miccy · miccy · Apr 28, 2026
diff --git a/packages/scanner/src/detectors/index.ts b/packages/scanner/src/detectors/index.ts
@@ -7,9 +7,9 @@ export { detectInjection }
 /**
  * Run all detectors against a directory.
  */
-export function detect(targetDir: string): Finding[] {
+export async function detect(targetDir: string): Promise<Finding[]> {
   const findings: Finding[] = []
-  const lockPkgs = parseNpmLockfile(targetDir)
+  const lockPkgs = await parseNpmLockfile(targetDir)
   findings.push(...detectInjection(lockPkgs, targetDir))
   return findings
 }
diff --git a/packages/scanner/src/parsers/index.ts b/packages/scanner/src/parsers/index.ts
@@ -6,6 +6,10 @@ export { parseNpmLockfile, parseYarnLockfile }
 /**
  * Placeholder for unified lockfile parser dispatcher
  */
-export function parseLockfiles(targetDir: string): any[] {
-  return [...parseNpmLockfile(targetDir), ...parseYarnLockfile(targetDir)]
+export async function parseLockfiles(targetDir: string): Promise<any[]> {
+  const [npmPkgs, yarnPkgs] = await Promise.all([
+    parseNpmLockfile(targetDir),
+    parseYarnLockfile(targetDir),
+  ])
+  return [...npmPkgs, ...yarnPkgs]
 }
diff --git a/packages/scanner/src/parsers/npm.ts b/packages/scanner/src/parsers/npm.ts
@@ -1,5 +1,6 @@
-import { readFileSync } from 'node:fs'
+import { readFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import { stat } from 'node:fs/promises'
 import type { LockfileEntry } from '../types.js'
 
 interface NpmLockfile {
@@ -25,34 +26,51 @@ export interface ParsedPackage {
   lockfileVersion: number
 }
 
-/** Parse package-lock.json (v2/v3) or package-lock.v3.json */
-export function parseNpmLockfile(targetDir: string): ParsedPackage[] {
-  const paths = [
-    join(targetDir, 'package-lock.json'),
-    join(targetDir, 'package-lock.v3.json'),
-    join(targetDir, 'package-lock.v2.json'),
-  ]
-
-  let content: string = ''
-  let _lockPath: string = ''
-  for (const p of paths) {
-    try {
-      content = readFileSync(p, 'utf-8')
-      _lockPath = p
-      break
-    } catch {
-      /* try next */
+/**
+ * Parse package-lock.json (v2/v3) or package-lock.v3.json
+ * @param pathOrDir - Path to a specific lockfile or a directory to search in.
+ */
+export async function parseNpmLockfile(pathOrDir: string): Promise<ParsedPackage[]> {
+  let lockPath = pathOrDir
+  try {
+    const s = await stat(pathOrDir)
+    if (s.isDirectory()) {
+      const paths = [
+        join(pathOrDir, 'package-lock.json'),
+        join(pathOrDir, 'package-lock.v3.json'),
+        join(pathOrDir, 'package-lock.v2.json'),
+      ]
+      let found = false
+      for (const p of paths) {
+        try {
+          await stat(p)
+          lockPath = p
+          found = true
+          break
+        } catch { /* continue */ }
+      }
+      if (!found) return []
     }
+  } catch {
+    return []
+  }
+
+  let content: string
+  try {
+    content = await readFile(lockPath, 'utf-8')
+  } catch {
+    return []
   }
-  if (!content) return []
 
   const lock: NpmLockfile = JSON.parse(content)
   const version = lock.lockfileVersion ?? 2
   const pkgs: ParsedPackage[] = []
+  const seen = new Set<string>()
 
   if (version >= 3 && lock.packages) {
     for (const [pkgPath, entry] of Object.entries(lock.packages)) {
-      if (!pkgPath) continue
+      if (!pkgPath || seen.has(pkgPath)) continue
+      seen.add(pkgPath)
       const name = pkgPath.replace(/^node_modules\//, '')
       pkgs.push({
         name,

diff --git a/packages/scanner/src/parsers/yarn.ts b/packages/scanner/src/parsers/yarn.ts
@@ -1,4 +1,4 @@
-import { readFileSync } from 'node:fs'
+import { readFile, stat } from 'node:fs/promises'
 import { join } from 'node:path'
 import type { LockfileEntry } from '../types.js'
 
