{"id":13799839,"url":"https://github.com/lydell/eslump","last_synced_at":"2025-10-15T01:36:47.691Z","repository":{"id":16594688,"uuid":"80316431","full_name":"lydell/eslump","owner":"lydell","description":"Fuzz testing JavaScript parsers and suchlike programs.","archived":false,"fork":false,"pushed_at":"2022-04-10T09:16:46.000Z","size":2829,"stargazers_count":59,"open_issues_count":2,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-07T21:35:13.176Z","etag":null,"topics":["acorn","babylon","ecmascript","escodegen","espree","esprima","fuzz-testing","javascript","parse","shift-codegen","shift-parser"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lydell.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-28T22:57:11.000Z","updated_at":"2025-01-10T14:10:35.000Z","dependencies_parsed_at":"2022-08-07T08:15:29.238Z","dependency_job_id":null,"html_url":"https://github.com/lydell/eslump","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/lydell/eslump","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lydell%2Feslump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lydell%2Feslump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lydell%2Feslump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lydell%2Feslump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lydell","download_url":"https://codeload.github.co
m/lydell/eslump/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lydell%2Feslump/sbom","scorecard":{"id":607076,"data":{"date":"2025-08-11","repo":{"name":"github.com/lydell/eslump","commit":"157d56fa9401df86f08ed7ca4e3dc150801859e9"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.8,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: 
.github/workflows/check.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":2,"reason":"Found 2/10 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/lydell/eslump/check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lydell/eslump/check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lydell/eslump/check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/lydell/eslump/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lydell/eslump/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/lydell/eslump/test.yml/main?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases 
found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"24 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-w8qv-6jwh-64r5","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: 
Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq","Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-21T01:51:24.649Z","repository_id":16594688,"created_at":"2025-08-21T01:51:24.649Z","updated_at":"2025-08-21T01:51:24.649Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279009755,"owners_count":26084645,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acorn","babylon","ecmascript","escodegen","espree","esprima","fuzz-testing","javascript","parse","shift-codegen","shift-parser"],"created_at":"2024-08-04T00:01:06.519Z","updated_at":"2025-10-15T01:36:47.642Z","avatar_url":"https://github.com/lydell.png","language":"JavaScript","readme":"# eslump [![Build Status][ci-badge]][ci-link]\n\nFuzz testing JavaScript parsers 
and suchlike programs.\n\n\u003e **es :** short for ECMAScript (the JavaScript standard)  \n\u003e **lump :** a piece or mass of indefinite size and shape  \n\u003e **slump :** the Swedish word for “chance”\n\nInspired by [esfuzz]. Powered by [shift-fuzzer] and [shift-codegen].\n\n## Contents\n\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n- [Installation](#installation)\n- [CLI](#cli)\n- [Module](#module)\n  - [`generateRandomJS(options = {})`](#generaterandomjsoptions--)\n- [Disclaimer](#disclaimer)\n- [Examples](#examples)\n- [Test files](#test-files)\n- [License](#license)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n## Installation\n\neslump is primarily intended to be used as a CLI tool.\n\n```\nnpm install --global eslump\n```\n\nYou can also use parts of it as a Node.js module.\n\n```\nnpm install eslump\n```\n\n## CLI\n\n\u003cdetails\u003e\n\n\u003csummary\u003e\u003ccode\u003eeslump --help\u003c/code\u003e\u003c/summary\u003e\n\n```\nUsage: eslump [options]\n   or: eslump TEST_FILE OUTPUT_DIR [options]\n\nOptions:\n\n  --max-depth Number    The maximum depth of the random JavaScript. - default: 7\n  --source-type String  Parsing mode. - either: module or script - default: module\n  --whitespace          Randomize the whitespace in the random JavaScript.\n  --comments            Insert random comments into the random JavaScript.\n  -r, --reproduce       Reproduce a previous error using files in OUTPUT_DIR.\n  -h, --help            Show help\n  -v, --version         Show version\n\nWhen no arguments are provided, random JavaScript is printed to stdout.\nOtherwise, TEST_FILE is executed until an error occurs, or you kill the\nprogram. 
