@diachedelic
Last active June 30, 2022 02:54
A shell script which detects the bloated dependencies in a package.json.
#!/bin/bash
# fatdeps.sh is a script that counts the number of subdependencies of every
# dependency found in a package.json file. It can be used to discover bloat,
# which is a major security risk in Node.js and browser applications.
# fatdeps.sh depends on the 'jq' and 'npx' commands.
#
# USAGE
#   $ ./fatdeps.sh /path/to/package.json
#
# EXAMPLE OUTPUT
#   Nr. deps Package Size
#   2 [email protected] 447.79kb
#   44 [email protected] 2.63mb
#   0 [email protected] 72.93kb
#   1 [email protected] 393.63kb
#   0 [email protected] 216.21kb
#   7 [email protected] 931.86kb
#   0 [email protected] 15.51kb
#   0 [email protected] 16.43kb
#   2 [email protected] 358.24kb
#   1 [email protected] 22.34kb
#   0 [email protected] 169.34kb
#   0 [email protected] 92.69kb
#   1 [email protected] 50.11kb
#   0 [email protected] 90.01kb
#   0 [email protected] 5.23mb
#   0 [email protected] 23.31kb
#   9 [email protected] 409.57kb
#   99 [email protected] 2.79mb
#   0 [email protected] 50.53kb
#   86 [email protected] 6.01mb
#
# You can help protect your application from supply chain attacks by removing
# excessively bloated dependencies, which disproportionately increase your
# application's attack surface.

# Fail the pipeline if jq or howfat fails, rather than silently printing nothing.
set -o pipefail

package_json=${1:-package.json}

# We parse the output of howfat with this horrendous regular expression, so that
# we can print the data like the table above.
rx_output="^([@a-zA-Z][^@]+)@([^@]+)@([^ ]+) \((([^,]+) deps?, )?(([^,]+), )[^,]+\)"
# Capturing groups:
#   [1] package name
#   [2] version specifier
#   [3] fetched version
#   [5] number of subdependencies (absent when the package has none)
#   [7] size

echo -e "Nr. deps\tPackage\tSize"

# Build one "name@specifier" argument per dependency. Either section may be
# missing from package.json, so default each to an empty object.
jq -r '
    (.dependencies // {}) + (.devDependencies // {})
    | to_entries
    | map(.key + "@" + .value)
    | .[]
' "$package_json" \
    | xargs npx howfat \
        --no-colors \
        --reporter tree \
    | while read -r line; do
        # Loop through each line, looking for top level dependencies. Print
        # the relevant portions.
        if [[ $line =~ $rx_output ]]
        then
            name="${BASH_REMATCH[1]}"
            version="${BASH_REMATCH[3]}"
            subdeps="${BASH_REMATCH[5]:-0}"
            size="${BASH_REMATCH[7]}"
            echo -e "$subdeps\t$name@$version\t$size"
        fi
    done
# Pin howfat to a specific version (npx howfat@<version>) for reproducible runs.
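The parsing step of fatdeps.sh, as an added example that is not part of the gist: it reuses the script's regular expression on constructed, offline howfat-style lines (package names, versions and sizes are made up), handles a scoped package, a single-dependency package and a package with no subdependencies, skips tree branch lines, and ranks the result with an optional threshold.

```bash
#!/bin/bash
# Added example (not the gist's code): parse howfat tree-reporter output
# offline and rank top-level dependencies by subdependency count.
# The regular expression is the one fatdeps.sh uses; the sample lines are
# constructed to resemble howfat output (names, versions, sizes are made up).

rx_output="^([@a-zA-Z][^@]+)@([^@]+)@([^ ]+) \((([^,]+) deps?, )?(([^,]+), )[^,]+\)"

# Constructed sample: two packages with many subdependencies (one scoped),
# one with a single dependency, one with none, plus a tree branch line
# (prefixed with "├─") that must be ignored.
sample_output='express@^4.18.2@4.18.2 (44 deps, 2.63mb, 233 files)
├─ accepts@~1.3.8@1.3.8 (2 deps, 48.31kb, 7 files)
@babel/core@^7.20.0@7.20.12 (86 deps, 6.01mb, 812 files)
lodash@^4.17.21@4.17.21 (5.23mb, 1054 files)
debug@^4.3.4@4.3.4 (1 dep, 22.34kb, 5 files)'

# fatdeps_rank: read howfat lines on stdin, print one tab-separated
# "<subdeps> <name>@<version> <size>" row per top-level package, sorted by
# descending subdependency count. Non-matching lines are skipped.
fatdeps_rank() {
    while IFS= read -r line; do
        if [[ $line =~ $rx_output ]]; then
            # Group 5 is empty when howfat prints no "N deps" field.
            printf '%s\t%s@%s\t%s\n' "${BASH_REMATCH[5]:-0}" \
                "${BASH_REMATCH[1]}" "${BASH_REMATCH[3]}" "${BASH_REMATCH[7]}"
        fi
    done | sort -t $'\t' -k1,1nr
}

# fatdeps_over: like fatdeps_rank, but keep only packages whose subdependency
# count exceeds the threshold in $1. Treat hits as a prompt to review the
# package's dependency tree, not as a verdict on its safety.
fatdeps_over() {
    local threshold="$1"
    fatdeps_rank | awk -F '\t' -v t="$threshold" '$1 > t'
}

# Stand-alone run: list everything, then only the packages pulling in more
# than 10 subdependencies.
printf '%s\n' "$sample_output" | fatdeps_rank
printf '%s\n' "$sample_output" | fatdeps_over 10
```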