@@ -87,11 +87,20 @@ function parseYarnV2(content: string): ParsedPackage[] {
 /**
  * Main entrance for Yarn lockfile parsing
  */
-export function parseYarnLockfile(targetDir: string): ParsedPackage[] {
-  const lockPath = join(targetDir, 'yarn.lock')
+export async function parseYarnLockfile(pathOrDir: string): Promise<ParsedPackage[]> {
+  let lockPath = pathOrDir
+  try {
+    const s = await stat(pathOrDir)
+    if (s.isDirectory()) {
+      lockPath = join(pathOrDir, 'yarn.lock')
+    }
+  } catch {
+    return []
+  }
+
   let content: string
   try {
-    content = readFileSync(lockPath, 'utf8')
+    content = await readFile(lockPath, 'utf8')
   } catch {
     return []
   }

diff --git a/packages/scanner/src/scan.ts b/packages/scanner/src/scan.ts
@@ -1,7 +1,7 @@
 import { existsSync, readFileSync } from 'node:fs'
-import { basename, resolve } from 'node:path'
+import { resolve, basename } from 'node:path'
 
-import { parseYarnLockfile } from './parsers/yarn.js'
+import { parseNpmLockfile, parseYarnLockfile } from './parsers/index.js'
 import type { Finding, ScanResult } from './types.js'
 
 // ---------------------------------------------------------------------------
@@ -35,78 +35,14 @@ async function parseLockfile(path: string): Promise<any[]> {
     case 'package-lock.json':
     case 'package-lock.v2.json':
     case 'package-lock.v3.json':
-      return parseNpmLock(path)
+      return parseNpmLockfile(path)
     case 'yarn.lock':
       return parseYarnLockfile(path)
     default:
       return []
   }
 }
 
-// ---------------------------------------------------------------------------
-// npm (v2 + v3)
-// ---------------------------------------------------------------------------
-
-interface NpmLockPackage {
-  version: string
-  resolved?: string
-  engines?: Record<string, string>
-  requires?: Record<string, string>
-}
-
-interface NpmLockfile {
-  lockfileVersion?: number
-  packages?: Record<string, NpmLockPackage>
-  dependencies?: Record<string, NpmLockPackage>
-}
-
-function parseNpmLock(path: string): any[] {
-  let content: string
-  try {
-    content = readFileSync(path, 'utf8')
-  } catch {
-    return []
-  }
-
-  let lock: NpmLockfile
-  try {
-    lock = JSON.parse(content)
-  } catch {
-    return []
-  }
-
-  const version = lock.lockfileVersion ?? 2
-  const packages: any[] = []
-  const seen = new Set<string>()
-
-  if (version >= 3 && lock.packages) {
-    for (const [pkgPath, entry] of Object.entries(lock.packages)) {
-      if (!pkgPath || seen.has(pkgPath)) continue
-      seen.add(pkgPath)
-      const name = pkgPath.replace(/^node_modules\//, '')
-      packages.push({
-        name,
-        version: entry.version ?? '',
-        resolved: entry.resolved,
-        engines: entry.engines,
-        requires: entry.requires,
-      })
-    }
-  } else if (lock.dependencies) {
-    for (const [name, dep] of Object.entries(lock.dependencies)) {
-      packages.push({
-        name,
-        version: dep.version ?? '',
-        resolved: dep.resolved,
-        engines: dep.engines,
-        requires: dep.requires,
-      })
-    }
-  }
-
-  return packages
-}
-
 // ---------------------------------------------------------------------------
 // Injection detector
 // ---------------------------------------------------------------------------
@@ -172,7 +108,8 @@ export async function scan(target: string): Promise<ScanResult> {
     }
   }
 
-  const results = await Promise.all(lockfilePaths.map((p) => parseLockfile(p)))
+  // Use the shared parsers to avoid duplication and benefit from async I/O
+  const results = await Promise.all(lockfilePaths.map(p => parseLockfile(p)))
   const packages = results.flat()
   const injectionFindings = detectInjection(packages, target)
   findings.push(...injectionFindings)