@coana-tech/cli 14.12.166 → 14.12.168

package/cli.mjs

@@ -251307,7 +251307,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.166";
+var version3 = "14.12.168";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.166",
+  "version": "14.12.168",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110988,10 +110988,14 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const jellyExecutable = ToolPathResolver.jellyPath;
     const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => {
       assert4(v.range);
+      let patterns = v.vulnerabilityAccessPaths;
+      if (experiment === "AUGMENT_IMPORT_PATHS_EXPERIMENT")
+        patterns = patterns.map((p) => p.replace(">", "/**>"));
+      if (patterns.some((p) => p.includes("?")) && patterns.some((p) => p.includes("(cbarg)")))
+        patterns = patterns.filter((p) => !p.includes("?"));
       return {
         npm: v,
-        patterns: v.vulnerabilityAccessPaths.map((p) => experiment === "AUGMENT_IMPORT_PATHS_EXPERIMENT" ? p.replace(">", "/**>") : p)
-        // Replace > with /**> to ensure Jelly also matches call <PKG/dist/index.js>.foo for pattern <PKG>.foo
+        patterns
       };
     });
     const vulnerabilitiesFile = resolve13(tmpFolder, "vulnerabilities.json");
@@ -111005,6 +111009,8 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const additionalFlags = process.env.JELLY_ADDITIONAL_FLAGS?.split(/\s+/).filter(Boolean) ?? [];
     const jellyCmd = cmdt`
       ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
+        ${logFile && // Enable verbose GC tracing if log file is requested
+    ["--trace-gc", "--trace-gc-verbose", "--trace-gc-ignore-scavenger", "--trace-mutator-utilization"]}
         ${jellyExecutable}
         --basedir ${mainProjectRoot}
         --timeout ${timeoutInSeconds}

package/repos/coana-tech/jelly-private/dist/bundle/approx.js

@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
 import {
   require_hints,
   require_parser
-} from "./chunk-BV33FESD.js";
+} from "./chunk-2EM22I7M.js";
 import {
   require_proxy,
   require_sandbox
-} from "./chunk-ID4Q5QL5.js";
+} from "./chunk-USUJB4DB.js";
 import {
   __commonJS,
   __name,
@@ -21,7 +21,7 @@ import {
   require_options,
   require_transform,
   require_util
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // lib/approx/approx.js
 var require_approx = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-BV33FESD.js → chunk-2EM22I7M.js}

@@ -14,7 +14,7 @@ import {
   require_options,
   require_tokens,
   require_util
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // lib/parsing/parser.js
 var require_parser = __commonJS({
@@ -516,4 +516,4 @@ export {
   require_patching,
   require_hints
 };
-//# sourceMappingURL=chunk-BV33FESD.js.map
+//# sourceMappingURL=chunk-2EM22I7M.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-AAKFGMVW.js → chunk-NHEUSYVH.js}

@@ -11794,54 +11794,55 @@ var require_listeners = __commonJS({
       TokenListener2[TokenListener2["CALL_FUNCTION"] = 2] = "CALL_FUNCTION";
       TokenListener2[TokenListener2["CALL_REQUIRE"] = 3] = "CALL_REQUIRE";
       TokenListener2[TokenListener2["CALL_EXTERNAL"] = 4] = "CALL_EXTERNAL";
-      TokenListener2[TokenListener2["READ_BASE"] = 5] = "READ_BASE";
-      TokenListener2[TokenListener2["READ_BASE_DYNAMIC"] = 6] = "READ_BASE_DYNAMIC";
-      TokenListener2[TokenListener2["READ_GETTER"] = 7] = "READ_GETTER";
-      TokenListener2[TokenListener2["READ_GETTER_THIS"] = 8] = "READ_GETTER_THIS";
-      TokenListener2[TokenListener2["WRITE_BASE"] = 9] = "WRITE_BASE";
-      TokenListener2[TokenListener2["WRITE_BASE_DYNAMIC"] = 10] = "WRITE_BASE_DYNAMIC";
-      TokenListener2[TokenListener2["WRITE_SETTER"] = 11] = "WRITE_SETTER";
-      TokenListener2[TokenListener2["WRITE_SETTER_THIS"] = 12] = "WRITE_SETTER_THIS";
-      TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST"] = 13] = "WRITE_OBJECT_PATTERN_REST";
-      TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST_PROPERTIES"] = 14] = "WRITE_OBJECT_PATTERN_REST_PROPERTIES";
