hashing out static analysis of npm packages #6

chrisdickinson opened this Issue Apr 7, 2015 · 0 comments



Both io.js and Node core have a desire for deeper insight into how core APIs are being used across the ecosystem. Given that, I set out to build a tool to answer some questions:

  1. What external APIs does a given package use?
  2. How does it use those APIs?
    1. What types are sent?
    2. How are return values used?
    3. Are calls wrapped in try/catch blocks?

The result of that work is a package called estoc. It uses a stack machine + spies to statically analyze individual packages. As a package, it exposes a readable stream of "Usage" data, where that usage (currently) contains:

  1. Type of usage (load: x, lookup, x.y, and call x()).
  2. Path of usage (x = require('url'); x.y.z yields a path like so ['url (as x)', 'y', 'z'])
    1. return value segments will contain <return value (from $funcname $filename:$line)>
    2. "inversion of control" segments will contain <ioc-arg #$argpos>
  3. args, if a call.
  4. exception destination, if any

estoc evaluates full packages – it accepts directories or gzipped tarballs as arguments. It can successfully analyze the contents of my local npm cache. An average package takes about 500-600ms to analyze. I'm at a point now where I need input from others on how to make this as useful as possible, and especially from folks involved with npm to see if there are any high-value ways of exposing this to the community.

Here is the result of running estoc against request 2.53.0. Of note: these lines are being generated by these calls to this function.

@thomblake thomblake closed this Jun 13, 2016
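
An added illustration, not part of the original issue and not estoc's code: a regex-based approximation (estoc itself uses a stack machine and spies) that emits load, lookup and call records with paths in the `['url (as x)', 'y', 'z']` form described in the post. The function name `collectUsages`, the record fields `type` and `path`, and the sample source are assumptions made for this example.

```javascript
// Constructed sample input: a tiny module that loads two core modules.
const SAMPLE = `
var x = require('url');
var cp = require('child_process');
var parsed = x.parse(input);
cp.execSync(cmd);
x.y.z;
`;

// Approximate usage extraction. A regex scan cannot see scopes, aliases,
// return values or try/catch context, and it will also match text inside
// strings and comments; a real analyzer evaluates the AST instead.
function collectUsages(source) {
  const usages = [];
  const bindings = new Map(); // local variable name -> required module name

  // Pass 1: "var NAME = require('MODULE')" produces a load record.
  const requireRe =
    /(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)/g;
  let m;
  while ((m = requireRe.exec(source)) !== null) {
    bindings.set(m[1], m[2]);
    usages.push({ type: 'load', path: [`${m[2]} (as ${m[1]})`] });
  }

  // Pass 2: member chains rooted at a bound name. A trailing "(" makes the
  // record a call; otherwise it is a lookup.
  const memberRe =
    /(?<![\w$.])([A-Za-z_$][\w$]*)((?:\.[A-Za-z_$][\w$]*)+)(\s*\()?/g;
  while ((m = memberRe.exec(source)) !== null) {
    const moduleName = bindings.get(m[1]);
    if (!moduleName) continue; // root is not a required module
    const segments = m[2].slice(1).split('.');
    usages.push({
      type: m[3] ? 'call' : 'lookup',
      path: [`${moduleName} (as ${m[1]})`, ...segments],
    });
  }
  return usages;
}

// Which core APIs does the sample call? Useful when reviewing a dependency
// for use of sensitive modules such as child_process.
for (const u of collectUsages(SAMPLE)) {
  console.log(u.type.padEnd(6), JSON.stringify(u.path));
}
```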