When an error occurs, the error is printed to stdout and files\nare written to OUTPUT_DIR:\n\n  - random.js contains the random JavaScript that caused the error.\n  - random.backup.js is a backup of random.js.\n  - reproductionData.json contains additional data defined by TEST_FILE\n    needed to reproduce the error caused by random.js, if any.\n  - Other files, if any, are defined by TEST_FILE.\n\nOUTPUT_DIR is created as with `mkdir -p` if non-existent.\n\nFor information on how to write a TEST_FILE, see:\nhttps://github.com/lydell/eslump#test-files\n\nExamples:\n\n  # See how \"prettier\" pretty-prints random JavaScript.\n  $ eslump | prettier --parser babel\n\n  # Run test.js and save the results in output/.\n  $ eslump test.js output/\n\n  # Narrow down the needed JavaScript to produce the error.\n  # output/random.backup.js is handy if you go too far.\n  $ vim output/random.js\n\n  # Reproduce the narrowed down case.\n  $ eslump test.js output/ --reproduce\n```\n\n\u003c/details\u003e\n\n## Module\n\n```js\nconst { generateRandomJS } = require(\"eslump\");\n\nconst randomJSString = generateRandomJS({\n  sourceType: \"module\",\n  maxDepth: 7,\n  comments: false,\n  whitespace: false,\n});\n```\n\n### `generateRandomJS(options = {})`\n\nReturns a string of random JavaScript code.\n\nIf you want, you can pass some options:\n\n| Option | Type | Default | Description |\n| --- | --- | --- | --- |\n| sourceType | `\"module\"` or `\"script\"` | `\"module\"` | The type of code to generate. |\n| maxDepth | integer | 7 | How deeply nested AST:s to generate. |\n| comments | boolean | false | Whether or not to generate random comments. |\n| whitespace | boolean | false | Whether or not to generate random whitespace. |\n\n## Disclaimer\n\neslump was created from the need of finding edge cases in [Prettier]. It started out as a bare-bones little script in a branch on my fork of that repo. 
As I wanted more and more features, I extracted it and fleshed it out in its own repo. Then I realized that it might be useful to others, so I put it on GitHub and made the CLI installable from npm.\n\nInitially, eslump basically just strung together [shift-fuzzer] and [shift-codegen]. Then, I realized that no random comments were generated, so I hacked that in (along with random whitespace) since comments are very difficult to get right in Prettier. Then, random parentheses and semicolons were requested, so I hacked that in as well.\n\neslump has successfully found lots of little edge cases in Prettier, so it evidently works. But there aren’t many tests. (I’ve mostly gone meta and fuzz-tested it using itself basically.)\n\nFrom the beginning eslump was only ever intended to be a CLI tool, but other people have started to want to use eslump’s code generation as an npm module, so these days it can also be used as a module. If you know what you’re doing.\n\nHere are some features I’d like to see from a proper random JS library:\n\n- No hacks.\n- Seeded randomness, so things can be reproduced.\n- JSX and Flow support.\n- Ability to generate code without any early errors.\n- Possibly ways to prevent certain syntax constructs from being generated.\n\n## Examples\n\nThere are several examples in the [examples] directory.\n\n- Parsers:\n\n  - [acorn]\n  - [@babel/parser]\n  - [espree]\n  - [esprima]\n  - [flow]\n  - [meriyah]\n  - [shift-parser]\n\n- Code generators:\n  - [@babel/generator]\n  - [escodegen]\n  - [Prettier]\n  - [shift-codegen]\n\nTo run the Acorn example, for instance, follow these steps:\n\n1. Clone this repository.\n2. `npm ci`\n3. 