-      TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST"] = 15] = "WRITE_ARRAY_PATTERN_REST";
-      TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST_ARRAY"] = 16] = "WRITE_ARRAY_PATTERN_REST_ARRAY";
-      TokenListener2[TokenListener2["WRITE_REQUIRE_EXTENSIONS"] = 17] = "WRITE_REQUIRE_EXTENSIONS";
-      TokenListener2[TokenListener2["IMPORT_BASE"] = 18] = "IMPORT_BASE";
-      TokenListener2[TokenListener2["EXPORT_BASE"] = 19] = "EXPORT_BASE";
-      TokenListener2[TokenListener2["ANCESTORS"] = 20] = "ANCESTORS";
-      TokenListener2[TokenListener2["READ_ANCESTORS"] = 21] = "READ_ANCESTORS";
-      TokenListener2[TokenListener2["WRITE_ANCESTORS"] = 22] = "WRITE_ANCESTORS";
-      TokenListener2[TokenListener2["CLASS_FIELD"] = 23] = "CLASS_FIELD";
-      TokenListener2[TokenListener2["EXTENDS"] = 24] = "EXTENDS";
-      TokenListener2[TokenListener2["READ_ITERATOR_VALUE"] = 25] = "READ_ITERATOR_VALUE";
-      TokenListener2[TokenListener2["OBJECT_SPREAD"] = 26] = "OBJECT_SPREAD";
-      TokenListener2[TokenListener2["CALL_PROMISE_EXECUTOR"] = 27] = "CALL_PROMISE_EXECUTOR";
-      TokenListener2[TokenListener2["CALL_PROMISE_RESOLVE"] = 28] = "CALL_PROMISE_RESOLVE";
-      TokenListener2[TokenListener2["CALL_PROMISE_ONFULFILLED"] = 29] = "CALL_PROMISE_ONFULFILLED";
-      TokenListener2[TokenListener2["CALL_PROMISE_ONREJECTED"] = 30] = "CALL_PROMISE_ONREJECTED";
-      TokenListener2[TokenListener2["CALL_PROMISE_ONFINALLY"] = 31] = "CALL_PROMISE_ONFINALLY";
-      TokenListener2[TokenListener2["MAKE_PROMISE_RESOLVE"] = 32] = "MAKE_PROMISE_RESOLVE";
-      TokenListener2[TokenListener2["MAKE_PROMISE_REJECT"] = 33] = "MAKE_PROMISE_REJECT";
-      TokenListener2[TokenListener2["MAKE_PROMISE_ALL"] = 34] = "MAKE_PROMISE_ALL";
-      TokenListener2[TokenListener2["MAKE_PROMISE_ALLSETTLED"] = 35] = "MAKE_PROMISE_ALLSETTLED";
-      TokenListener2[TokenListener2["MAKE_PROMISE_ANY"] = 36] = "MAKE_PROMISE_ANY";
-      TokenListener2[TokenListener2["MAKE_PROMISE_RACE"] = 37] = "MAKE_PROMISE_RACE";
-      TokenListener2[TokenListener2["AWAIT"] = 38] = "AWAIT";
-      TokenListener2[TokenListener2["JSX_ELEMENT"] = 39] = "JSX_ELEMENT";
-      TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK"] = 40] = "NATIVE_INVOKE_CALLBACK";
-      TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK2"] = 41] = "NATIVE_INVOKE_CALLBACK2";
-      TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY2"] = 42] = "NATIVE_INVOKE_CALL_APPLY2";
-      TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY3"] = 43] = "NATIVE_INVOKE_CALL_APPLY3";
-      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES"] = 44] = "NATIVE_ASSIGN_PROPERTIES";
-      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES2"] = 45] = "NATIVE_ASSIGN_PROPERTIES2";
-      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES3"] = 46] = "NATIVE_ASSIGN_PROPERTIES3";
-      TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTY"] = 47] = "NATIVE_OBJECT_DEFINE_PROPERTY";
-      TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTIES"] = 48] = "NATIVE_OBJECT_DEFINE_PROPERTIES";
-      TokenListener2[TokenListener2["NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS"] = 49] = "NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS";
-      TokenListener2[TokenListener2["NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY"] = 50] = "NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY";
-      TokenListener2[TokenListener2["NATIVE_RETURN_PROTOTYPE_OF"] = 51] = "NATIVE_RETURN_PROTOTYPE_OF";
-      TokenListener2[TokenListener2["NATIVE_SET_PROTOTYPE_OF"] = 52] = "NATIVE_SET_PROTOTYPE_OF";
+      TokenListener2[TokenListener2["CALLBACK_ARGUMENT"] = 5] = "CALLBACK_ARGUMENT";
+      TokenListener2[TokenListener2["READ_BASE"] = 6] = "READ_BASE";
+      TokenListener2[TokenListener2["READ_BASE_DYNAMIC"] = 7] = "READ_BASE_DYNAMIC";
+      TokenListener2[TokenListener2["READ_GETTER"] = 8] = "READ_GETTER";
+      TokenListener2[TokenListener2["READ_GETTER_THIS"] = 9] = "READ_GETTER_THIS";
+      TokenListener2[TokenListener2["WRITE_BASE"] = 10] = "WRITE_BASE";
