
Releases: NodeSecure/js-x-ray

@nodesecure/js-x-ray@11.7.0

07 Feb 22:49
4f1e030

Minor Changes

  • #523 7918a5d Thanks @fraxken! - Add support for native type stripping inside JsSourceParser using node:module API

@nodesecure/tracer@4.0.0

02 Feb 12:48
3ec9b28

Major Changes

Patch Changes

  • Updated dependencies [1c2c39f]:
    • @nodesecure/estree-ast-utils@4.3.0

@nodesecure/js-x-ray@11.5.0

02 Feb 12:48
3ec9b28

Minor Changes

  • #494 3686651 Thanks @clemgbld! - feat(js-x-ray): detect more sync IO methods for crypto module

  • #505 4800d5d Thanks @fraxken! - Implement i18n translation locally for warnings

  • #483 996be20 Thanks @clemgbld! - refactor(js-x-ray): valideProbe optimisation on CallExpressionIdentifier with tracer

  • #486 4259011 Thanks @clemgbld! - feat(js-x-ray): add metadata in analyzeFile and analyzeFileSync in AstAnalyzer

  • #485 cf75218 Thanks @fraxken! - Implement a new monkey-patch warning/probe

  • #501 1c2c39f Thanks @clemgbld! - feat: detect identifier sql-injection

  • #491 4674d38 Thanks @fraxken! - Enhance ProbeRunner runProbe readability by removing tabs and implementing a new private method #getProbeHandler

Patch Changes

  • #496 667cccf Thanks @7amed3li! - feat: add performance benchmarks using mitata

  • Updated dependencies [1c2c39f]:

    • @nodesecure/tracer@4.0.0
    • @nodesecure/estree-ast-utils@4.3.0

@nodesecure/estree-ast-utils@4.3.0

02 Feb 12:48
3ec9b28

Minor Changes

@nodesecure/tracer@3.1.0

26 Jan 10:54
0828de3

Minor Changes

  • #471 e288c04 Thanks @clemgbld! - feat: generate data-exfiltration warning on import when the sensitivity is aggressive

@nodesecure/js-x-ray@11.4.0

26 Jan 10:54
0828de3

Minor Changes

  • #468 317d679 Thanks @7amed3li! - feat(isLiteral): add email collection using CollectableSet API

    Implemented email detection and collection in the isLiteral probe. The probe now identifies email addresses in string literals using the same regex pattern as the CLI and collects them via the CollectableSet API.

    • Added email regex constant matching CLI implementation
    • Email addresses are now collected when CollectableSet("email") is provided
    • Added comprehensive test cases covering valid/invalid formats and edge cases
  • #462 ed0a637 Thanks @7amed3li! - Support multiple named main handlers in probes (resolves #460)

    Introduces support for multiple named main entrypoints in probes, allowing probes to define different handlers for various analysis scenarios. This enables more flexible probe implementations while maintaining full backward compatibility.

    Key Changes:

    • Added NamedMainHandlers type supporting multiple handler functions with required default handler
    • Extended ProbeContext with setEntryPoint(handlerName: string) method for handler selection
    • Updated Probe interface to accept either single main function or NamedMainHandlers object
    • Implemented handler resolution logic in ProbeRunner#runProbe with automatic cleanup
    • Added comprehensive test coverage (all 14 existing tests + 8 new tests passing)

    Backward Compatibility:

    • Existing probes with single main function continue to work without changes
    • setEntryPoint method available but optional for backward-compatible probes
    • No breaking changes to existing API

    This is the core infrastructure PR. Future work will include example probe refactoring and documentation updates.

  • #456 9f4e420 Thanks @7amed3li! - Add sensitivity option to AstAnalyser for configurable warning detection

    Introduces a new sensitivity option in AstAnalyserOptions that allows users to control the strictness of warning detection:

    • conservative (default): Maintains current strict behavior to minimize false positives. Suitable for scanning ecosystem libraries.
    • aggressive: Detects all child_process usage for maximum visibility in local project scanning.

    This change implements the sensitivity option for the isUnsafeCommand probe. Additional probes (isSerializeEnv, data-exfiltration) can be updated in future releases.

  • #480 d9e0481 Thanks @clemgbld! - feat(js-x-ray): add sql-injection probe

  • #467 8948caa Thanks @7amed3li! - feat(isSerializeEnv): add named handler for direct process.env access detection

    Introduces a named handler pattern in the isSerializeEnv probe to detect direct process.env access when running in aggressive sensitivity mode.

    Changes:

    • Added validateProcessEnv validator to detect process.env MemberExpression nodes
    • Added processEnvHandler named handler that triggers only in aggressive mode
    • Converted probe export to use NamedMainHandlers pattern with default and process.env handlers
    • Existing JSON.stringify(process.env) detection remains unchanged (backward compatible)

    Behavior:

    • Conservative mode (default): Only flags process.env when used with JSON.stringify
    • Aggressive mode: Additionally flags any direct process.env access

    Relates to #367

  • #454 bad3093 Thanks @clemgbld! - feat(js-x-ray): isUnsafeCommand transform TemplateLiteral to Literal

  • #464 18fc25a Thanks @clemgbld! - feat(js-x-ray): collectable set can add metadata

  • #479 8848684 Thanks @clemgbld! - feat(js-x-ray): implement log-usage probe

  • #471 e288c04 Thanks @clemgbld! - feat: generate data-exfiltration warning on import when the sensitivity is aggressive

  • #463 e621d91 Thanks @clemgbld! - feat(js-x-ray): do not detect file: as shady link

  • #469 c4fad05 Thanks @fraxken! - Introduce new VirtualIdentifier to split inlined require() with chained MemberExpr/CallExpr

  • #478 029031c Thanks @clemgbld! - refactor(js-x-ray): type the type of CollectableSet
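The sensitivity option (#456) and the named-handler probe shape with setEntryPoint (#462, #467) described in the entries above, shown together as an added illustration. This is not js-x-ray's own implementation: the probe object, the analyse() runner, the ctx fields and the report() call are assumptions made for the example, and the AST is built by hand in the ESTree shape a parser would produce rather than parsed. Only the behaviour follows the release notes: conservative mode flags process.env solely inside JSON.stringify, aggressive mode additionally flags any direct process.env access.

```javascript
// Added illustration (not js-x-ray's code): a miniature probe runner that
// mimics the `sensitivity` option and a probe with named main handlers
// selected through `ctx.setEntryPoint()`. Probe, runner and option names
// are assumptions; only the conservative/aggressive behaviour follows the
// release notes.

// Depth-first walk over an ESTree-shaped object tree, yielding each node
// together with its parent so handlers can inspect surrounding context.
function* walk(node, parent = null) {
  if (node === null || typeof node !== "object") return;
  if (Array.isArray(node)) {
    for (const child of node) yield* walk(child, parent);
    return;
  }
  if (typeof node.type === "string") yield { node, parent };
  for (const [key, value] of Object.entries(node)) {
    if (key === "type" || key === "loc") continue;
    yield* walk(value, node);
  }
}

// `process.env` as a MemberExpression.
function isProcessEnv(node) {
  return node.type === "MemberExpression"
    && node.object.type === "Identifier" && node.object.name === "process"
    && node.property.type === "Identifier" && node.property.name === "env";
}

// `JSON.stringify(process.env)` as a CallExpression.
function isStringifyProcessEnv(node) {
  if (node.type !== "CallExpression") return false;
  const { callee } = node;
  return callee.type === "MemberExpression"
    && callee.object.type === "Identifier" && callee.object.name === "JSON"
    && callee.property.type === "Identifier" && callee.property.name === "stringify"
    && node.arguments.length === 1 && isProcessEnv(node.arguments[0]);
}

// Hypothetical probe in the named-handler shape: `default` is required and
// always runs; `processEnv` runs only when `default` selects it, which it
// does only in aggressive mode.
const isSerializeEnvProbe = {
  name: "isSerializeEnv",
  main: {
    default(node, ctx) {
      if (isStringifyProcessEnv(node)) {
        ctx.report("unsafe-stmt", "JSON.stringify(process.env)");
        return;
      }
      if (ctx.sensitivity === "aggressive") ctx.setEntryPoint("processEnv");
    },
    processEnv(node, ctx) {
      // Skip the argument of JSON.stringify: `default` already reported it.
      if (isProcessEnv(node) && !(ctx.parent && isStringifyProcessEnv(ctx.parent))) {
        ctx.report("unsafe-stmt", "process.env");
      }
    }
  }
};

// Runner: resolves the entry point chosen by `default` and resets it before
// the next node (the "automatic cleanup" the notes mention).
function analyse(ast, { sensitivity = "conservative" } = {}, probe = isSerializeEnvProbe) {
  const warnings = [];
  const ctx = {
    sensitivity,
    parent: null,
    entryPoint: null,
    setEntryPoint(name) { this.entryPoint = name; },
    report(kind, value) { warnings.push({ kind, value, probe: probe.name }); }
  };
  for (const { node, parent } of walk(ast)) {
    ctx.parent = parent;
    ctx.entryPoint = null;
    probe.main.default(node, ctx);
    if (ctx.entryPoint !== null && ctx.entryPoint !== "default") {
      probe.main[ctx.entryPoint](node, ctx);
    }
  }
  return warnings;
}

// Constructed AST for this two-line program (what a parser would produce):
//   const dump = JSON.stringify(process.env);
//   const home = process.env.HOME;
const ident = (name) => ({ type: "Identifier", name });
const member = (object, property) => ({
  type: "MemberExpression", computed: false, object, property: ident(property)
});
const declare = (name, init) => ({
  type: "VariableDeclaration", kind: "const",
  declarations: [{ type: "VariableDeclarator", id: ident(name), init }]
});
const SAMPLE_AST = {
  type: "Program",
  body: [
    declare("dump", {
      type: "CallExpression",
      callee: member(ident("JSON"), "stringify"),
      arguments: [member(ident("process"), "env")]
    }),
    declare("home", member(member(ident("process"), "env"), "HOME"))
  ]
};

console.log("conservative:", analyse(SAMPLE_AST));
console.log("aggressive:", analyse(SAMPLE_AST, { sensitivity: "aggressive" }));
```

Run with node: the conservative pass reports one warning (the JSON.stringify call) and the aggressive pass reports two (the same call plus the bare process.env.HOME read). The default handler deciding per node whether to hand off to a named handler is what lets the aggressive rule live in a separate entry point without touching the existing detection.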

Patch Changes

  • #482 9b51811 Thanks @clemgbld! - fix(js-x-ray): fix 32-bit IP address false positive

  • Updated dependencies [e288c04]:

    • @nodesecure/tracer@3.1.0

@nodesecure/js-x-ray@11.3.0

13 Jan 05:52
124610a

Minor Changes

  • #453 0b0751a Thanks @clemgbld! - feat(js-x-ray): scan and collect IP addresses that are not URLs

  • #452 a01b8e7 Thanks @7amed3li! - Added detection for local IP addresses and localhost in URLs. These are now flagged with the existing shady-link warning but with Information severity level instead of Warning.

  • #450 3185318 Thanks @fraxken! - Allow to customize warnings severity

@nodesecure/js-x-ray@11.2.0

01 Jan 17:51
f4453e8

Minor Changes

@nodesecure/ts-source-parser@1.1.0

24 Dec 14:38
462bc6c

Minor Changes

@nodesecure/js-x-ray@11.1.0

24 Dec 14:38
462bc6c

Minor Changes

Patch Changes

  • Updated dependencies [8d7efd2]:
    • @nodesecure/ts-source-parser@1.1.0