RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Modules with `.cjs` and `.mjs` extensions are ignored. #339

Closed jfparadis closed 1 year ago

jfparadis commented 3 years ago

Retire.js version: v2.2.3

node version: v14.5.0

Type: Bug: module files (.cjs and .mjs) are not scanned. Feature: command-line parameter to list which extensions are scanned.

Description: Currently, only .js files are detected: https://github.com/RetireJS/retire.js/blob/master/node/lib/resolve.js#L73

More and more libraries ship under the UMD format, which can be loaded as modules or as an "old style" global definition. Some developers do rename them as `.cjs`/`.mjs` within their project, as both extensions are supported natively by node.

Currently, retire.js can scan .cjs and .mjs files only if those are renamed as .js (or if they are symlinked).

Expected behaviour: Option 1: One approach could be to update the regexp to cover all cases by default, and ensure nobody gets into the situation where JavaScript files are ignored:

        if (file.match(/\.[cm]?js$/)) {

https://github.com/RetireJS/retire.js/blob/master/node/lib/resolve.js#L73

Option 2: Alternatively, a list of extensions could be provided via a command-line argument, following what eslint is allowing:

$ eslint -h
...
  --ext [String]                  Specify JavaScript file extensions
        // If `--ext` option is present, use it.
        if (extensionRegExp) {
            return extensionRegExp.test(filePath);
        }

        // `.js` file is target by default.
        if (filePath.endsWith(".js")) {
            return true;
        }

https://github.com/eslint/eslint/blob/master/lib/cli-engine/file-enumerator.js#L240

The second option is more desirable.

eoftedal commented 3 years ago

Yeah, I agree the second option is the best. Would you care to submit a Pull request?