+      TokenListener2[TokenListener2["WRITE_BASE_DYNAMIC"] = 11] = "WRITE_BASE_DYNAMIC";
+      TokenListener2[TokenListener2["WRITE_SETTER"] = 12] = "WRITE_SETTER";
+      TokenListener2[TokenListener2["WRITE_SETTER_THIS"] = 13] = "WRITE_SETTER_THIS";
+      TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST"] = 14] = "WRITE_OBJECT_PATTERN_REST";
+      TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST_PROPERTIES"] = 15] = "WRITE_OBJECT_PATTERN_REST_PROPERTIES";
+      TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST"] = 16] = "WRITE_ARRAY_PATTERN_REST";
+      TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST_ARRAY"] = 17] = "WRITE_ARRAY_PATTERN_REST_ARRAY";
+      TokenListener2[TokenListener2["WRITE_REQUIRE_EXTENSIONS"] = 18] = "WRITE_REQUIRE_EXTENSIONS";
+      TokenListener2[TokenListener2["IMPORT_BASE"] = 19] = "IMPORT_BASE";
+      TokenListener2[TokenListener2["EXPORT_BASE"] = 20] = "EXPORT_BASE";
+      TokenListener2[TokenListener2["ANCESTORS"] = 21] = "ANCESTORS";
+      TokenListener2[TokenListener2["READ_ANCESTORS"] = 22] = "READ_ANCESTORS";
+      TokenListener2[TokenListener2["WRITE_ANCESTORS"] = 23] = "WRITE_ANCESTORS";
+      TokenListener2[TokenListener2["CLASS_FIELD"] = 24] = "CLASS_FIELD";
+      TokenListener2[TokenListener2["EXTENDS"] = 25] = "EXTENDS";
+      TokenListener2[TokenListener2["READ_ITERATOR_VALUE"] = 26] = "READ_ITERATOR_VALUE";
+      TokenListener2[TokenListener2["OBJECT_SPREAD"] = 27] = "OBJECT_SPREAD";
+      TokenListener2[TokenListener2["CALL_PROMISE_EXECUTOR"] = 28] = "CALL_PROMISE_EXECUTOR";
+      TokenListener2[TokenListener2["CALL_PROMISE_RESOLVE"] = 29] = "CALL_PROMISE_RESOLVE";
+      TokenListener2[TokenListener2["CALL_PROMISE_ONFULFILLED"] = 30] = "CALL_PROMISE_ONFULFILLED";
+      TokenListener2[TokenListener2["CALL_PROMISE_ONREJECTED"] = 31] = "CALL_PROMISE_ONREJECTED";
+      TokenListener2[TokenListener2["CALL_PROMISE_ONFINALLY"] = 32] = "CALL_PROMISE_ONFINALLY";
+      TokenListener2[TokenListener2["MAKE_PROMISE_RESOLVE"] = 33] = "MAKE_PROMISE_RESOLVE";
+      TokenListener2[TokenListener2["MAKE_PROMISE_REJECT"] = 34] = "MAKE_PROMISE_REJECT";
+      TokenListener2[TokenListener2["MAKE_PROMISE_ALL"] = 35] = "MAKE_PROMISE_ALL";
+      TokenListener2[TokenListener2["MAKE_PROMISE_ALLSETTLED"] = 36] = "MAKE_PROMISE_ALLSETTLED";
+      TokenListener2[TokenListener2["MAKE_PROMISE_ANY"] = 37] = "MAKE_PROMISE_ANY";
+      TokenListener2[TokenListener2["MAKE_PROMISE_RACE"] = 38] = "MAKE_PROMISE_RACE";
+      TokenListener2[TokenListener2["AWAIT"] = 39] = "AWAIT";
+      TokenListener2[TokenListener2["JSX_ELEMENT"] = 40] = "JSX_ELEMENT";
+      TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK"] = 41] = "NATIVE_INVOKE_CALLBACK";
+      TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK2"] = 42] = "NATIVE_INVOKE_CALLBACK2";
+      TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY2"] = 43] = "NATIVE_INVOKE_CALL_APPLY2";
+      TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY3"] = 44] = "NATIVE_INVOKE_CALL_APPLY3";
+      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES"] = 45] = "NATIVE_ASSIGN_PROPERTIES";
+      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES2"] = 46] = "NATIVE_ASSIGN_PROPERTIES2";
+      TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES3"] = 47] = "NATIVE_ASSIGN_PROPERTIES3";
+      TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTY"] = 48] = "NATIVE_OBJECT_DEFINE_PROPERTY";
+      TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTIES"] = 49] = "NATIVE_OBJECT_DEFINE_PROPERTIES";
+      TokenListener2[TokenListener2["NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS"] = 50] = "NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS";
+      TokenListener2[TokenListener2["NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY"] = 51] = "NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY";
+      TokenListener2[TokenListener2["NATIVE_RETURN_PROTOTYPE_OF"] = 52] = "NATIVE_RETURN_PROTOTYPE_OF";