`eslump examples/acorn.js output`\n\n## Test files\n\n```\n$ eslump test.js output/\n```\n\nTest files, `test.js` in the above example, must follow this pattern:\n\n```js\nmodule.exports = ({\n  code, // String.\n  sourceType, // String, either \"module\" or \"script\".\n  reproductionData = {}, // undefined or anything that `JSON.parse` can return.\n}) =\u003e {\n  if (testFailedSomehow) {\n    return {\n      error, // Caught Error object.\n      reproductionData, // Optional. Anything that `JSON.stringify` can handle.\n      artifacts, // Optional. Object mapping file names to string contents.\n    };\n  }\n  // If the test passed, return nothing.\n};\n```\n\n- The main export is a function, called the _test function._\n\n- The test function accepts a single argument, an object with the following properties:\n\n  - code: `String`. Randomly generated JavaScript, or the contents of `OUTPUT_DIR/random.js` if using the `--reproduce` flag.\n\n  - sourceType: `String`. Either `\"module\"` or `\"script\"`. ES2015 can be parsed in one of these modes, and parsers usually have an option for choosing between the two.\n\n  - reproductionData: `undefined` or anything that `JSON.parse` can return. Normally, it is `undefined`. When using the `--reproduce` flag, this property contains the result of running `JSON.parse` on the contents of `OUTPUT_DIR/reproductionData.json`. This is used when the test function itself generates random data, such as random options for a parser.\n\n    - If the test function is completely deterministic, ignore this property.\n    - Otherwise, generate random options if it is `undefined`.\n    - In all other cases, use its data to be able to reproduce a previous error.\n\n- The test function returns nothing if the test succeeded. Then, eslump will run it again with new random JavaScript code. 
If the `--reproduce` flag is used, the test function will only be run once (and if nothing fails in that run something is wrong).\n\n- The test function returns an object with the following properties if the test fails:\n\n  - error: `Error`. The caught error. (Technically, this property can have any value, since anything can be `throw`n.)\n\n  - reproductionData: Anything that `JSON.stringify` can handle. Optional. If the test function isn’t completely deterministic, such as when generating random options for a parser, the data needed to reproduce the error in the future must be set here. eslump will write this data to `OUTPUT_DIR/reproductionData.json`. That file will be read, parsed and passed to the test function when using the `--reproduce` flag.\n\n  - artifacts: `Object`. Optional. Sometimes it can be useful to see intermediate values in addition to just the random JavaScript when a test fails, such as the AST from a parser. Each key-value pair describes a file to write:\n\n    - The object keys are file paths relative to `OUTPUT_DIR`. The file will be written at `OUTPUT_DIR/key`.\n    - The object values are the contents of the file. (The values will be passed through the `String` function before writing.)\n\n    Example:\n\n    ```js\n      {\n        artifacts: {\n          \"ast.json\": JSON.stringify(ast, null, 2)\n        }\n      }\n    ```\n\n- The test function must not throw errors, so be sure to wrap everything in try-catch. 
(eslump will catch uncaught errors, but it will not have a chance to write `OUTPUT_DIR/reproductionData.json` or any artifacts.)\n\n## License\n\n[MIT](LICENSE).\n\n[@babel/generator]: https://github.com/babel/babel/tree/master/packages/babel-generator\n[@babel/parser]: https://babeljs.io/docs/en/babel-parser.html\n[acorn]: https://github.com/acornjs/acorn\n[ci-badge]: https://github.com/lydell/eslump/actions/workflows/test.yml/badge.svg\n[ci-link]: https://github.com/lydell/eslump/actions\n[doctoc]: https://github.com/thlorenz/doctoc\n[escodegen]: https://github.com/estools/escodegen\n[esfuzz]: https://github.com/estools/esfuzz\n[eslint]: https://eslint.org/\n[espree]: https://github.com/eslint/espree\n[esprima]: https://github.com/jquery/esprima\n[examples]: https://github.com/lydell/eslump/tree/main/examples\n[flow]: https://github.com/facebook/flow\n[jest]: https://jestjs.io/\n[meriyah]: https://github.com/meriyah/meriyah\n[node.js]: https://nodejs.org/en/\n[npm]: https://www.npmjs.com/\n[prettier]: https://github.com/prettier/prettier\n[shift-codegen]: https://github.com/shapesecurity/shift-codegen-js\n[shift-fuzzer]: https://github.com/shapesecurity/shift-fuzzer-js\n[shift-parser]: https://github.com/shapesecurity/shift-parser-js\n[typescript]: https://github.com/Microsoft/TypeScript\n","funding_links":[],"categories":["Fuzzing"],"sub_categories":["DHCP"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flydell%2Feslump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flydell%2Feslump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flydell%2Feslump/lists"}