Audit: src
Scope: Root-level files only (3 files audited)
Date: 2026-06-26
Findings
| # | File | Type | Severity | Summary |
|---|------|------|----------|---------|
| 1 | helpers.js | bug | medium | applyNumberFormatting padding logic does not truncate when separator is used with pad — excess decimal places are preserved instead of being trimmed to round |
| 2 | filesize.js | code-smell | low | isNaN(arg) should be isNaN(num) for clarity — functionally equivalent here but misleading |
| 3 | filesize.js | fragility | low | partial uses JSON.parse(JSON.stringify()) for deep cloning — loses functions, undefined, Dates, RegExps |
Details
1. Padding with separator (medium)
File: helpers.js → applyNumberFormatting
When both separator and pad options are set, the padding logic runs after the separator replacement. The padEnd call only adds trailing zeros — it does not truncate excess decimal places. If the value has more decimal digits than round, the output will exceed the requested precision.
Example: filesize(1234.567, {separator: ",", pad: true, round: 2}) → "1,234.567" (expected "1,234.57" or similar)
2. isNaN clarity (low)
File: filesize.js → filesize function
isNaN(arg) is used after num = Number(arg). While functionally equivalent in this context (both coerce to number), isNaN(num) would be clearer and more intentional.
3. JSON deep clone fragility (low)
File: filesize.js → partial function
JSON.parse(JSON.stringify(localeOptions)) etc. is used for deep cloning. This works for plain objects/arrays but silently drops functions, undefined, Dates, RegExps, and circular references. Fine for current use case but fragile if options evolve.
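An added example (not code from the audited project): a check that lists which option paths would not survive the JSON round-trip named in finding 3. `findLossyPaths` and the sample fields `formatter`, `createdAt`, `pattern` and `fallback` are hypothetical.

```javascript
// Added example: findLossyPaths is a hypothetical helper, not part of filesize.js.
// It lists every path in an options object that JSON.parse(JSON.stringify(x))
// would not reproduce faithfully.
function findLossyPaths(value, path = "$", ancestors = new Set(), out = []) {
  const t = typeof value;
  if (t === "function" || t === "undefined" || t === "symbol") {
    out.push({ path, reason: `${t} is omitted (null inside an array)` });
  } else if (t === "bigint") {
    out.push({ path, reason: "bigint makes JSON.stringify throw" });
  } else if (t === "number" && !Number.isFinite(value)) {
    out.push({ path, reason: "NaN/Infinity becomes null" });
  } else if (value instanceof Date) {
    out.push({ path, reason: "Date comes back as a string (null if invalid)" });
  } else if (value instanceof RegExp || value instanceof Map || value instanceof Set) {
    out.push({ path, reason: `${value.constructor.name} comes back as {}` });
  } else if (value !== null && t === "object") {
    if (ancestors.has(value)) {
      out.push({ path, reason: "circular reference makes JSON.stringify throw" });
      return out;
    }
    ancestors.add(value); // track only the current ancestor chain
    for (const key of Object.keys(value)) {
      findLossyPaths(value[key], `${path}.${key}`, ancestors, out);
    }
    ancestors.delete(value); // shared (non-circular) references are fine
  }
  return out;
}

// Constructed sample: round, separator and localeOptions are names from the
// audit; formatter, createdAt, pattern and fallback are made up for the demo.
const sampleOptions = {
  round: 2,
  separator: ",",
  localeOptions: { minimumFractionDigits: 2, formatter: (n) => String(n) },
  createdAt: new Date(0),
  pattern: /\d+/,
  fallback: undefined,
};

// Compare the report with what the JSON clone actually contains.
const jsonClone = JSON.parse(JSON.stringify(sampleOptions));
for (const { path, reason } of findLossyPaths(sampleOptions)) {
  console.log(`${path}: ${reason}`);
}
console.log(jsonClone);
```

An empty result from `findLossyPaths` means the JSON clone is safe for that object; a non-empty one names the fields to handle before the clone is relied on.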
Files Audited
constants.js — Pure data exports, no issues found
filesize.js — Main entry point, 2 low-severity findings
helpers.js — Helper functions, 1 medium-severity finding