+      TokenListener2[TokenListener2["NATIVE_SET_PROTOTYPE_OF"] = 53] = "NATIVE_SET_PROTOTYPE_OF";
     })(TokenListener || (exports.TokenListener = TokenListener = {}));
   }
 });
@@ -13746,8 +13747,9 @@ var require_accesspaths = __commonJS({
   "lib/analysis/accesspaths.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
-    exports.LazyAccessPath = exports.UnknownAccessPath = exports.IgnoredAccessPath = exports.ComponentAccessPath = exports.CallResultAccessPath = exports.PropertyAccessPath = exports.ModuleAccessPath = exports.PatternAccessPath = exports.AccessPath = void 0;
+    exports.LazyAccessPath = exports.UnknownAccessPath = exports.IgnoredAccessPath = exports.CallbackArgumentAccessPath = exports.ComponentAccessPath = exports.CallResultAccessPath = exports.PropertyAccessPath = exports.ModuleAccessPath = exports.PatternAccessPath = exports.AccessPath = void 0;
     var infos_1 = require_infos();
+    var util_1 = require_util();
     var AccessPath = class {
       static {
         __name(this, "AccessPath");
@@ -13821,6 +13823,17 @@ var require_accesspaths = __commonJS({
       }
     };
     exports.ComponentAccessPath = ComponentAccessPath;
+    var CallbackArgumentAccessPath = class extends PatternAccessPath {
+      static {
+        __name(this, "CallbackArgumentAccessPath");
+      }
+      fun;
+      constructor(fun) {
+        super(`(cbarg)[${(0, util_1.locationToStringWithFileAndEnd)(fun.loc, true)}]`);
+        this.fun = fun;
+      }
+    };
+    exports.CallbackArgumentAccessPath = CallbackArgumentAccessPath;
     var IgnoredAccessPath = class _IgnoredAccessPath extends AccessPath {
       static {
         __name(this, "IgnoredAccessPath");
@@ -14457,7 +14470,7 @@ var require_constraintvars = __commonJS({
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports, "__esModule", { value: true });
-    exports.ReadResultVar = exports.AncestorsVar = exports.IntermediateVar = exports.ArgumentsVar = exports.ThisVar = exports.FunctionReturnVar = exports.ObjectPropertyVar = exports.NodeVar = exports.ConstraintVar = void 0;
+    exports.CallbackReceiverVar = exports.ReadResultVar = exports.AncestorsVar = exports.IntermediateVar = exports.ArgumentsVar = exports.ThisVar = exports.FunctionReturnVar = exports.ObjectPropertyVar = exports.NodeVar = exports.ConstraintVar = void 0;
     exports.isObjectPropertyVarObj = isObjectPropertyVarObj;
     var types_1 = __require("@babel/types");
     var util_1 = require_util();
@@ -14646,6 +14659,23 @@ var require_constraintvars = __commonJS({
       }
     };
     exports.ReadResultVar = ReadResultVar;
+    var CallbackReceiverVar = class extends ConstraintVar {
+      static {
+        __name(this, "CallbackReceiverVar");
+      }
+      fun;
+      constructor(fun) {
+        super();
+        this.fun = fun;
+      }
+      toString() {
+        return `CallbackReceiver[${(0, util_1.locationToStringWithFileAndEnd)(this.fun.loc, true)}]`;
+      }
+      getParent() {
+        return this.fun;
+      }
+    };
+    exports.CallbackReceiverVar = CallbackReceiverVar;
   }
 });
 
@@ -19910,4 +19940,4 @@ fill-range/index.js:
    * Licensed under the MIT License.
    *)
 */
-//# sourceMappingURL=chunk-AAKFGMVW.js.map
+//# sourceMappingURL=chunk-NHEUSYVH.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-ID4Q5QL5.js → chunk-USUJB4DB.js}

@@ -9,7 +9,7 @@ import {
   __name,
   __require,
   require_transform
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // lib/approx/proxy.js
 var require_proxy = __commonJS({
@@ -268,4 +268,4 @@ export {
   require_proxy,
   require_sandbox
 };
-//# sourceMappingURL=chunk-ID4Q5QL5.js.map
+//# sourceMappingURL=chunk-USUJB4DB.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-AEP2QDUI.js → chunk-ZYU33ERK.js}

@@ -8,7 +8,7 @@ import {
   __commonJS,
   __name,
   __require
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // node_modules/source-map/lib/base64.js
 var require_base64 = __commonJS({
@@ -224380,4 +224380,4 @@ typescript/lib/typescript.js:
   and limitations under the License.
