Gathering detailed insights and metrics for @vercel/nft
Installations
npm install @vercel/nftDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=18
Node Version
18.20.5
NPM Version
10.2.5
Releases
100
Contributors
104
Languages
3
JavaScript
TypeScript
CSS
JavaScript (89.78%)
TypeScript (10.21%)
Developer
Download Statistics
Total Downloads
134,241,095
Last Day
115,904
Last Week
786,125
Last Month
6,335,208
Last Year
74,243,449
GitHub Statistics
1,379 Stars
412 Commits
150 Forks
54 Watching
7 Branches
104 Contributors
Maintainers
9
Package Meta Information
Latest Version
0.29.0
Package Id
@vercel/nft@0.29.0
Unpacked Size
323.43 kB
Size
58.46 kB
File Count
42
NPM Version
10.2.5
Node Version
18.20.5
Publised On
02 Jan 2025
Total Downloads
Cumulative downloads
Total Downloads
134,241,095
Last day
-17.7%
115,904
Compared to previous day
Last week
-50.1%
786,125
Compared to previous week
Last month
-4.4%
6,335,208
Compared to previous month
Last year
93.7%
74,243,449
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
12
Dev Dependencies
104
@azure/cosmos@bugsnag/js@datadog/pprof@ffmpeg-installer/ffmpeg@google-cloud/bigquery@google-cloud/firestore@opentelemetry/api@sentry/node@tpluscode/sparql-builder@types/bindings@types/estree@types/glob@types/graceful-fs@types/node@types/picomatch@vercel/git-hooks@vercel/style-guideanalytics-nodeapollo-server-expressargon2auth0axiosazure-storagebcryptbrowserify-middlewarebullbullmqcamarochromelessconsolidatecopycowsayes-get-iteratoresbuildesmexpressfast-globfetch-h2firebasefirebase-adminfluent-ffmpeggeo-tzgeoip-litegraphqlhighlightshot-shotsioredisisomorphic-unfetchjestjimpjugglingdbkoaleveldownlighthouseloopbackmailgunmariadbmemcachedmicrotimemongoosemysqloracledbparaphrasepassportpassport-google-oauthpassport-traktpath-platformpdf2jsonpdfkitpgphantomjs-prebuiltpixelmatchplaywright-corepolyfill-libraryprettierprismjspugreactreact-domredisremark-parseremark-prismrimrafrxjssaslprepsemversequelizeserialportsharpshikisocket.iosocket.io-clientstripeswigtiny-json-httptwiliotypescriptuglify-jsunifiedvm2vuevue-server-rendererwhenzeromq
Versions
Node File Trace
Used to determine exactly which files (including node_modules) are necessary for the application runtime.
This is similar to @vercel/ncc except there is no bundling performed and therefore no reliance on webpack. This achieves the same tree-shaking benefits without moving any assets or binaries.
Usage
Installation
1npm i @vercel/nft
Usage
Provide the list of source files as input:
1const { nodeFileTrace } = require('@vercel/nft'); 2const files = ['./src/main.js', './src/second.js']; 3const { fileList } = await nodeFileTrace(files);
The list of files will include all node_modules modules and assets that may be needed by the application code.
Options
Base
The base path for the file list - all files will be provided as relative to this base.
By default the process.cwd() is used:
1const { fileList } = await nodeFileTrace(files, {
2 base: process.cwd(),
3});Any files/folders above the base are ignored in the listing and analysis.
Process Cwd
When applying analysis certain functions rely on the process.cwd() value, such as path.resolve('./relative') or even a direct process.cwd()
invocation.
Setting the processCwd option allows this analysis to be guided to the right path to ensure that assets are correctly detected.
1const { fileList } = await nodeFileTrace(files, {
2 processCwd: path.resolve(__dirname),
3});By default processCwd is the same as base.
Exports & Imports
By default tracing of the Node.js "exports" and "imports" fields is supported, with the "node", "require", "import" and "default" conditions traced as defined.
Alternatively the explicit list of conditions can be provided:
1const { fileList } = await nodeFileTrace(files, { 2 conditions: ['node', 'production'], 3});
Only the "node" export should be explicitly included (if needed) when specifying the exact export condition list. The "require", "import" and "default" conditions will always be traced as defined, no matter what custom conditions are set.
Exports Only
When tracing exports the "main" / index field will still be traced for Node.js versions without "exports" support.
This can be disabled with the exportsOnly option:
1const { fileList } = await nodeFileTrace(files, { 2 exportsOnly: true, 3});
Any package with "exports" will then only have its exports traced, and the main will not be included at all. This can reduce the output size when targeting Node.js 12.17.0 or newer.
Paths
Status: Experimental. May change at any time.
Custom resolution path definitions to use.
1const { fileList } = await nodeFileTrace(files, {
2 paths: {
3 'utils/': '/path/to/utils/',
4 },
5});Trailing slashes map directories, exact paths map exact only.
