnings;
+  return {
+    warnings,
+    flaggedAuthors: res.flaggedAuthors
+  };
 }
-
diff --git a/test/__snapshots__/depWalker.spec.js.snapshot.js b/test/__snapshots__/depWalker.spec.js.snapshot.js
@@ -109,7 +109,9 @@ exports['walk @slimio/is 1'] = {
       "maintainers": [
         {
           "email": "[email protected]",
-          "name": "fraxken"
+          "name": "fraxken",
+          "at": "2019-06-11T06:41:41.590Z",
+          "version": "1.5.1"
         },
         {
           "email": "[email protected]",
@@ -126,5 +128,6 @@ exports['from pacote 1'] = [
   "scannerVersion",
   "vulnerabilityStrategy",
   "warnings",
+  "flaggedAuthors",
   "dependencies"
 ]
diff --git a/test/depWalker.spec.js b/test/depWalker.spec.js
@@ -96,6 +96,7 @@ test("execute depWalker on pkg.gitdeps", async(tape) => {
     "@nodesecure/estree-ast-utils",
     "@nodesecure/js-x-ray",
     "@nodesecure/sec-literal",
+    "@types/estree",
     "eastasianwidth",
     "emoji-regex",
     "estree-walker",

diff --git a/test/utils/warnings.spec.js b/test/utils/warnings.spec.js
@@ -5,25 +5,29 @@ import test from "tape";
 // Require Internal Dependencies
 import { getDependenciesWarnings } from "../../src/utils/index.js";
 
-function createDependency(maintainers = []) {
+function createDependency(maintainers = [], publishers = []) {
   return {
     metadata: {
-      maintainers
+      authors: {
+        name: "John Doe",
+        email: "[email protected]"
+      },
+      maintainers,
+      publishers
     }
   };
 }
 
-test("getDependenciesWarnings for '@scarf/scarf'", (tape) => {
+test("getDependenciesWarnings for '@scarf/scarf'", async(tape) => {
   const deps = new Map([
     ["@scarf/scarf", createDependency()]
   ]);
 
-  const warnsArray = getDependenciesWarnings(deps);
-  tape.true(is.array(warnsArray));
-  tape.strictEqual(warnsArray.length, 1);
+  const warnsArray = await getDependenciesWarnings(deps);
+  tape.strictEqual(warnsArray.warnings.length, 1);
 
   tape.strictEqual(
-    warnsArray[0],
+    warnsArray.warnings[0],
     // eslint-disable-next-line max-len
     "The dependency '@scarf/scarf' has been detected in the dependency Tree. This dependency could collect data against your will so think to disable it with the env var: SCARF_ANALYTICS"
   );

diff --git a/types/scanner.d.ts b/types/scanner.d.ts
@@ -132,6 +132,7 @@ declare namespace Scanner {
   }
 
   export type GlobalWarning = string[];
+  export type FlaggedAuthors = extractedAuthor[];
   export type Dependencies = Record<string, Dependency>;
 
   export interface Payload {
@@ -141,6 +142,8 @@ declare namespace Scanner {
     rootDependencyName: string;
     /** Global warnings list */
     warnings: GlobalWarning[];
+    /** List of flagged authors */
+    flaggedAuthors: FlaggedAuthors[];
     /** All the dependencies of the package (flattened) */
     dependencies: Dependencies;
     /** Version of the scanner used to generate the result */

diff --git a/types/walker.d.ts b/types/walker.d.ts
@@ -5,4 +5,4 @@ export {
   depWalker
 }
 
-declare function depWalker(manifest: Manifest, options?: Scanner.Options);
+declare function depWalker(manifest: Manifest, options?: Scanner.Options): Promise<Scanner.Payload>;