@zuplo/cli 6.70.69 → 6.70.71

package/node_modules/@zuplo/runtime/out/esm/mocks/index.js

@@ -22,5 +22,5 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{b as l}from"../chunk-GEVKFSKR.js";import{a as o,da as n}from"../chunk-ZIKV2LUM.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function t(i){e.push(Promise.resolve(i))}return o(t,"waitUntil"),{context:new s({event:{waitUntil:t},route:u.route}),invokeResponse:o(async()=>{await Promise.all(e)},"invokeResponse")}}o(g,"createMockContext");var p={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:o(()=>({}),"raw")},s=class extends EventTarget{static{o(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:t=p,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:o(()=>{},"setLogProperties")},this.custom={},this.route=t,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0,clientCert:void 0,clientMtlsVerificationStatus:void 0,clientMtlsVerificationReason:void 0,clientCertFingerprintSha256:void 0,clientCertNotBefore:void 0,clientCertNotAfter:void 0,clientCertIssuerDn:void 0,clientCertSubjectDn:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,t){throw new Error("Not implemented")}invokeOutboundPolicy(e,t,r){throw new Error("Not implemented")}invokeRoute(e,t){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,t,r){let d=o(i=>{try{typeof t=="function"?t(i):t.handleEvent(i)}catch(a){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),a}},"wrapped");super.addEventListener(e,d,r)}};export{s as MockZuploContext,g as createMockContext};
+import{b as l}from"../chunk-AZIRK6TC.js";import{a as o,da as n}from"../chunk-ZIKV2LUM.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function t(i){e.push(Promise.resolve(i))}return o(t,"waitUntil"),{context:new s({event:{waitUntil:t},route:u.route}),invokeResponse:o(async()=>{await Promise.all(e)},"invokeResponse")}}o(g,"createMockContext");var p={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:o(()=>({}),"raw")},s=class extends EventTarget{static{o(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:t=p,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:o(()=>{},"setLogProperties")},this.custom={},this.route=t,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0,clientCert:void 0,clientMtlsVerificationStatus:void 0,clientMtlsVerificationReason:void 0,clientCertFingerprintSha256:void 0,clientCertNotBefore:void 0,clientCertNotAfter:void 0,clientCertIssuerDn:void 0,clientCertSubjectDn:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,t){throw new Error("Not implemented")}invokeOutboundPolicy(e,t,r){throw new Error("Not implemented")}invokeRoute(e,t){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,t,r){let d=o(i=>{try{typeof t=="function"?t(i):t.handleEvent(i)}catch(a){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),a}},"wrapped");super.addEventListener(e,d,r)}};export{s as MockZuploContext,g as createMockContext};
 //# sourceMappingURL=index.js.map

package/node_modules/@zuplo/runtime/out/types/index.d.ts

@@ -2899,6 +2899,291 @@ export declare class DataDogMetricsPlugin extends MetricsPlugin {
   static setContext(context: ZuploContext, data: DataDogMetricsContext): void;
 }
 