Hooks
The following FS functions can be hooked by passing them as options:
readFile(path): Promise<string>stat(path): Promise<FS.Stats>readlink(path): Promise<string>resolve(id: string, parent: string): Promise<string | string[]>
Advanced Resolving
When providing a custom resolve hook you are responsible for returning one or more absolute paths to resolved files based on the id input. However it may be the case that you only want to augment or override the resolve behavior in certain cases. You can use nft's underlying resolver by importing it. The builtin resolve function expects additional arguments that need to be forwarded from the hook
resolve(id: string, parent: string, job: Job, isCjs: boolean): Promise<string | string[]>
Here is an example showing one id being resolved to a bespoke path while all other paths being resolved by the built-in resolver
1const { nodeFileTrace, resolve } = require('@vercel/nft'); 2const files = ['./src/main.js', './src/second.js']; 3const { fileList } = await nodeFileTrace(files, { 4 resolve: async (id, parent, job, isCjs) => { 5 if (id === './src/main.js') { 6 return '/path/to/some/resolved/main/file.js'; 7 } else { 8 return resolve(id, parent, job, isCjs); 9 } 10 }, 11});
TypeScript
The internal resolution supports resolving .ts files in traces by default.
By its nature of integrating into existing build systems, the TypeScript
compiler is not included in this project - rather the TypeScript transform
layer requires separate integration into the readFile hook.
File IO Concurrency
In some large projects, the file tracing logic may process many files at the same time. In this case, if you do not limit the number of concurrent files IO, OOM problems are likely to occur.
We use a default of 1024 concurrency to balance performance and memory usage for fs operations. You can increase this value to a higher number for faster speed, but be aware of the memory issues if the concurrency is too high.
1const { fileList } = await nodeFileTrace(files, { 2 fileIOConcurrency: 2048, 3});
Analysis
Analysis options allow customizing how much analysis should be performed to exactly work out the dependency list.
By default as much analysis as possible is done to ensure no possibly needed files are left out of the trace.
To disable all analysis, set analysis: false. Alternatively, individual analysis options can be customized via:
1const { fileList } = await nodeFileTrace(files, {
2 // default
3 analysis: {
4 // whether to glob any analysis like __dirname + '/dir/' or require('x/' + y)
5 // that might output any file in a directory
6 emitGlobs: true,
7 // whether __filename and __dirname style
8 // expressions should be analyzed as file references
9 computeFileReferences: true,
10 // evaluate known bindings to assist with glob and file reference analysis
11 evaluatePureExpressions: true,
12 },
13});Ignore
Custom ignores can be provided to skip file inclusion (and consequently analysis of the file for references in turn as well).
1const { fileList } = await nodeFileTrace(files, {
2 ignore: ['./node_modules/pkg/file.js'],
3});Ignore will also accept a function or globs.
Note that the path provided to ignore is relative to base.
Cache
To persist the file cache between builds, pass an empty cache object:
1const cache = Object.create(null);
2const { fileList } = await nodeFileTrace(['index.ts'], { cache });
3// later:
4{
5 const { fileList } = await nodeFileTrace(['index.ts'], { cache });
6}Note that cache invalidations are not supported so the assumption is that the file system is not changed between runs.
Reasons
To get the underlying reasons for individual files being included, a reasons object is also provided by the output:
1const { fileList, reasons } = await nodeFileTrace(files);
The reasons output will then be an object of the following form:
1{ 2 [file: string]: { 3 type: 'dependency' | 'asset' | 'sharedlib', 4 ignored: true | false, 5 parents: string[] 6 } 7}
reasons also includes files that were ignored as ignored: true, with their ignoreReason.
Every file is included because it is referenced by another file. The parents list will contain the list of all files that caused this file to be included.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
12 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vercel/.github/SECURITY.md:1
- Info: Found linked content: github.com/vercel/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vercel/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vercel/.github/SECURITY.md:1
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yml:16
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/nft/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/nft/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/nft/ci.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:45
- Info: 0 out of 3 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/pr.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
55 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-fpm5-vv97-jfwg
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-gp2j-mg4w-2rh5
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
- Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-mpg4-rc92-vx8v
- Warn: Project is vulnerable to: GHSA-3wf4-68gx-mph8
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-w7q9-p3jq-fmhm
- Warn: Project is vulnerable to: GHSA-xvf7-4v9q-58w6
- Warn: Project is vulnerable to: GHSA-wgfq-7857-4jcc
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-m7xq-9374-9rvx
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
- Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
- Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
- Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
- Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
- Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
- Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-3965-hpx2-q597
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-2rq5-699j-x7p6
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
- Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
- Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
- Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
- Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
- Warn: Project is vulnerable to: GHSA-h6q6-9hqw-rwfv
- Warn: Project is vulnerable to: GHSA-5fg8-2547-mr8q
- Warn: Project is vulnerable to: GHSA-crh6-fp67-6883
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
6
/10
Last Scanned on 2025-01-06
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More