@daml-tools/daml-lint 0.8.1 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -4
- package/package.json +5 -5
package/README.md
CHANGED
|
@@ -92,6 +92,12 @@ avoid the CLI parser and QuickJS runtime:
|
|
|
92
92
|
daml-lint = { version = "0.8", default-features = false }
|
|
93
93
|
```
|
|
94
94
|
|
|
95
|
+
Rust-facing finding locations, parser diagnostics, and IR spans use the
|
|
96
|
+
coordinate newtypes from `daml-syntax` (`LineNumber`, `CharColumn`,
|
|
97
|
+
`Utf16Offset`, and `ByteOffset`) so byte, UTF-16, line, and column coordinates
|
|
98
|
+
cannot be mixed accidentally. JSON, SARIF, and custom-rule JavaScript output
|
|
99
|
+
still serialize those coordinates as numbers.
|
|
100
|
+
|
|
95
101
|
The `js-runtime` feature enables the QuickJS-backed runtime used by shipped
|
|
96
102
|
built-ins. The `custom-rules` feature implies `js-runtime` and enables loading
|
|
97
103
|
user-provided rule files through `--rules` and configured plugin packages.
|
|
@@ -248,8 +254,11 @@ escape hatches for constructs with no structured form (e.g.
|
|
|
248
254
|
Heads up: visitors must be `function` declarations — arrow functions assigned
|
|
249
255
|
to `const` are not discovered. If a script fails at runtime, the CLI exits 2;
|
|
250
256
|
library callers can use `Detector::try_detect` to receive the rule error
|
|
251
|
-
without terminating the host process.
|
|
252
|
-
|
|
257
|
+
without terminating the host process. `DetectError` preserves the underlying
|
|
258
|
+
`ScriptLoadError` through `std::error::Error::source()` when one is available,
|
|
259
|
+
so library callers can inspect the typed failure chain instead of parsing
|
|
260
|
+
strings. Rule errors are never swallowed. A runaway loop is interrupted so a
|
|
261
|
+
broken rule can't hang CI. The engine runs JavaScript
|
|
253
262
|
(ES2023) — no Node APIs, no `require`/`import`, no filesystem or network.
|
|
254
263
|
Each rule's script is evaluated once and its visitors are then called for
|
|
255
264
|
every module — visitors should be stateless; don't accumulate findings in
|
|
@@ -275,6 +284,11 @@ Each example is authored in TypeScript and ships with its compiled `.js` under
|
|
|
275
284
|
|
|
276
285
|
To check that a rule script parses without running a scan, point the tool at a nonexistent path — rule errors are reported before file discovery. (A valid script then prints `No .daml files found.`, which also exits 2 — go by the message, not the exit code.)
|
|
277
286
|
|
|
287
|
+
Library callers can load custom rules without writing temporary files:
|
|
288
|
+
`detectors::script::load_script_source(label, source)` accepts in-memory
|
|
289
|
+
JavaScript, and `load_script_reader_with_options(label, reader, options)`
|
|
290
|
+
accepts any `std::io::Read` source plus JSON rule `CONFIG`.
|
|
291
|
+
|
|
278
292
|
### CI gating
|
|
279
293
|
|
|
280
294
|
Use `--fail-on` to control when the tool returns a non-zero exit code:
|
|
@@ -316,8 +330,9 @@ provenance and licensing.
|
|
|
316
330
|
## Public API Stability
|
|
317
331
|
|
|
318
332
|
`daml-lint` is pre-1.0. The CLI exit codes and documented feature flags are the
|
|
319
|
-
stable user contract for 0.
|
|
320
|
-
custom rules and library users, but it may gain
|
|
333
|
+
stable user contract for the current 0.8 line. The rule-facing IR is
|
|
334
|
+
intentionally public for custom rules and library users, but it may gain
|
|
335
|
+
structure in 0.x minor releases;
|
|
321
336
|
custom rules should check `ir_version` and match typed nodes rather than raw
|
|
322
337
|
source substrings. Detector result types such as `Finding`, `Severity`, and
|
|
323
338
|
`DetectError` are non-exhaustive; use their documented fields/accessors and keep
|
|
@@ -328,6 +343,8 @@ Breaking updates introduced in this branch:
|
|
|
328
343
|
- `Severity` no longer implements `Ord`/`PartialOrd`; use `rank()` or
|
|
329
344
|
`meets_or_exceeds()` for risk-based ordering and thresholds.
|
|
330
345
|
- `Severity::from_str` now returns `SeverityParseError` instead of `()`.
|
|
346
|
+
- `parse_severity` was removed; use `value.parse::<Severity>()` so invalid
|
|
347
|
+
input preserves `SeverityParseError`.
|
|
331
348
|
- Public IR/report DTO structs are `#[non_exhaustive]`; construct through
|
|
332
349
|
parser lowering or documented constructors such as `Finding::new`.
|
|
333
350
|
- `parse_daml_with_diagnostics` now returns a named `ParseResult` with fields
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@daml-tools/daml-lint",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.0",
|
|
4
4
|
"description": "Static analysis scanner for Daml smart contracts",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"daml",
|
|
@@ -23,10 +23,10 @@
|
|
|
23
23
|
"node": ">=18"
|
|
24
24
|
},
|
|
25
25
|
"optionalDependencies": {
|
|
26
|
-
"@daml-tools/daml-lint-darwin-arm64": "0.
|
|
27
|
-
"@daml-tools/daml-lint-linux-arm64": "0.
|
|
28
|
-
"@daml-tools/daml-lint-linux-x64": "0.
|
|
29
|
-
"@daml-tools/daml-lint-win32-x64": "0.
|
|
26
|
+
"@daml-tools/daml-lint-darwin-arm64": "0.9.0",
|
|
27
|
+
"@daml-tools/daml-lint-linux-arm64": "0.9.0",
|
|
28
|
+
"@daml-tools/daml-lint-linux-x64": "0.9.0",
|
|
29
|
+
"@daml-tools/daml-lint-win32-x64": "0.9.0"
|
|
30
30
|
},
|
|
31
31
|
"publishConfig": {
|
|
32
32
|
"access": "public"
|