   ***************************************************************************** *)
 */
-//# sourceMappingURL=chunk-AEP2QDUI.js.map
+//# sourceMappingURL=chunk-ZYU33ERK.js.map

package/repos/coana-tech/jelly-private/dist/bundle/hooks.js

@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
 
 import {
   require_moduleresolver
-} from "./chunk-AEP2QDUI.js";
+} from "./chunk-ZYU33ERK.js";
 import {
   require_sandbox
-} from "./chunk-ID4Q5QL5.js";
+} from "./chunk-USUJB4DB.js";
 import {
   __commonJS,
   __name,
@@ -17,7 +17,7 @@ import {
   require_files,
   require_options,
   require_transform
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // lib/approx/hooks.js
 var require_hooks = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/jelly.js

@@ -9,11 +9,11 @@ import {
   require_hints,
   require_parser,
   require_patching
-} from "./chunk-BV33FESD.js";
+} from "./chunk-2EM22I7M.js";
 import {
   require_moduleresolver,
   require_typescript
-} from "./chunk-AEP2QDUI.js";
+} from "./chunk-ZYU33ERK.js";
 import {
   __commonJS,
   __name,
@@ -37,7 +37,7 @@ import {
   require_tokens,
   require_transform,
   require_util
-} from "./chunk-AAKFGMVW.js";
+} from "./chunk-NHEUSYVH.js";
 
 // lib/misc/timer.js
 var require_timer = __commonJS({
@@ -147,7 +147,7 @@ var require_patterns = __commonJS({
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports, "__esModule", { value: true });
-    exports.Type = exports.FilterSelector = exports.TypeFilter = exports.NumArgsCallFilter = exports.Filter = exports.PotentiallyUnknownAccessPathPattern = exports.WildcardAccessPathPattern = exports.ExclusionAccessPathPattern = exports.DisjunctionAccessPathPattern = exports.AbbreviatedPathPattern = exports.ComponentAccessPathPattern = exports.CallResultAccessPathPattern = exports.PropertyAccessPathPattern = exports.ImportAccessPathPattern = exports.ComponentDetectionPattern = exports.CallDetectionPattern = exports.WriteDetectionPattern = exports.ReadDetectionPattern = exports.ImportDetectionPattern = exports.DetectionPattern = void 0;
+    exports.Type = exports.FilterSelector = exports.TypeFilter = exports.NumArgsCallFilter = exports.Filter = exports.CallbackArgumentAccessPathPattern = exports.PotentiallyUnknownAccessPathPattern = exports.WildcardAccessPathPattern = exports.ExclusionAccessPathPattern = exports.DisjunctionAccessPathPattern = exports.AbbreviatedPathPattern = exports.ComponentAccessPathPattern = exports.CallResultAccessPathPattern = exports.PropertyAccessPathPattern = exports.ImportAccessPathPattern = exports.ComponentDetectionPattern = exports.CallDetectionPattern = exports.WriteDetectionPattern = exports.ReadDetectionPattern = exports.ImportDetectionPattern = exports.DetectionPattern = void 0;
     var assert_1 = __importDefault(__require("assert"));
     var DetectionPattern = class {
       static {
@@ -402,6 +402,23 @@ var require_patterns = __commonJS({
       }
     };
     exports.PotentiallyUnknownAccessPathPattern = PotentiallyUnknownAccessPathPattern;
+    var CallbackArgumentAccessPathPattern = class {
+      static {
+        __name(this, "CallbackArgumentAccessPathPattern");
+      }
+      base;
+      constructor(base) {
+        this.base = base;
+      }
+      toString() {
+        return `${this.base}(cbarg)`;
+      }
+      visitAccessPathPatterns(visitor) {
+        visitor(this);
+        this.base.visitAccessPathPatterns(visitor);
+      }
+    };
+    exports.CallbackArgumentAccessPathPattern = CallbackArgumentAccessPathPattern;
     var Filter = class {
       static {
         __name(this, "Filter");
@@ -617,6 +634,10 @@ var require_patternparser = __commonJS({
             pos2 += 2;
             pos2 = parseSpace(pos2);
             p2 = c.canonicalize(new patterns_1.CallResultAccessPathPattern(p2));
+          } else if (pattern[pos2] === "(" && pattern.substring(pos2 + 1, pos2 + 7) === "cbarg)") {
+            pos2 += 7;
+            pos2 = parseSpace(pos2);
+            p2 = c.canonicalize(new patterns_1.CallbackArgumentAccessPathPattern(p2));
           } else if (pattern[pos2] === "?") {
             pos2++;
             pos2 = parseSpace(pos2);
@@ -1064,7 +1085,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
       return s;
     }
     __name(getProperties, "getProperties");
-    var [callIdx, componentIdx, moduleIdx] = Array.from({ length: 3 }, (_, i) => {
+    var [callIdx, componentIdx, moduleIdx, cbargIdx] = Array.from({ length: 4 }, (_, i) => {
