NodeSecure · fraxken · Dec 21, 2025 · Dec 21, 2025
diff --git a/.changeset/shaggy-carpets-cough.md b/.changeset/shaggy-carpets-cough.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(scanner): support more formats for highlight.packages
diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
@@ -38,6 +38,7 @@ import type {
   Options,
   Payload
 } from "./types.ts";
+import { parseSemverRange } from "./utils/parseSemverRange.ts";
 
 // CONSTANTS
 const kDefaultDependencyVersionFields = {
@@ -300,9 +301,10 @@ export async function depWalker(
         });
       }
     }
+    const semverRanges = parseSemverRange(options.highlight?.packages ?? {});
     for (const version of Object.entries(dependency.versions)) {
       const [verStr, verDescriptor] = version as [string, DependencyVersion];
-      const range = options.highlight?.packages?.[packageName];
+      const range = semverRanges?.[packageName];
       if (range && semver.satisfies(verStr, range)) {
         highlightedPackages.add(`${packageName}@${verStr}`);
       }

diff --git a/workspaces/scanner/src/types.ts b/workspaces/scanner/src/types.ts
@@ -221,7 +221,7 @@ export interface Payload {
 
 export type SemverRange = string | "*";
 
-export type HighlightPackages = Record<string, SemverRange>;
+export type HighlightPackages = string[] | Record<string, string[] | SemverRange>;
 
 export interface Options {
   /**

diff --git a/workspaces/scanner/src/utils/parseSemverRange.ts b/workspaces/scanner/src/utils/parseSemverRange.ts
@@ -0,0 +1,40 @@
+// Import Third-party Dependencies
+import { parseNpmSpec } from "@nodesecure/mama";
+
+// Import Internal Dependencies
+import { type HighlightPackages } from "../types.ts";
+
+export function parseSemverRange(packages: HighlightPackages) {
+  const pkgs = Array.isArray(packages) ? parseSpecs(packages) : packages;
+
+  return Object.entries(pkgs).reduce((acc, [name, semverRange]) => {
+    if (Array.isArray(semverRange)) {
+      acc[name] = semverRange.join(" || ");
+    }
+    else {
+      acc[name] = semverRange;
+    }
+
+    return acc;
+  }, {});
+}
+
+function parseSpecs(specs: string[]) {
+  return specs.reduce((acc, spec) => {
+    const parsedSpec = parseNpmSpec(spec);
+    if (!parsedSpec) {
+      return acc;
+    }
+    const { name, semver } = parsedSpec;
+    const version = semver || "*";
+    if (name in acc) {
+      acc[name].push(version);
+    }
+    else {
+      acc[name] = [version];
+    }
+
+    return acc;
+  }, {});
+}
+
diff --git a/workspaces/scanner/test/depWalker.spec.ts b/workspaces/scanner/test/depWalker.spec.ts
@@ -256,6 +256,33 @@ test("should highlight the given packages", async() => {
   );
 });
 
+test("should support multiple formats for packages highlighted", async() => {
+  const { logger } = errorLogger();
+  test.after(() => logger.removeAllListeners());
+
+  const hightlightPackages = ["zen-observable@0.8.14 || 0.8.15", "nanoid"];
+
+  const result = await depWalker(
+    pkgHighlightedPackages,
+    structuredClone({
+      ...kDefaultWalkerOptions,
+      highlight: {
+        packages: hightlightPackages,
+        contacts: []
+      }
+    }),
+    logger
+  );
+
+  assert.deepStrictEqual(
+    result.highlighted.packages.sort(),
+    [
+      "nanoid@5.1.6",
+      "zen-observable@0.8.15"
+    ]
+  );
+});
+
 test("fetch payload of pacote on the npm registry", async() => {
   const result = await from(
     "pacote",

diff --git a/workspaces/scanner/test/utils/parseSemverRange.spec.ts b/workspaces/scanner/test/utils/parseSemverRange.spec.ts
@@ -0,0 +1,54 @@
+// Import Node.js Dependencies
+import { test, describe } from "node:test";
+import assert from "node:assert";
+
+// Import Internal Dependencies
+import { parseSemverRange } from "../../src/utils/parseSemverRange.ts";
+
+describe("parseSemverRange", () => {
+  test("should do nothing when the semver ranges are already well formatted", () => {
+    assert.deepEqual(parseSemverRange({
+      foo: "1.2.3",
+      bar: "1.2.3 || 1.2.4"
+    }), {
+      foo: "1.2.3",
+      bar: "1.2.3 || 1.2.4"
+    });
+  });
+
+  test("should parse to semver range string when getting an array", () => {
+    assert.deepEqual(parseSemverRange({
+      foo: ["1.2.3"],
+      bar: ["1.2.3", "1.2.4"]
+    }), {
+      foo: "1.2.3",
+      bar: "1.2.3 || 1.2.4"
+    });
+  });
+
+  describe("specs", () => {
+    test("should parse specs to name semver range", () => {
+      assert.deepEqual(parseSemverRange(["foo@1.2.3", "bar@1.2.3", "bar@1.2.4"]), {
+        foo: "1.2.3",
+        bar: "1.2.3 || 1.2.4"
+      });
+    });
+
+    test("should parse to wildcard when there is no version", () => {
+      assert.deepEqual(parseSemverRange(["mocha", "jest@1.2.1", "jest"]), {
+        mocha: "*",
+        jest: "1.2.1 || *"
+      });
+    });
+
+    test("should include the org in the name", () => {
+      assert.deepEqual(parseSemverRange(["@nodesecure/js-x-ray@1.0.0", "@nodesecure/js-x-ray@1.0.1"]), {
+        "@nodesecure/js-x-ray": "1.0.0 || 1.0.1"
+      });
+    });
+
+    test("should should not parse invalid specs", () => {
+      assert.deepEqual(parseSemverRange([""]), {});
+    });
+  });
+});