TypeScript Support

Skylos provides analysis capabilities for TypeScript (.ts, .tsx) and JavaScript files using tree-sitter parsing.

Features

TypeScript analysis includes:

Dead code detection: Unused functions, classes, interfaces, enums, type aliases, variables, methods, and imports
Security scanning: eval(), unsafe innerHTML, document.write(), new Function(), outerHTML, string-based timers, command injection
Quality analysis: Cyclomatic complexity, nesting depth, function length, and parameter count

How It Works

Skylos uses tree-sitter with the TypeScript grammar to parse files into a syntax tree. This enables accurate analysis without requiring a full TypeScript compiler setup.

Parsing Pipeline

Read source file as bytes
Parse with tree-sitter TypeScript grammar
Query for definitions (functions, classes, interfaces, enums, type aliases, methods, variables, imports)
Query for references (calls, property accesses, type references, decorators, exports, inheritance)
Cross-reference to find unused definitions

Dead Code Detection

Supported Definitions

Type	Detection Pattern
Functions	`function foo() {}`
Arrow functions	`const foo = () => {}`
Classes	`class Foo {}`
Interfaces	`interface Foo {}`
Enums	`enum Foo {}`
Type aliases	`type Foo = ...`
Methods	`class { method() {} }`
Top-level variables	`const foo = value`
Imports	`import { foo } from '...'`

Export Awareness

Exported definitions are treated differently:

// Not flagged - exported
export function publicApi() {}

// Flagged if not called internally
function internalHelper() {}

Lifecycle Method Exclusions

Framework lifecycle methods are automatically excluded from dead code detection:

React: constructor, render, componentDidMount, componentWillUnmount, componentDidUpdate, shouldComponentUpdate, getDerivedStateFromProps, getSnapshotBeforeUpdate
Angular: ngOnInit, ngOnDestroy, ngOnChanges, ngAfterViewInit
Web Components: connectedCallback, disconnectedCallback, attributeChangedCallback

Reference Tracking

Skylos tracks references across many usage patterns:

Function calls and new expressions
Property accesses and member expressions
Callback arguments, return values, and spread elements
Array storage and object shorthand properties
Type annotations and type references
Decorator usage (decorated classes are not flagged)
Export specifiers and extends clauses

Security Rules

SKY-D501: eval()

Detects use of eval(), which can execute arbitrary code.

// Flagged (CRITICAL)
eval(userInput);

SKY-D502: innerHTML

Detects unsafe innerHTML assignments that could enable XSS.

// Flagged (HIGH)
element.innerHTML = userContent;

SKY-D503: document.write()

Detects document.write() calls that can lead to XSS vulnerabilities.

// Flagged (HIGH)
document.write(data);

SKY-D504: new Function()

Detects new Function() constructor which is equivalent to eval().

// Flagged (CRITICAL)
const fn = new Function('return ' + userInput);

SKY-D505: String-based Timers

Detects setTimeout() and setInterval() with string arguments, which are equivalent to eval().

// Flagged (HIGH)
setTimeout("alert('xss')", 1000);
setInterval("doStuff()", 500);

// Not flagged - function reference
setTimeout(() => alert('ok'), 1000);

SKY-D506: child_process.exec()

Detects .exec() calls that may indicate command injection. Safe objects like regex, db, stmt, and cursor are automatically excluded.

// Flagged (HIGH)
child_process.exec(userCommand);

// Not flagged - regex exec is safe
const match = pattern.exec(input);

SKY-D507: outerHTML

Detects unsafe outerHTML assignments that could enable XSS.

// Flagged (HIGH)
element.outerHTML = userContent;

Quality Rules

SKY-Q601: Function Complexity

Measures cyclomatic complexity for TypeScript functions.

Complexity nodes:

if_statement
for_statement
while_statement
switch_case
catch_clause
ternary_expression

// Complexity: 4
function process(data: Data) {
  if (data.valid) {           // +1
    for (const item of data.items) {  // +1
      if (item.active) {      // +1
        handle(item);
      }
    }
  }
}

SKY-Q602: Nesting Depth

Flags functions with deeply nested control flow.