+/**
+ * Scans the incoming request body for sensitive data — PII, secrets, and
+ * financial identifiers — using an extensible catalog of built-in recognizers
+ * plus any custom patterns, and takes a configurable action when a match is
+ * found.
+ *
+ * The action is one of `mask` (redact matches before forwarding the request),
+ * `block` (reject with a `422` listing the detected entity names only), or
+ * `log` (record a warning and forward unchanged). Only text content types are
+ * inspected; binary bodies pass through untouched, and the body is read from a
+ * clone so the upstream still receives the original stream.
+ *
+ * @title Data Loss Prevention
+ * @product api-gateway
+ * @public
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param options - The policy options set in policies.json
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const DataLossPreventionInboundPolicy: InboundPolicyHandler<DataLossPreventionInboundPolicyOptions>;
+
+/**
+ * The options for the Data Loss Prevention inbound policy. Scans the incoming request body for sensitive data and applies the configured action (mask, block, or log).
+ * @public
+ */
+export declare interface DataLossPreventionInboundPolicyOptions {
+  /**
+   * The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change.
+   */
+  engine?: "builtin";
+  /**
+   * Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.
+   */
+  entities?: (
+    | "contact"
+    | "finance"
+    | "finance-us"
+    | "id"
+    | "id-au"
+    | "id-br"
+    | "id-ca"
+    | "id-es"
+    | "id-fr"
+    | "id-in"
+    | "id-it"
+    | "id-nl"
+    | "id-pl"
+    | "id-sg"
+    | "id-uk"
+    | "id-us"
+    | "network"
+    | "pii"
+    | "region-eu"
+    | "secret"
+    | "secret-aws"
+    | "contact-email"
+    | "contact-phone"
+    | "finance-credit-card"
+    | "finance-crypto-wallet"
+    | "finance-cvv"
+    | "finance-iban"
+    | "finance-swift-bic"
+    | "finance-us-aba-routing"
+    | "finance-us-bank-account"
+    | "id-au-abn"
+    | "id-au-acn"
+    | "id-au-medicare"
+    | "id-au-tfn"
+    | "id-br-cpf"
+    | "id-ca-sin"
+    | "id-es-nif"
+    | "id-fr-nir"
+    | "id-in-aadhaar"
+    | "id-in-pan"
+    | "id-it-fiscal-code"
+    | "id-nl-bsn"
+    | "id-pl-pesel"
+    | "id-sg-nric"
+    | "id-uk-nhs"
+    | "id-uk-nino"
+    | "id-us-itin"
+    | "id-us-passport"
+    | "id-us-ssn"
+    | "network-ipv4"
+    | "network-ipv6"
+    | "network-mac"
+    | "secret-anthropic"
+    | "secret-aws-access-key"
+    | "secret-aws-bedrock"
+    | "secret-azure-client"
+    | "secret-databricks"
+    | "secret-digitalocean"
+    | "secret-discord-webhook"
+    | "secret-github"
+    | "secret-gitlab"
+    | "secret-google-api-key"
+    | "secret-heroku"
+    | "secret-hugging-face"
+    | "secret-jwt"
+    | "secret-mailchimp"
+    | "secret-mailgun"
+    | "secret-npm"
+    | "secret-openai"
+    | "secret-perplexity"
+    | "secret-postman"
+    | "secret-private-key"
+    | "secret-pypi"
+    | "secret-sendgrid"
+    | "secret-sentry"
+    | "secret-shopify"
+    | "secret-slack"
+    | "secret-square"
+    | "secret-stripe"
+    | "secret-telegram-bot"
+    | "secret-terraform"
+    | "secret-twilio"
+    | "secret-zuplo"
+  )[];
+  /**
+   * Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the request.
+   */
+  customPatterns?: DlpCustomPattern[];
+  /**
+   * What to do when sensitive data is detected. `mask` redacts matches before forwarding the request, `block` rejects with a 422 listing only the detected entity names, and `log` records a warning and forwards the request unchanged.
+   */
+  action?: "mask" | "block" | "log";
+  /**
+   * The string that replaces detected values when `action` is `mask`.
+   */
+  mask?: string;
+  /**
+   * Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches.
+   */
+  minConfidence?: number;
+  /**
+   * Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/*) is used.
+   */
+  contentTypes?: string[];
+}
+
+/**
+ * Scans the upstream response body for sensitive data — PII, secrets, and
+ * financial identifiers — using an extensible catalog of built-in recognizers
