NodeSecure · fraxken · Dec 21, 2025 · Dec 19, 2025
diff --git a/.changeset/tall-drinks-push.md b/.changeset/tall-drinks-push.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/tarball": patch
+---
+
+Never throw in SourceCodeScanner because it break the scanner pipeline
diff --git a/workspaces/scanner/test/depWalker.spec.ts b/workspaces/scanner/test/depWalker.spec.ts
@@ -162,10 +162,6 @@ test("execute depWalker on pkg.gitdeps", async(test) => {
   const walkErrors = errors();
 
   assert.deepStrictEqual(walkErrors, [
-    {
-      error: "You must provide at least one file either in manifest or javascript",
-      phase: "tarball-scan"
-    },
     {
       error: "404 Not Found - GET https://registry.npmjs.org/pkg.gitdeps - Not found",
       phase: "tarball-scan"

diff --git a/workspaces/tarball/src/class/NpmTarball.class.ts b/workspaces/tarball/src/class/NpmTarball.class.ts
@@ -29,7 +29,9 @@ export interface ScannedFilesResult {
 }
 
 export class NpmTarball {
-  static JS_EXTENSIONS = new Set([".js", ".mjs", ".cjs"]);
+  static JS_EXTENSIONS = new Set([
+    ".js", ".mjs", ".cjs"
+  ]);
 
   manifest: LocatedManifestManager;
 

diff --git a/workspaces/tarball/src/class/SourceCodeScanner.class.ts b/workspaces/tarball/src/class/SourceCodeScanner.class.ts
@@ -153,22 +153,23 @@ export class SourceCodeScanner<
   async iterate(
     entries: SourceCodeEntries
   ): Promise<T> {
+    const report = this.#initNewReport();
     if (
       entries.manifest.length === 0 &&
       entries.javascript.length === 0
     ) {
-      throw new Error("You must provide at least one file either in manifest or javascript");
+      return report;
     }
 
     return entries.manifest.length > 0 ?
-      this.#iterateWithEntries(entries) :
-      this.#iterateAll(entries.javascript);
+      this.#iterateWithEntries(report, entries) :
+      this.#iterateAll(report, entries.javascript);
   }
 
   async #iterateWithEntries(
+    report: T,
     entries: SourceCodeEntries
   ): Promise<T> {
-    const report = this.#initNewReport();
     const { location } = this.manifest;
 
     const efa = new EntryFilesAnalyser({
@@ -187,21 +188,21 @@ export class SourceCodeScanner<
 
     return report.consumed ?
       report :
-      this.#iterateAll(entries.javascript);
+      this.#iterateAll(report, entries.javascript);
   }
 
   async #iterateAll(
+    report: T,
     sourceFiles: string[]
   ): Promise<T> {
     if (sourceFiles.length === 0) {
-      throw new Error("You must provide at least one javascript source file");
+      return report;
     }
 
     const {
       location,
       document: { name: packageName, type }
     } = this.manifest;
-    const report = this.#initNewReport();
 
     await Promise.allSettled(
       sourceFiles.map(async(relativeFile) => {

diff --git a/workspaces/tarball/test/SourceCodeScanner.spec.ts b/workspaces/tarball/test/SourceCodeScanner.spec.ts
@@ -21,29 +21,25 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const kFixturePath = path.join(__dirname, "fixtures", "scanPackage");
 
 describe("SourceCodeScanner", () => {
-  test("iterate() should throw if we provide no files", async() => {
+  test("iterate() should return empty report if we provide no files", async() => {
     const mama = loadFixtureManifest("entryfiles");
     const scanner = new SourceCodeScanner(mama);
 
-    await assert.rejects(
-      () => scanner.iterate({ manifest: [], javascript: [] }),
-      { message: "You must provide at least one file either in manifest or javascript" }
-    );
+    const report = await scanner.iterate({ manifest: [], javascript: [] });
+    assert.strictEqual(report.consumed, false);
   });
 
-  test("iterate() should throw if we provide a manifest that doesn't exist and zero JavaScript files", async() => {
+  test("iterate() should return empty report if we provide a manifest that doesn't exist and zero JavaScript files", async() => {
     const mama = loadFixtureManifest("entryfiles");
     const scanner = new SourceCodeScanner(mama);
 
-    await assert.rejects(
-      () => scanner.iterate({
-        manifest: [
-          "src/bar.js"
-        ],
-        javascript: []
-      }),
-      { message: "You must provide at least one javascript source file" }
-    );
+    const report = await scanner.iterate({
+      manifest: [
+        "src/bar.js"
+      ],
+      javascript: []
+    });
+    assert.strictEqual(report.consumed, false);
   });
 
   test("iterate() should properly trace and report required files using one manifest entry file", async() => {