@kevinrabun/judges 3.117.0 → 3.117.1

package/dist/ast/taint-tracker.js

@@ -11,8 +11,25 @@
 // - Same-file inter-procedural taint (function parameter → return tracking)
 // - Guard clause sensitivity (validation guards reduce taint confidence)
 // ─────────────────────────────────────────────────────────────────────────────
-import ts from "typescript";
+import { createRequire } from "node:module";
 import { normalizeLanguage } from "../language-patterns.js";
+// Lazy-load the TypeScript compiler API so that modules which transitively
+// import this file (e.g. the VS Code extension bundle) do not crash at load
+// time when the `typescript` package is not available at runtime.
+//
+// In CJS bundles (esbuild for VS Code extension), `import.meta.url` is empty
+// but the bundler emits a CJS `require` for externals — so `require` just
+// works.  In native ESM (tests, CLI), we use `createRequire` from the real
+// `import.meta.url`.
+let _ts;
+function getTS() {
+    if (!_ts) {
+        const metaUrl = typeof import.meta?.url === "string" ? import.meta.url : undefined;
+        const req = metaUrl ? createRequire(metaUrl) : require;
+        _ts = req("typescript");
+    }
+    return _ts;
+}
 // ─── Source / Sink Definitions ───────────────────────────────────────────────
 const SOURCE_PATTERNS = [
     { pattern: /\breq(?:uest)?\.(?:body|query|params|headers|cookies)\b/i, kind: "http-param" },
@@ -147,6 +164,7 @@ function containsWordBoundary(text, varName) {
  * Tracks which function parameters flow to return values.
  */
 function buildFunctionTaintMap(sourceFile, _taintMap) {
+    const ts = getTS();
     const result = new Map();
     ts.forEachChild(sourceFile, function walk(node) {
         if (ts.isFunctionDeclaration(node) ||
@@ -195,6 +213,7 @@ function buildFunctionTaintMap(sourceFile, _taintMap) {
     return result;
 }
 function getFnName(node) {
+    const ts = getTS();
     if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node)) {
         return node.name?.getText();
     }
@@ -688,7 +707,14 @@ export function analyzeTaintFlows(code, language) {
     switch (lang) {
         case "javascript":
         case "typescript":
-            return analyzeTypeScriptTaint(code, lang);
+            try {
+                return analyzeTypeScriptTaint(code, lang);
+            }
+            catch {
+                // typescript package unavailable (e.g. VS Code extension bundle) —
+                // fall through to regex-based analysis
+                return analyzeRegexTaint(code, LANGUAGE_PATTERN_MAP[lang]);
+            }
         default: {
             const langPatterns = LANGUAGE_PATTERN_MAP[lang];
             return analyzeRegexTaint(code, langPatterns);
@@ -697,6 +723,7 @@ export function analyzeTaintFlows(code, language) {
 }
 // ─── TypeScript / JavaScript Taint Analysis ──────────────────────────────────
 function analyzeTypeScriptTaint(code, language) {
+    const ts = getTS();
     const scriptKind = language === "typescript" ? ts.ScriptKind.TS : ts.ScriptKind.JS;
     const sourceFile = ts.createSourceFile("input." + (language === "typescript" ? "ts" : "js"), code, ts.ScriptTarget.Latest, true, scriptKind);
     const flows = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kevinrabun/judges",
-  "version": "3.117.0",
+  "version": "3.117.1",
   "description": "45 specialized judges that evaluate AI-generated code for security, cost, and quality.",
   "mcpName": "io.github.KevinRabun/judges",
   "type": "module",

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/kevinrabun/judges",
     "source": "github"
   },
-  "version": "3.117.0",
+  "version": "3.117.1",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@kevinrabun/judges",
-      "version": "3.117.0",
+      "version": "3.117.1",
       "transport": {
         "type": "stdio"
       }