+ * plus any custom patterns, and takes a configurable action when a match is
+ * found.
+ *
+ * The action is one of `mask` (redact matches before returning the response),
+ * `block` (replace the response with a `422` listing the detected entity names
+ * only), or `log` (record a warning and return unchanged). Only text content
+ * types are inspected; binary bodies pass through untouched, and the body is
+ * read from a clone so the client still receives the original stream.
+ *
+ * @title Data Loss Prevention
+ * @product api-gateway
+ * @public
+ * @param response - The outgoing Response from the handler
+ * @param request - The original incoming Request
+ * @param context - The current context of the Request
+ * @param options - The configuration options for the policy
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Response
+ */
+export declare const DataLossPreventionOutboundPolicy: OutboundPolicyHandler<DataLossPreventionOutboundPolicyOptions>;
+
+/**
+ * The options for the Data Loss Prevention outbound policy. Scans the upstream response body for sensitive data and applies the configured action (mask, block, or log).
+ * @public
+ */
+export declare interface DataLossPreventionOutboundPolicyOptions {
+  /**
+   * The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change.
+   */
+  engine?: "builtin";
+  /**
+   * Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.
+   */
+  entities?: (
+    | "contact"
+    | "finance"
+    | "finance-us"
+    | "id"
+    | "id-au"
+    | "id-br"
+    | "id-ca"
+    | "id-es"
+    | "id-fr"
+    | "id-in"
+    | "id-it"
+    | "id-nl"
+    | "id-pl"
+    | "id-sg"
+    | "id-uk"
+    | "id-us"
+    | "network"
+    | "pii"
+    | "region-eu"
+    | "secret"
+    | "secret-aws"
+    | "contact-email"
+    | "contact-phone"
+    | "finance-credit-card"
+    | "finance-crypto-wallet"
+    | "finance-cvv"
+    | "finance-iban"
+    | "finance-swift-bic"
+    | "finance-us-aba-routing"
+    | "finance-us-bank-account"
+    | "id-au-abn"
+    | "id-au-acn"
+    | "id-au-medicare"
+    | "id-au-tfn"
+    | "id-br-cpf"
+    | "id-ca-sin"
+    | "id-es-nif"
+    | "id-fr-nir"
+    | "id-in-aadhaar"
+    | "id-in-pan"
+    | "id-it-fiscal-code"
+    | "id-nl-bsn"
+    | "id-pl-pesel"
+    | "id-sg-nric"
+    | "id-uk-nhs"
+    | "id-uk-nino"
+    | "id-us-itin"
+    | "id-us-passport"
+    | "id-us-ssn"
+    | "network-ipv4"
+    | "network-ipv6"
+    | "network-mac"
+    | "secret-anthropic"
+    | "secret-aws-access-key"
+    | "secret-aws-bedrock"
+    | "secret-azure-client"
+    | "secret-databricks"
+    | "secret-digitalocean"
+    | "secret-discord-webhook"
+    | "secret-github"
+    | "secret-gitlab"
+    | "secret-google-api-key"
+    | "secret-heroku"
+    | "secret-hugging-face"
+    | "secret-jwt"
+    | "secret-mailchimp"
+    | "secret-mailgun"
+    | "secret-npm"
+    | "secret-openai"
+    | "secret-perplexity"
+    | "secret-postman"
+    | "secret-private-key"
+    | "secret-pypi"
+    | "secret-sendgrid"
+    | "secret-sentry"
+    | "secret-shopify"
+    | "secret-slack"
+    | "secret-square"
+    | "secret-stripe"
+    | "secret-telegram-bot"
+    | "secret-terraform"
+    | "secret-twilio"
+    | "secret-zuplo"
+  )[];
+  /**
+   * Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the response.
+   */
+  customPatterns?: DlpCustomPattern_2[];
+  /**
+   * What to do when sensitive data is detected. `mask` redacts matches before returning the response, `block` replaces the response with a 422 listing only the detected entity names, and `log` records a warning and returns the response unchanged.
+   */
+  action?: "mask" | "block" | "log";
+  /**
+   * The string that replaces detected values when `action` is `mask`.
+   */
+  mask?: string;
+  /**
+   * Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches.
+   */
+  minConfidence?: number;
+  /**
+   * Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/*) is used.
+   */
+  contentTypes?: string[];
+}
+
 /**
  * Default function to generate Hydrolix log entries
  * @public
@@ -2924,6 +3209,44 @@ export declare interface DispatchRequestLoggerEntries<T> {
   (entries: T[]): Promise<void>;
 }
 