       const bs = new bitset_1.SmallBitSet();
       bs.set(i);
       return bs;
@@ -1073,7 +1094,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
       const unknowns = /* @__PURE__ */ new Map();
       return {
         graph: new Map(ds.map((p) => {
-          const edges = Array.from({ length: 3 }, () => new bitset_1.SmallBitSet());
+          const edges = Array.from({ length: 4 }, () => new bitset_1.SmallBitSet());
           const properties = /* @__PURE__ */ new Map();
           let wildcardIdx = -1;
           const classify = /* @__PURE__ */ __name((p2) => {
@@ -1083,6 +1104,8 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
               return componentIdx;
             if (p2 instanceof accesspaths_1.ModuleAccessPath)
               return moduleIdx;
+            if (p2 instanceof accesspaths_1.CallbackArgumentAccessPath)
+              return cbargIdx;
             (0, assert_1.default)(p2 instanceof accesspaths_1.PropertyAccessPath);
             return properties.get(p2.prop);
           }, "classify");
@@ -1099,6 +1122,9 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
             } else if (app instanceof patterns_1.ComponentAccessPathPattern) {
               [pre, unknown] = aux(app.component);
               post = componentIdx;
+            } else if (app instanceof patterns_1.CallbackArgumentAccessPathPattern) {
+              [pre, unknown] = aux(app.base);
+              post = cbargIdx;
             } else if (app instanceof patterns_1.PropertyAccessPathPattern) {
               [pre, unknown] = aux(app.base);
               post = new bitset_1.SmallBitSet();
@@ -1218,7 +1244,6 @@ var require_globalstate = __commonJS({
       dummyModuleInfos = /* @__PURE__ */ new Map();
       functionInfos = /* @__PURE__ */ new Map();
       entryFiles = /* @__PURE__ */ new Set();
-      reachedFiles = /* @__PURE__ */ new Set();
       pendingFiles = new worklist_1.Worklist();
       reachedModulesFull = /* @__PURE__ */ new Set();
       pendingModulesFull = new worklist_1.Worklist();
@@ -1328,10 +1353,8 @@ var require_globalstate = __commonJS({
         }
       }
       reachedFile(tofile, entry, from, local) {
-        let moduleInfo;
-        if (this.reachedFiles.has(tofile))
-          moduleInfo = this.moduleInfosByPath.get(tofile);
-        else {
+        let moduleInfo = this.moduleInfosByPath.get(tofile);
+        if (!moduleInfo) {
           let packageInfo;
           let rel = "";
           let otherfile;
@@ -1341,7 +1364,8 @@ var require_globalstate = __commonJS({
             if (rel.startsWith("../")) {
               logger_1.default.warn(`Relative module reference from ${from.getPath()} to ${rel} outside current package ${packageInfo}`);
               packageInfo = void 0;
-            }
+            } else
+              moduleInfo = packageInfo.modules.get(rel);
           }
           if (!packageInfo) {
             const p = (0, util_1.getOrSet)(this.packageJsonInfos, (0, path_1.dirname)(tofile), () => (0, packagejson_1.getPackageJsonInfo)(tofile));
@@ -1365,7 +1389,7 @@ var require_globalstate = __commonJS({
             const ignoreModule = from && (options_1.options.ignoreDependencies || !packageInfo.isEntry && (options_1.options.includePackages && !options_1.options.includePackages.includes(packageInfo.name))) || options_1.options.excludePackages?.includes(packageInfo.name);
             moduleInfo = new infos_1.ModuleInfo(rel, packageInfo, from === void 0, !ignoreModule);
             packageInfo.modules.set(rel, moduleInfo);
-            this.reachedFiles.add(tofile);
+            this.moduleInfos.set(moduleInfo.toString(), moduleInfo);
             if (ignoreModule)
               logger_1.default.info(`Ignoring module ${moduleInfo}`);
             else
@@ -1375,7 +1399,6 @@ var require_globalstate = __commonJS({
               this.moduleInfosByPath.set(otherfile, moduleInfo);
           }
           this.moduleInfosByPath.set(tofile, moduleInfo);
-          this.moduleInfos.set(moduleInfo.toString(), moduleInfo);
         }
         if (from) {
           const pf = from.packageInfo;
@@ -1492,6 +1515,9 @@ var require_constraintvarproducer = __commonJS({
       readResultVar(t, prop) {
         return this.a.canonicalizeVar(new constraintvars_1.ReadResultVar(t, prop));
       }
+      callbackReceiverVar(fun) {
+        return this.a.vulnerabilities?.hasCallbackArgumentPattern ? this.a.canonicalizeVar(new constraintvars_1.CallbackReceiverVar(fun)) : void 0;
