Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

hashing out static analysis of npm packages #6

chrisdickinson opened this issue Apr 7, 2015 · 0 comments

hashing out static analysis of npm packages #6

chrisdickinson opened this issue Apr 7, 2015 · 0 comments


Copy link

@chrisdickinson chrisdickinson commented Apr 7, 2015

Both io.js and Node core have a desire for deeper insight into how core APIs are being used across the ecosystem. Given that, I set out to build a tool to answer some questions:

  1. What external APIs does a given package use?
  2. How does it use those APIs?
    1. What types are sent?
    2. How are return values used?
    3. Are calls wrapped in try/catch blocks?

The result of that work is a package called estoc. It uses a stack machine + spies to statically analyze individual packages. As a package, it exposes a readable stream of "Usage" data, where that usage (currently) contains:

  1. Type of usage (load: x, lookup, x.y, and call x()).
  2. Path of usage (x = require('url'); x.y.z yields a path like so ['url (as x)', 'y', 'z'])
    1. return value segments will contain <return value (from $funcname $filename:$line)>
    2. "inversion of control" segments will contain <ioc-arg #$argpos>
  3. args, if a call.
  4. exception destination, if any

estoc evaluates full packages – it accepts directories or gzipped tarballs as arguments. It can successfully analyze the contents of my local npm cache. An average package takes about 500-600ms to analyze. I'm at a point now where I need input from others on how to make this as useful as possible, and especially from folks involved with npm to see if there are any high-value ways of exposing this to the community.

Here is the result of running estoc against request 2.53.0. Of note: these lines are being generated by these calls to this function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.