+declare interface DlpCustomPattern {
+  /**
+   * Identifier reported in findings and block details for this pattern.
+   */
+  name: string;
+  /**
+   * A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\d` for a digit).
+   */
+  pattern: string;
+  /**
+   * Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context.
+   */
+  confidence?: number;
+  /**
+   * Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key).
+   */
+  context?: string[];
+}
+
+declare interface DlpCustomPattern_2 {
+  /**
+   * Identifier reported in findings and block details for this pattern.
+   */
+  name: string;
+  /**
+   * A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\d` for a digit).
+   */
+  pattern: string;
+  /**
+   * Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context.
+   */
+  confidence?: number;
+  /**
+   * Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key).
+   */
+  context?: string[];
+}
+
 declare interface DynaTraceLoggingOptions {
   url: string;
   apiToken: string;
@@ -3259,6 +3582,67 @@ export declare class GoogleCloudLoggingPlugin extends LogPlugin {
   /* Excluded from this release type: getTransport */
 }
 
+/**
+ * Reports GraphQL errors returned in response bodies to Zuplo's GraphQL
+ * analytics. GraphQL servers following the standard Apollo / graphql-yoga
+ * pattern return `200 OK` with an `errors[]` array in the body when an
+ * operation fails, which HTTP-level analytics alone report as a success —
+ * add this policy to a GraphQL route and failed operations show up as
+ * failures on the GraphQL dashboard, classified by error type.
+ *
+ * Each error in `errors[]` is classified from its `extensions.code`
+ * following the Apollo Server conventions (`GRAPHQL_PARSE_FAILED` →
+ * `syntax`, `GRAPHQL_VALIDATION_FAILED` → `validation`, `UNAUTHENTICATED` /
+ * `FORBIDDEN` → `auth`, timeout codes → `timeout`); custom codes can be
+ * mapped with `errorCodeClassification`, and anything unrecognized falls
+ * back to `defaultErrorClass` (`resolver`). Optionally set `logErrors` to
+ * also write a structured warning per errored response. Bodies larger
+ * than `maxResponseBytes` (default 5 MiB) are not inspected.
+ *
+ * The response always passes through unchanged — the body is read from a
+ * clone, and any internal failure is swallowed so reporting can never
+ * break the request. The route must be marked `x-graphql: true` in
+ * `routes.oas.json` (which enables GraphQL analytics for the route);
+ * without the marker the policy logs a warning and does nothing.
+ *
+ * @title GraphQL Analytics
+ * @product api-gateway
+ * @beta
+ * @public
+ * @param response - The outgoing Response from the handler
+ * @param request - The original incoming Request
+ * @param context - The current context of the Request
+ * @param options - The configuration options for the policy
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Response
+ */
+export declare const GraphqlAnalyticsOutboundPolicy: OutboundPolicyHandler<GraphqlAnalyticsOutboundPolicyOptions>;
+
+/**
+ * The options for the GraphQL Analytics outbound policy. Reads GraphQL `errors[]` from the response body and reports them to Zuplo's GraphQL analytics.
+ * @public
+ */
+export declare interface GraphqlAnalyticsOutboundPolicyOptions {
+  /**
+   * Additional `extensions.code` → error-class mappings for codes your GraphQL server emits. Entries are merged over (and win against) the built-in Apollo-convention map (`GRAPHQL_PARSE_FAILED` → `syntax`, `GRAPHQL_VALIDATION_FAILED` / `BAD_USER_INPUT` → `validation`, `UNAUTHENTICATED` / `FORBIDDEN` → `auth`, timeout codes → `timeout`, `INTERNAL_SERVER_ERROR` → `resolver`). Keys are matched case-sensitively; built-in codes are matched case-insensitively.
+   */
+  errorCodeClassification?: {
+    [k: string]: "syntax" | "validation" | "auth" | "timeout" | "resolver";
+  };
+  /**
+   * The error class reported for a GraphQL error whose `extensions.code` is missing or not in the classification map.
+   */
+  defaultErrorClass?: "syntax" | "validation" | "auth" | "timeout" | "resolver";
+  /**
+   * When `true`, also write a structured warning to the request log (message, `extensions.code`, and path of each error — capped at the first 10) whenever a response contains GraphQL errors.
+   */
+  logErrors?: boolean;
+  /**
+   * Maximum response body size in bytes the policy will inspect. Larger bodies — by `Content-Length`, or measured while reading when the header is absent — pass through without being scanned, so their GraphQL errors (if any) go unreported. The default is 5 MiB.
+   */
+  maxResponseBytes?: number;
+}
+
 /**
  * The main request handler for the Zuplo runtime. This class initializes the gateway
  * and handles all incoming HTTP requests through the configured pipeline.