+      }
     };
     exports.ConstraintVarProducer = ConstraintVarProducer;
   }
@@ -1703,6 +1729,7 @@ var require_fragmentstate = __commonJS({
       propertyWriteAccessPaths = /* @__PURE__ */ new Map();
       callResultAccessPaths = /* @__PURE__ */ new Map();
       componentAccessPaths = /* @__PURE__ */ new Map();
+      callbackArgumentAccessPaths = /* @__PURE__ */ new Map();
       importDeclRefs = /* @__PURE__ */ new Map();
       propertyReads = [];
       maybeEmptyPropertyReads = [];
@@ -2734,20 +2761,22 @@ var require_solver = __commonJS({
             (0, assert_1.default)(validEdge);
             if (validEdge(subap, ap))
               ap2s = [a.canonicalizeAccessPath(ap)];
-            let base;
-            if (ap instanceof accesspaths_1.CallResultAccessPath)
-              base = ap.caller;
-            else if (ap instanceof accesspaths_1.ComponentAccessPath)
-              base = ap.component;
-            else
-              (0, assert_1.default)(ap instanceof accesspaths_1.PropertyAccessPath), base = ap.base;
-            const ap2 = new accesspaths_1.PropertyAccessPath(base, "?", subp);
-            if (validEdge(subap, ap2))
-              (ap2s ??= []).push(a.canonicalizeAccessPath(ap2));
+            if (!(ap instanceof accesspaths_1.CallbackArgumentAccessPath)) {
+              let base;
+              if (ap instanceof accesspaths_1.CallResultAccessPath)
+                base = ap.caller;
+              else if (ap instanceof accesspaths_1.ComponentAccessPath)
+                base = ap.component;
+              else
+                (0, assert_1.default)(ap instanceof accesspaths_1.PropertyAccessPath), base = ap.base;
+              const ap2 = new accesspaths_1.PropertyAccessPath(base, "?", subp);
+              if (validEdge(subap, ap2))
+                (ap2s ??= []).push(a.canonicalizeAccessPath(ap2));
+            }
           }
         } else {
           const abstractProp = ap instanceof accesspaths_1.PropertyAccessPath && !(subap instanceof accesspaths_1.ModuleAccessPath && ap.prop === "default") && options_1.patternProperties && !options_1.patternProperties.has(ap.prop);
-          if (subap instanceof accesspaths_1.UnknownAccessPath && (ap instanceof accesspaths_1.CallResultAccessPath || ap instanceof accesspaths_1.ComponentAccessPath || abstractProp || options_1.options.lazy))
+          if (subap instanceof accesspaths_1.UnknownAccessPath && (ap instanceof accesspaths_1.CallResultAccessPath || ap instanceof accesspaths_1.ComponentAccessPath || ap instanceof accesspaths_1.CallbackArgumentAccessPath || abstractProp || options_1.options.lazy))
             ap2s = [subap];
           else
             ap2s = [a.canonicalizeAccessPath(abstractProp ? new accesspaths_1.PropertyAccessPath(ap.base, "?") : ap)];
@@ -2768,6 +2797,8 @@ var require_solver = __commonJS({
               (0, util_2.mapGetMap)(f.callResultAccessPaths, subap).set(node, { bp: ap2, sub: ap2.caller, encl });
             else if (ap2 instanceof accesspaths_1.ComponentAccessPath)
               (0, util_2.mapGetMap)(f.componentAccessPaths, subap).set(node, { bp: ap2, sub: ap2.component, encl });
+            else if (ap2 instanceof accesspaths_1.CallbackArgumentAccessPath)
+              (0, util_2.mapGetMap)(f.callbackArgumentAccessPaths, subap).set(node, { bp: ap2, sub: to, encl });
             else
               assert_1.default.fail("Unexpected AccessPath");
           }
@@ -4410,7 +4441,7 @@ var require_operations = __commonJS({
           for (let i = 0; i < argVars.length; i++) {
             const argVar = argVars[i];
             if (argVar) {
-              this.solver.addForAllTokensConstraint(argVar, listeners_1.TokenListener.CALL_EXTERNAL, pars.node, (at) => this.invokeExternalCallback(at, pars.node, caller));
+              this.solver.addForAllTokensConstraint(argVar, listeners_1.TokenListener.CALL_EXTERNAL, pars.node, (at) => this.invokeExternalCallback(at, pars.node, caller, calleeVar));
               f.registerEscapingToExternal(argVar, args[i], caller);
             } else if ((0, types_1.isSpreadElement)(args[i]))
               f.warnUnsupported(args[i], "SpreadElement in arguments to external function");
@@ -4477,18 +4508,29 @@ var require_operations = __commonJS({
         if (!(0, asthelpers_1.isParentExpressionStatement)(pars))
           this.solver.addSubsetConstraint(vp.returnVar(t.fun), resultVar);
       }
-      invokeExternalCallback(at, node, caller) {