Nesting nodes:

if_statement
for_statement, for_in_statement
while_statement, do_statement
switch_statement
try_statement

// Nesting depth: 3 (flagged if limit is 4)
function deep() {
  if (a) {                    // depth 1
    for (const x of items) {  // depth 2
      if (x.ok) {             // depth 3
        handle(x);
      }
    }
  }
}

SKY-Q603: Function Length

Flags functions that exceed the maximum line count.

// Flagged if > 50 lines (default)
function longFunction() {
  // ... 60 lines of code
}

SKY-Q604: Parameter Count

Flags functions with too many parameters.

// Flagged if > 5 parameters (default)
function configure(a: string, b: number, c: boolean, d: object, e: string[], f: Map<string, any>) {
  // ...
}

Configuration

Override TypeScript thresholds separately from Python:

[tool.skylos.languages.typescript]
complexity = 15  # Higher threshold for TS

Running Analysis

Skylos automatically detects TypeScript files in the scan path:

# Scans both Python and TypeScript
skylos ./src --danger --quality

File Extensions

Supported extensions:

.ts - TypeScript
.tsx - TypeScript with JSX

Output Example

──────────────────── Unreachable Functions ────────────────────
 #   Name                 Location
 1   unusedHelper         src/utils.ts:45
 2   deprecatedFunc       src/legacy.ts:12
 3   OldInterface         src/types.ts:8

───────────────────── Security Issues ─────────────────────────
 #   Rule       Severity   Message                             Location
 1   SKY-D501   Critical   Use of eval() detected              src/dynamic.ts:23
 2   SKY-D502   High       Unsafe innerHTML assignment          src/render.tsx:67
 3   SKY-D503   High       document.write() can lead to XSS    src/legacy.ts:12
 4   SKY-D504   Critical   new Function() is equivalent to eval src/exec.ts:5
 5   SKY-D506   High       child_process.exec() command inject  src/run.ts:41

────────────────────── Quality Issues ─────────────────────────
 #   Rule       Severity   Message                             Location
 1   SKY-Q601   Medium     Function 'processData' complexity 18 src/processor.ts:30
 2   SKY-Q602   Medium     Function 'handle' nesting depth 6    src/handler.ts:15
 3   SKY-Q603   Low        Function 'init' is 85 lines long     src/setup.ts:10
 4   SKY-Q604   Low        Function 'configure' has 8 params    src/config.ts:22

Limitations

Not Supported

Type checking: Skylos doesn't validate TypeScript types
Import resolution: Cross-file imports are not fully resolved
JSDoc: Documentation comments are not analyzed

Workarounds

For React components that appear unused:

// Components exported from index are often used externally
export { MyComponent } from './MyComponent';  // Not flagged

For dynamic patterns:

// noqa: skylos
const handler = handlers[eventType];

Dependencies

TypeScript support requires:

tree-sitter>=0.25.2
tree-sitter-typescript>=0.23.2

These are installed automatically with Skylos:

pip install skylos

Integration with Python Projects

Skylos can analyze mixed-language projects:

my-project/
├── backend/  # Python - fully analyzed
│   ├── api/
│   └── models/
├── frontend/  # TypeScript - analyzed
│   ├── src/
│   └── components/
└── pyproject.toml

# Analyze everything
skylos . --danger --quality

# Analyze only frontend
skylos ./frontend --quality

Features​

How It Works​

Parsing Pipeline​

Dead Code Detection​

Supported Definitions​

Export Awareness​

Lifecycle Method Exclusions​

Reference Tracking​

Security Rules​

SKY-D501: eval()​

SKY-D502: innerHTML​

SKY-D503: document.write()​

SKY-D504: new Function()​

SKY-D505: String-based Timers​

SKY-D506: child_process.exec()​

SKY-D507: outerHTML​

Quality Rules​

SKY-Q601: Function Complexity​

SKY-Q602: Nesting Depth​

SKY-Q603: Function Length​

SKY-Q604: Parameter Count​

Configuration​

Running Analysis​

File Extensions​

Output Example​

Limitations​

Not Supported​

Workarounds​

Dependencies​

Integration with Python Projects​