Gathering detailed insights and metrics for es-module-lexer
Low-overhead lexer dedicated to ES module parsing for fast analysis
npm install es-module-lexer
99.8
Supply Chain
100
Quality
80.5
Maintenance
100
Vulnerability
100
License
933 Stars
237 Commits
48 Forks
8 Watching
6 Branches
22 Contributors
Updated on 26 Nov 2024
JavaScript (96.01%)
C (3.26%)
TypeScript (0.73%)
Cumulative downloads
Total Downloads
Last day
-5.9%
4,280,863
Compared to previous day
Last week
3.2%
24,291,641
Compared to previous week
Last month
8.8%
99,799,808
Compared to previous month
Last year
37.9%
1,033,325,263
Compared to previous year
A JS module syntax lexer used in es-module-shims.
Outputs the list of exports and locations of import specifiers, including dynamic import and import meta handling.
Supports new syntax features including import attributes and source phase imports.
A very small single JS file (4KiB gzipped) that includes inlined Web Assembly for very fast source analysis of ECMAScript module syntax only.
As an example of the performance, Angular 1 (720KiB) is fully parsed in 5ms, in comparison to the fastest JS parser, Acorn, which takes over 100ms.
Comprehensively handles the JS language grammar while remaining small and fast: ~10ms per MB of JS cold and ~5ms per MB of JS warm; see benchmarks for more info.
npm install es-module-lexer
See src/lexer.ts for the type definitions.
For use in CommonJS:
```js
const { init, parse } = require('es-module-lexer');

(async () => {
  // either await init, or call parse asynchronously
  // this is necessary for the Web Assembly boot
  await init;

  const source = 'export var p = 5';
  const [imports, exports] = parse(source);

  // Returns "p"
  source.slice(exports[0].s, exports[0].e);
  // Returns "p"
  source.slice(exports[0].ls, exports[0].le);
})();
```
An ES module version is also available:
```js
import { init, parse } from 'es-module-lexer';

(async () => {
  await init;

  const source = `
    import { name } from 'mod\\u1011';
    import json from './json.json' assert { type: 'json' }
    export var p = 5;
    export function q () {

    };
    export { x as 'external name' } from 'external';

    // Comments provided to demonstrate edge cases
    import /*comment!*/ ( 'asdf', { assert: { type: 'json' }});
    import /*comment!*/.meta.asdf;

    // Source phase imports:
    import source mod from './mod.wasm';
    import.source('./mod.wasm');
  `;

  const [imports, exports] = parse(source, 'optional-sourcename');

  // Returns "modထ"
  imports[0].n
  // Returns "mod\u1011"
  source.slice(imports[0].s, imports[0].e);
  // "s" = start
  // "e" = end

  // Returns "import { name } from 'mod\u1011'"
  source.slice(imports[0].ss, imports[0].se);
  // "ss" = statement start
  // "se" = statement end

  // Returns "{ type: 'json' }"
  source.slice(imports[1].a, imports[1].se);
  // "a" = assert, -1 for no assertion

  // Returns "external"
  source.slice(imports[2].s, imports[2].e);

  // Returns "p"
  source.slice(exports[0].s, exports[0].e);
  // Returns "p"
  source.slice(exports[0].ls, exports[0].le);
  // Returns "q"
  source.slice(exports[1].s, exports[1].e);
  // Returns "q"
  source.slice(exports[1].ls, exports[1].le);
  // Returns "'external name'"
  source.slice(exports[2].s, exports[2].e);
  // Returns -1
  exports[2].ls;
  // Returns -1
  exports[2].le;

  // Import type is provided by `t` value
  // (1 for static, 2 for dynamic)
  // Returns true (imports[3] is the dynamic import; imports[2] is the re-export)
  imports[3].t == 2;

  // Returns "asdf" (only for string literal dynamic imports)
  imports[3].n
  // Returns "import /*comment!*/ ( 'asdf', { assert: { type: 'json' }})"
  source.slice(imports[3].ss, imports[3].se);
  // Returns "'asdf'"
  source.slice(imports[3].s, imports[3].e);
  // Returns "( 'asdf', { assert: { type: 'json' }})"
  source.slice(imports[3].d, imports[3].se);
  // Returns "{ assert: { type: 'json' }}"
  source.slice(imports[3].a, imports[3].se - 1);

  // For non-string dynamic import expressions:
  // - n will be undefined
  // - a is currently -1 even if there is an assertion
  // - e is currently the character before the closing )

  // For nested dynamic imports, the se value of the outer import is -1 as end tracking does not
  // currently support nested dynamic imports

  // import.meta is indicated by imports[4].d === -2
  // Returns true
  imports[4].d === -2;
  // Returns "import /*comment!*/.meta"
  source.slice(imports[4].s, imports[4].e);
  // ss and se are the same for import meta

  // Returns "'./mod.wasm'"
  source.slice(imports[5].s, imports[5].e);

  // Import type 4 and 5 for static and dynamic source phase
  imports[5].t === 4;
  imports[6].t === 5;
})();
```
The default version of the library uses Wasm and (safe) eval usage for performance and a minimal footprint.
Neither of these represents a security escalation possibility, since there are no execution string injection vectors, but either can still violate existing CSP policies for applications.
For a version that works with CSP eval disabled, use the es-module-lexer/js build:
```js
import { parse } from 'es-module-lexer/js';
```
Instead of Web Assembly, this uses an asm.js build which is almost as fast as the Wasm version (see benchmarks below).
To handle escape sequences in specifier strings, the .n field of imported specifiers will be provided where possible.
For dynamic import expressions, this field will be empty if not a valid JS string.
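As an added example (not code from es-module-lexer or from this page), one way a build or review step can vet import specifiers is to decide on the decoded .n value and treat a missing .n on a dynamic import as unverifiable. The policy, the sample module and the hand-built records (including d: -1 for static imports and t: 3 for import.meta) are assumptions constructed for illustration; in real use the records come from parse().

```javascript
// `imports` has the shape parse() returns, per the README: n = decoded specifier
// (undefined for a non-literal dynamic import), s/e = specifier offsets,
// t = import type (1 static, 2 dynamic, 4/5 source phase), d === -2 = import.meta.
function auditImports(source, imports, isAllowed) {
  const findings = [];
  for (const imp of imports) {
    if (imp.d === -2) continue; // import.meta does not load a module
    const raw = source.slice(imp.s, imp.e);
    const dynamic = imp.t === 2 || imp.t === 5;
    if (imp.n === undefined) {
      // Target is computed at run time, so it cannot be checked statically.
      findings.push({ rule: 'non-literal-dynamic-import', raw });
    } else if (!isAllowed(imp.n)) {
      // Decide on the decoded value; the raw text may spell it with escapes.
      const rule = dynamic ? 'disallowed-dynamic-import' : 'disallowed-import';
      findings.push({ rule, specifier: imp.n, raw });
    }
  }
  return findings;
}

// Hypothetical policy: relative paths plus an explicit set of bare package names.
const ALLOWED_PACKAGES = new Set(['left-pad']);
const isAllowed = (n) => n.startsWith('./') || n.startsWith('../') || ALLOWED_PACKAGES.has(n);

// Constructed sample module; String.raw keeps the \u escape as literal source text.
const sample = String.raw`import { a } from './util.js';
import pad from 'left-pad';
import fs from 'node:f\u0073';
import('./lazy.js');
import(pluginName);
console.log(import.meta.url);`;

// Constructed records standing in for `const [imports] = parse(sample)`.
const rec = (text, n, t, d) => {
  const s = sample.indexOf(text);
  return { n, t, d, s, e: s + text.length };
};
const sampleImports = [
  rec('./util.js', './util.js', 1, -1),
  rec('left-pad', 'left-pad', 1, -1),
  rec(String.raw`node:f\u0073`, 'node:fs', 1, -1),
  rec("'./lazy.js'", './lazy.js', 2, sample.indexOf("('./lazy.js'")),
  rec('pluginName', undefined, 2, sample.indexOf('(pluginName')),
  rec('import.meta', undefined, 3, -2),
];

const sampleFindings = auditImports(sample, sampleImports, isAllowed);
```

Each finding carries both the decoded specifier and the raw source text, so a report shows what the module actually resolves alongside how it was written.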
Facade modules that only use import / export syntax can be detected via the third return value:
```js
const [,, facade] = parse(`
  export * from 'external';
  import * as ns from 'external2';
  export { a as b } from 'external3';
  export { ns };
`);
facade === true;
```
Modules that use ESM syntax can be detected via the fourth return value:
```js
const [,,, hasModuleSyntax] = parse(`
  export {}
`);
hasModuleSyntax === true;
```
Dynamic imports are ignored since they can be used in non-ESM files.
```js
const [,,, hasModuleSyntax] = parse(`
  import('./foo.js')
`);
hasModuleSyntax === false;
```
Node.js 10+, and all browsers with Web Assembly support.
The lexing approach is designed to deal with the full language grammar including RegEx / division operator ambiguity through backtracking and paren / brace tracking.
The only limitation to the reduced parser is that the "exports" list may not correctly gather all export identifiers in the following edge cases:
```js
// Only "a" is detected as an export, "q" isn't
export var a = 'asdf', q = z;

// "b" is not detected as an export
export var { a: b } = asdf;
```
The above cases are handled gracefully: the lexer keeps going, but it will not properly detect the export names above.
Benchmarks can be run with npm run bench.
Current results for a high spec machine:
Module load time
> 5ms
Cold Run, All Samples
test/samples/*.js (3123 KiB)
> 18ms
Warm Runs (average of 25 runs)
test/samples/angular.js (739 KiB)
> 3ms
test/samples/angular.min.js (188 KiB)
> 1ms
test/samples/d3.js (508 KiB)
> 3ms
test/samples/d3.min.js (274 KiB)
> 2ms
test/samples/magic-string.js (35 KiB)
> 0ms
test/samples/magic-string.min.js (20 KiB)
> 0ms
test/samples/rollup.js (929 KiB)
> 4.32ms
test/samples/rollup.min.js (429 KiB)
> 2.16ms
Warm Runs, All Samples (average of 25 runs)
test/samples/*.js (3123 KiB)
> 14.16ms
Module load time
> 2ms
Cold Run, All Samples
test/samples/*.js (3123 KiB)
> 34ms
Warm Runs (average of 25 runs)
test/samples/angular.js (739 KiB)
> 3ms
test/samples/angular.min.js (188 KiB)
> 1ms
test/samples/d3.js (508 KiB)
> 3ms
test/samples/d3.min.js (274 KiB)
> 2ms
test/samples/magic-string.js (35 KiB)
> 0ms
test/samples/magic-string.min.js (20 KiB)
> 0ms
test/samples/rollup.js (929 KiB)
> 5ms
test/samples/rollup.min.js (429 KiB)
> 3.04ms
Warm Runs, All Samples (average of 25 runs)
test/samples/*.js (3123 KiB)
> 17.12ms
This project uses Chomp for building.
With Chomp installed, download the WASI SDK 12.0 from https://github.com/WebAssembly/wasi-sdk/releases/tag/wasi-sdk-12.
Locate the WASI-SDK as a sibling folder, or customize the path via the WASI_PATH environment variable.
Emscripten emsdk is also assumed to be a sibling folder or via the EMSDK_PATH environment variable.
Example setup:
```sh
git clone https://github.com/guybedford/es-module-lexer
git clone https://github.com/emscripten-core/emsdk
cd emsdk
git checkout 1.40.1-fastcomp
./emsdk install 1.40.1-fastcomp
cd ..
wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz
gunzip wasi-sdk-12.0-linux.tar.gz
tar -xf wasi-sdk-12.0-linux.tar
mv wasi-sdk-12.0-linux.tar wasi-sdk-12.0
cargo install chompbuild
cd es-module-lexer
chomp test
```
For the asm.js build, a git clone of emsdk is assumed to be a sibling folder as well.
MIT
No vulnerabilities found.
Reason: no dangerous workflow patterns detected
Reason: 0 existing vulnerabilities detected
Reason: license file detected
Reason: binaries present in source code
Reason: Found 8/30 approved changesets -- score normalized to 2
Reason: 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Reason: detected GitHub workflow tokens with excessive permissions
Reason: no effort to earn an OpenSSF best practices badge detected
Reason: dependency not pinned by hash detected -- score normalized to 0
Reason: project is not fuzzed
Reason: branch protection not enabled on development/release branches
Reason: security policy file not detected
Reason: SAST tool is not run on all commits -- score normalized to 0
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.