+      invokeExternalCallback(at, node, caller, calleeVar) {
         if (at instanceof tokens_1.FunctionToken) {
           const f = this.solver.fragmentState;
           f.registerCall(node, caller, void 0, { external: true });
           f.registerCallEdge(node, caller, this.a.functionInfos.get(at.fun), { external: true });
           if (!f.externalCallbacksProcessed.has(at)) {
             f.externalCallbacksProcessed.add(at);
-            for (let j = 0; j < at.fun.params.length; j++)
-              if ((0, types_1.isIdentifier)(at.fun.params[j]))
-                this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.nodeVar(at.fun.params[j]));
+            for (const param of at.fun.params)
+              if ((0, types_1.isIdentifier)(param))
+                this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.nodeVar(param));
             this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.thisVar(at.fun));
+            const cbargVar = f.varProducer.callbackReceiverVar(at.fun);
+            this.solver.addForAllTokensConstraint(cbargVar, listeners_1.TokenListener.CALLBACK_ARGUMENT, at.fun, (apt) => {
+              if (apt instanceof tokens_1.AccessPathToken) {
+                for (const param of at.fun.params)
+                  if ((0, types_1.isIdentifier)(param)) {
+                    const paramVar = f.varProducer.nodeVar(param);
+                    this.solver.addAccessPath(new accesspaths_1.CallbackArgumentAccessPath(at.fun), paramVar, node, caller, apt.ap);
+                  }
+              }
+            });
           }
+          this.solver.addSubsetConstraint(calleeVar, f.varProducer.callbackReceiverVar(at.fun));
         }
       }
       readProperty(base, prop, dst, node, enclosing, extrakey = "") {
@@ -8960,6 +9002,18 @@ var require_patternmatcher = __commonJS({
                 }
               transfer(level, sub, tmp, subvs);
             }
+          } else if (p instanceof patterns_1.CallbackArgumentAccessPathPattern) {
+            const sub = this.findAccessPathPatternMatches(p.base, moduleFilter);
+            for (const level of exports.confidenceLevels) {
+              const tmp = /* @__PURE__ */ new Map();
+              const subvs = /* @__PURE__ */ new Map();
+              for (const [aps] of sub[level].values())
+                for (const ap of aps) {
+                  addMatches(level, ap, f.callbackArgumentAccessPaths.get(ap), tmp, subvs);
+                  addEscapingToExternal(ap);
+                }
+              transfer(level, sub, tmp, subvs);
+            }
           } else if (p instanceof patterns_1.DisjunctionAccessPathPattern) {
             const subs = [];
             for (const ap of p.aps)
@@ -13100,6 +13154,7 @@ var require_vulnerabilitydetector = __commonJS({
     var vulnerabilities_1 = require_vulnerabilities();
     var util_1 = require_util();
     var logger_1 = __importStar(require_logger());
+    var patterns_1 = require_patterns();
     var patternparser_1 = require_patternparser();
     var patternmatcher_1 = require_patternmatcher();
     var timer_1 = __importStar(require_timer());
@@ -13119,6 +13174,7 @@ var require_vulnerabilitydetector = __commonJS({
       vulnerabilities = /* @__PURE__ */ new Map();
       patterns = /* @__PURE__ */ new Map();
       importGlobsToPatterns = new Array();
+      hasCallbackArgumentPattern;
       vulnerabilityPackageMatches = /* @__PURE__ */ new Map();
       vulnerabilityModuleMatches = /* @__PURE__ */ new Map();
       vulnerabilityFunctionMatches = /* @__PURE__ */ new Map();
@@ -13146,11 +13202,17 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
             }
         }
         const globToPatterns = /* @__PURE__ */ new Map();
-        for (const p of this.getPatterns())
+        const patterns = this.getPatterns();
+        for (const p of patterns)
           for (const glob of (0, patternloader_1.getGlobs)([p]))
             (0, util_1.mapArrayAdd)(glob, p, globToPatterns);
         for (const [g, ps] of globToPatterns)
           this.importGlobsToPatterns.push([micromatch_1.default.matcher(g), ps]);
+        this.hasCallbackArgumentPattern = patterns.some((p) => {
+          let found = false;
+          p.ap.visitAccessPathPatterns((app) => found ||= app instanceof patterns_1.CallbackArgumentAccessPathPattern);
+          return found;
+        });
       }
       getPatterns() {
         return this.patterns.values().flatMap((ps) => ps).toArray();