package/node_modules/@zuplo/runtime/out/types/mcp-gateway/index.d.ts

@@ -1462,7 +1462,9 @@ export declare interface McpEntraOAuthInboundPolicyOptions {
 /**
  * Activates the MCP Gateway internal routes (OAuth authorization server,
  * upstream connection management, well-known metadata) on the runtime router.
- * The plugin is a no-op when no MCP-related policy is present.
+ * When no MCP-related policy is present the plugin registers no routes; it
+ * still records `plugin.mcp-gateway` feature usage on construction so gateway
+ * adoption is visible in telemetry regardless of route configuration.
  *
  * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
  * does not statically reference any MCP gateway code, so unrelated projects

package/node_modules/@zuplo/runtime/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.69",
+  "version": "6.70.71",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/acorn/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 8.17.0 (2026-06-11)
+
+### New features
+
+The new `strict` option can be used to start script sources in strict mode.
+
+### Bug fixes
+
+Fix a number of corner case bugs when `using` or `await using` appear in `for` loop specs.
+
+Disallow `new super()` expressions.
+
+Don't allow the conditional in a ternary expression to be a (naked) arrow function.
+
 ## 8.16.0 (2026-02-19)
 
 ### New features

package/node_modules/acorn/README.md

@@ -86,6 +86,9 @@ required):
   will be valid, even if `ecmaVersion` is less than 6. If set to `"commonjs"`,
   it is the same as `"script"` except that the top-level scope behaves like a function.
 
+- **strict**: When set to true, enable strict parsing mode even if
+  `sourceType` is `"script"`.
+
 - **onInsertedSemicolon**: If given a callback, that callback will be
   called whenever a missing semicolon is inserted by the parser. The
   callback will be given the character offset of the point where the

package/node_modules/acorn/dist/acorn.d.mts

@@ -619,6 +619,12 @@ export interface Options {
    */
   sourceType?: "script" | "module" | "commonjs"
 
+  /**
+   * When set to true, enable strict parsing mode even if `sourceType`
+   * is `"script"`.
+   */
+  strict?: boolean
+
   /**
    * a callback that will be called when a semicolon is automatically inserted.
    * @param lastTokEnd the position of the comma as an offset

package/node_modules/acorn/dist/acorn.d.ts

@@ -619,6 +619,12 @@ export interface Options {
    */
   sourceType?: "script" | "module" | "commonjs"
 
+  /**
+   * When set to true, enable strict parsing mode even if `sourceType`
+   * is `"script"`.
+   */
+  strict?: boolean
+
   /**
    * a callback that will be called when a semicolon is automatically inserted.
    * @param lastTokEnd the position of the comma as an offset