
Module npm_reach


Build-free npm reachability via a module import graph (the spec’s R2).

Unlike the grep heuristic in crate::reach, this resolves transitive reachability: it parses every require/import specifier in the repo’s own source and in each installed node_modules package, builds a name-level package→package graph, and asks whether a vulnerable package is reachable from the first-party code. A reached package gets a sound-positive ReachVerdict::Reachable with a witness import-chain (your-dep → … → vuln), exactly like the Go/govulncheck path.

Soundness of the negative. A NotReachable is only emitted under an explicit opt-in (prune) AND only when node_modules is present (so the transitive graph is complete). Even then it is best-effort sound: JavaScript can require(variableExpr) or autoload via a framework, which this cannot see, so a NotReachable can be wrong for such code — the flag is the caller’s acknowledgement of that risk. To stay safe by default:

  • entry points are over-approximated to every first-party file (any file may run), so a dependency used only by a test/script is still Reachable, never falsely pruned;
  • package→package edges are taken from actual parsed import specifiers (precise, so the prune has teeth) — the documented trade for the dynamic-import blind spot.

Without prune, an unreached package stays ReachVerdict::Unknown.
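The following is an added, self-contained illustration of the mechanism described above; it is not the crate's own code, and `Verdict`, `ImportGraph`, `FIRST_PARTY` and the constructed source snippets are hypothetical stand-ins for the module's `Reach`/`Options` and for a real repository. It shows the three documented properties in working form: static extraction of require/import specifiers (a `require(variableExpr)` yields nothing, the documented blind spot), a name-level package graph with one over-approximated first-party entry node, a BFS that returns the witness chain, and a `NotReachable` that is only produced when `prune` is set AND the graph was built from `node_modules`.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Illustrative verdict type (stand-in for the module's `Reach`, not the crate's own).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    /// A witness import chain exists: first-party -> ... -> vulnerable package.
    Reachable(Vec<String>),
    /// Emitted only under `prune` with a complete (node_modules-backed) graph.
    NotReachable,
    /// Nothing proven either way.
    Unknown,
}

/// Pseudo-node standing for *every* first-party file (entry points over-approximated).
pub const FIRST_PARTY: &str = "<first-party>";

/// Map a specifier to the package it names. Relative/absolute paths and `node:` builtins
/// are not packages -> None. `@scope/name/sub` -> `@scope/name`; `lodash/fp` -> `lodash`.
pub fn package_of(spec: &str) -> Option<String> {
    if spec.starts_with('.') || spec.starts_with('/') || spec.starts_with("node:") {
        return None;
    }
    let mut parts = spec.split('/');
    let first = parts.next().filter(|s| !s.is_empty())?;
    if first.starts_with('@') {
        let second = parts.next().filter(|s| !s.is_empty())?;
        Some(format!("{first}/{second}"))
    } else {
        Some(first.to_string())
    }
}

/// Naive static scan for `require('x')`, `from "x"`, `import 'x'` and `import("x")`.
/// A dynamic `require(someVar)` has no string literal and is silently invisible,
/// which is exactly why a negative verdict is only best-effort sound.
pub fn import_specifiers(src: &str) -> Vec<String> {
    let mut out = Vec::new();
    for prefix in ["require(", "from ", "import ", "import("] {
        let mut rest = src;
        while let Some(i) = rest.find(prefix) {
            let after = rest[i + prefix.len()..].trim_start();
            // Only a string literal directly after the keyword counts as a specifier.
            if let Some(q) = after.chars().next().filter(|c| *c == '\'' || *c == '"') {
                let body = &after[1..];
                if let Some(end) = body.find(q) {
                    out.push(body[..end].to_string());
                }
            }
            rest = &rest[i + prefix.len()..];
        }
    }
    out
}

/// Name-level package -> package graph.
pub struct ImportGraph {
    edges: HashMap<String, Vec<String>>,
    /// true when node_modules was walked, i.e. transitive edges are complete.
    complete: bool,
}

impl ImportGraph {
    /// `node_modules` is a list of (package name, concatenated source) pairs, or None if absent.
    pub fn build(first_party: &[&str], node_modules: Option<&[(&str, &str)]>) -> Self {
        let mut edges: HashMap<String, Vec<String>> = HashMap::new();
        let fp = edges.entry(FIRST_PARTY.to_string()).or_default();
        for src in first_party {
            for spec in import_specifiers(src) {
                if let Some(p) = package_of(&spec) {
                    if !fp.contains(&p) { fp.push(p); }
                }
            }
        }
        if let Some(pkgs) = node_modules {
            for (name, src) in pkgs {
                let e = edges.entry(name.to_string()).or_default();
                for spec in import_specifiers(src) {
                    if let Some(p) = package_of(&spec) {
                        if p != *name && !e.contains(&p) { e.push(p); }
                    }
                }
            }
        }
        ImportGraph { edges, complete: node_modules.is_some() }
    }

    /// BFS from the first-party pseudo-node; on success returns the witness chain.
    pub fn witness(&self, target: &str) -> Option<Vec<String>> {
        let mut prev: HashMap<String, String> = HashMap::new();
        let mut seen: HashSet<String> = HashSet::new();
        let mut q = VecDeque::new();
        seen.insert(FIRST_PARTY.to_string());
        q.push_back(FIRST_PARTY.to_string());
        while let Some(n) = q.pop_front() {
            if n == target {
                let mut chain = vec![n.clone()];
                let mut cur = n;
                while let Some(p) = prev.get(&cur) {
                    chain.push(p.clone());
                    cur = p.clone();
                }
                chain.reverse();
                return Some(chain);
            }
            for m in self.edges.get(&n).into_iter().flatten() {
                if seen.insert(m.clone()) {
                    prev.insert(m.clone(), n.clone());
                    q.push_back(m.clone());
                }
            }
        }
        None
    }

    /// The verdict gating: Reachable needs a witness; NotReachable needs prune AND a
    /// complete graph; everything else stays Unknown.
    pub fn verdict(&self, target: &str, prune: bool) -> Verdict {
        match self.witness(target) {
            Some(chain) => Verdict::Reachable(chain),
            None if prune && self.complete => Verdict::NotReachable,
            None => Verdict::Unknown,
        }
    }
}

// Constructed sample repo: one first-party file plus a tiny fake node_modules.
const FIRST_PARTY_SRC: &str = "const _ = require('lodash/fp');\n\
import { app } from './app';\n\
import express from \"express\";\n\
const plugin = require(pluginName); // dynamic: invisible to the scan\n";

const NODE_MODULES: &[(&str, &str)] = &[
    ("express", "const debug = require('debug');\nconst qs = require('qs');"),
    ("debug", "const ms = require('ms');"),
    ("qs", ""),
    ("ms", ""),
    ("lodash", ""),
];

/// Build the sample graph with or without node_modules present.
pub fn sample_graph(with_node_modules: bool) -> ImportGraph {
    ImportGraph::build(&[FIRST_PARTY_SRC], if with_node_modules { Some(NODE_MODULES) } else { None })
}

fn main() {
    let g = sample_graph(true);
    println!("{:?}", g.verdict("ms", false));        // Reachable via express -> debug -> ms
    println!("{:?}", g.verdict("left-pad", false));  // Unknown (no prune)
    println!("{:?}", g.verdict("left-pad", true));   // NotReachable (prune + node_modules)
    println!("{:?}", sample_graph(false).verdict("left-pad", true)); // Unknown (no node_modules)
}
```

The `ms` case is the point of the transitive graph: nothing in first-party code mentions `ms`, yet the witness chain `<first-party> -> express -> debug -> ms` proves it is reachable, which a grep of the repo alone would miss. The `left-pad` cases show the same absence of a witness collapsing to three different verdicts depending only on `prune` and whether `node_modules` was available.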

Structs

Options
Options for assess.

Enums

Reach
The reachability verdict for one package.

Functions

assess
Annotate every npm finding in report with import-graph reachability. Repos are analyzed once and cached. Non-npm findings are left untouched.