npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@thesherwood/reconjs

v0.0.4

Published

check arbitrary javascript code for security threats

Downloads

5

Readme

Intro to Recon beta

Reconjs is a module for statically analyzing arbitrary javascript code for security threats. This can be useful when you want to run user-generated code in your app and give that code access to certain functions/objects/data, or when you want to install a plugin that you might not trust.

Recon does not make unsafe software safe. It is simply an aid to flag dangerous code before it is run and to help the user/developer identify which lines of code pose the threat.

Usage

Recon exposes a few methods, but the primary one is check.

import Recon from "reconjs";

const r = new Recon();
// options are forwarded to the Acorn parser; allowedIdentifiers are names the checked code may use
r.check(codeToCheck /*, options, allowedIdentifiers */);

Calling check on a string will return an array of illicit nodes with location information, or false if reconjs finds no threats.

import Recon from "reconjs";

const dangerousCode = "console.log(privateData)"; // privateData is not on the whitelist
const safeCode = "1 + 1";

const r = new Recon();
r.check(dangerousCode);
// => [{"illicit":"privateData","line":1,"startColumn":12,"endColumn":18}]

r.check(safeCode);
// => false

Recon also makes use of a whitelist of identifiers that are deemed safe (currently). You can add and/or remove identifiers from that whitelist.

import Recon from "reconjs";

const r = new Recon();
// both methods accept a single identifier or an array of identifiers
r.addToWhitelist("example1");
r.addToWhitelist(["example2", "example3"]);

r.removeFromWhitelist(["debugger", "console"]);
r.removeFromWhitelist("yield");

Options

Recon passes on any options passed to check to the Acorn parser. If you wish to affect the parser's behavior, this is the way to do that, though I would keep it simple. I won't cover all Acorn options here.

| Option | Values | Behavior |
| ------------ | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| sourceType | "module" (default) or "script" | This is an Acorn configuration. "script" will throw errors if import or export are used. Recon will not catch these errors. |
| locations | true (default) or false | true will cause Recon to return line location data on illicit words. |
| allowThis | false (default) or true | false will cause Recon to consider all usage of the this keyword to be illicit. It is recommended that you use the default. If not, please consider using "use strict"; in your code and take other security precautions as necessary. |

Allowed Identifiers

check can take a third argument of allowedIdentifiers. These are variable, class, and function identifiers that you wish the checked code to have access to. Recon will not flag these identifiers as illicit should they appear anywhere in the code.
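To make the check() return shape, the whitelist methods, the allowedIdentifiers argument and the allowThis option concrete, here is an added model written for this page; it is not reconjs' own code. It assumes a constructed default whitelist and a class name MiniRecon, swaps Acorn's AST walk for a regex tokenizer, and does not track function parameters or template literals, so it flags too much rather than too little, in the spirit of the Limitations section.

```javascript
// Added model of reconjs' check()/whitelist/allowedIdentifiers/allowThis semantics.
// Assumption: this is NOT reconjs. It swaps Acorn's AST walk for a regex tokenizer,
// does not track function parameters, and does not special-case template literals,
// so it errs on the side of flagging too much (as the Limitations section describes).
const DEFAULT_WHITELIST = ["console", "Math", "JSON", "undefined", "NaN", "Infinity"]; // constructed
const KEYWORDS = new Set(("break case catch class const continue debugger default delete do else " +
  "export extends finally for from function if import in instanceof let new null of return " +
  "switch this throw true false try typeof var void while yield async await").split(" "));
const DECLARERS = new Set(["const", "let", "var", "function", "class"]);
// Token alternatives: line comment, block comment, string, number, (optional dot)(identifier), newline, any char.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|\d[\w.]*|(\.?)([A-Za-z_$][\w$]*)|\n|./g;

class MiniRecon {
  constructor() { this.whitelist = new Set(DEFAULT_WHITELIST); }
  addToWhitelist(ids) { for (const id of [].concat(ids)) this.whitelist.add(id); }
  removeFromWhitelist(ids) { for (const id of [].concat(ids)) this.whitelist.delete(id); }

  // Returns [{illicit, line, startColumn, endColumn}, ...] or false, mirroring reconjs' check().
  check(code, options = {}, allowedIdentifiers = []) {
    const allowed = new Set([...this.whitelist, ...allowedIdentifiers]);
    const declared = new Set();      // names the checked code declares itself
    const illicit = [];
    let line = 1, lineStart = 0, expectDecl = false;
    for (const m of code.matchAll(TOKEN)) {
      const [text, dot, ident] = m;
      if (ident !== undefined) {
        const start = m.index + text.length - ident.length;
        const flag = () => illicit.push({ illicit: ident, line,
          startColumn: start - lineStart, endColumn: start - lineStart + ident.length });
        if (dot) { /* property name: the object it hangs off was already judged */ }
        else if (ident === "this") { if (!options.allowThis) flag(); }   // allowThis defaults to false
        else if (KEYWORDS.has(ident)) { expectDecl = DECLARERS.has(ident); continue; }
        else if (expectDecl) declared.add(ident);                       // e.g. `const total`
        else if (!declared.has(ident) && !allowed.has(ident)) flag();   // deny by default
        expectDecl = false;
      }
      // Line/column bookkeeping, including newlines swallowed inside block comments.
      for (let i = text.indexOf("\n"); i !== -1; i = text.indexOf("\n", i + 1)) {
        line++; lineStart = m.index + i + 1;
      }
    }
    return illicit.length ? illicit : false;
  }
}

// Constructed sample inputs.
const r = new MiniRecon();
const dangerous = r.check("console.log(privateData)");                    // flags privateData at columns 12-23
const granted = r.check("console.log(privateData)", {}, ["privateData"]); // false: identifier explicitly allowed
```

Note that this model reports endColumn as startColumn plus the identifier length, so its column numbers are not meant to match reconjs' own output byte for byte.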

Dependencies

Recon has a hard dependency on Acorn. However, it only uses Acorn's parser, and walks the resulting AST with custom walkers.

Recon will not attempt to catch errors thrown by Acorn. If you're checking arbitrary code, you should be sure to implement that yourself.

Limitations

Modern Language Features

At present, reconjs does not support some cutting edge features of javascript, including but not limited to the following:

  • class fields
  • complex destructuring (either nested or with default values)

It will be overly sensitive, rather than too lax, on features it does not support.

Property Restrictions

At present, granting Recon access to an identifier means granting it access to any and all properties on that object. This may change in the future, but at present, if you can't allow access to a property, you must disallow the entire object.

Acorn Config

Not all options that can be passed into Acorn will be supported by Recon. I recommend keeping it simple. There's probably no reason to check code that can't run even if Acorn can be configured to parse it.