arol-ai 0.1.2 → 0.1.3

package/README.md

@@ -76,9 +76,14 @@ Flags **only** when your code actually references the deprecated API in a scanne
 
 This split is what keeps a marketing page that mentions *"GPT-4o, GPT-4.1, and o4-mini"* from being reported as deprecated usage: those names aren't quoted string literals, so `detect.models` ignores them. Only something like `model: "o4-mini"` counts.
 
+Two more layers keep matches context-aware:
+
+- **Language scoping (`applies_to`).** Each entry lists the file extensions its signals are valid in (e.g. `["py"]`, `["js","ts","jsx","tsx","mjs"]`, or `["*"]` for model strings). An entry is only tested against files with a matching extension, so a Python-only pattern like `openai.ChatCompletion` never fires in a `.tsx` file. Defaults to `["*"]` when omitted.
+- **Comment stripping.** Before matching, comments are blanked out per language — `//`, `/* */`, JSX `{/* */}`, and `#` (Python). Stripping is string-aware: a marker inside a string literal (e.g. the `//` in `"https://…"`) is **not** treated as a comment, and offsets are preserved so reported line numbers stay exact. A commented-out `model: "gpt-4o"` is ignored; the real call on the next line is not.
+
 Each hit records the **file path, line number, and matched text**, and one deprecation aggregates **all** of its matched locations into a single finding.
 
-> Having the `openai` package in `requirements.txt` does **not** flag the Assistants API deprecation. Your code has to actually use `beta.assistants` / a deprecated model id (etc.).
+> Having the `openai` package in `requirements.txt` does **not** flag the Assistants API deprecation. Your code has to actually use `beta.assistants` / a deprecated model id (etc.), in a file of the right language, outside comments.
 
 **Files scanned / skipped**
 
@@ -142,6 +147,7 @@ The dataset is either a bare array of entries, or a `{ "deprecations": [ ... ] }
   "title": "Assistants API (beta)", // short headline (required)
   "severity": "high",               // "high" | "medium" | "low" (required)
   "match": "pattern",               // "pattern" (default) | "sdk" | "version"
+  "applies_to": ["py","js","ts","jsx","tsx","mjs"], // extensions to test; ["*"] = any
   "sunset_date": "2026-08-26",      // ISO YYYY-MM-DD, or "" if no fixed date
   "detect": {
     "sdk": ["openai"],              // scope hint for "pattern"; the trigger for "sdk"/"version"
@@ -157,7 +163,7 @@ The dataset is either a bare array of entries, or a `{ "deprecations": [ ... ] }
 }
 ```
 
-A model-retirement entry uses `detect.models` so it only fires on a quoted model id, never on prose:
+A model-retirement entry uses `detect.models` (and `applies_to: ["*"]`) so it only fires on a quoted model id, in any language, never on prose:
 
 ```jsonc
 {
@@ -166,6 +172,7 @@ A model-retirement entry uses `detect.models` so it only fires on a quoted model
   "title": "GPT-4 family models (API shutdown)",
   "severity": "high",
   "match": "pattern",
+  "applies_to": ["*"],
   "sunset_date": "2026-10-23",
   "detect": {
     "sdk": ["openai"],
@@ -177,6 +184,23 @@ A model-retirement entry uses `detect.models` so it only fires on a quoted model
 }
 ```
 
+A Python-only entry scopes itself with `applies_to: ["py"]`, so its patterns never fire in JS/TSX files that merely mention the API in prose:
+
+```jsonc
+{
+  "id": "openai-python-v0-syntax",
+  "vendor": "OpenAI",
+  "title": "Legacy openai-python v0 call syntax",
+  "severity": "high",
+  "match": "pattern",
+  "applies_to": ["py"],
+  "sunset_date": "2023-11-06",
+  "detect": { "sdk": ["openai"], "patterns": ["openai\\.ChatCompletion"] },
+  "migration_url": "https://github.com/openai/openai-python/discussions/742",
+  "summary": "Instantiate a client: client.chat.completions.create(...)."
+}
+```
+
 A `version` entry instead flags on the installed SDK version (no patterns needed):
 
 ```jsonc
@@ -203,6 +227,7 @@ A `version` entry instead flags on the installed SDK version (no patterns needed
 | `title` | string | ✓ | Short headline for the finding. |
 | `severity` | `"high"` \| `"medium"` \| `"low"` | ✓ | Drives color, sort order, and `--fail-on`. |
 | `match` | `"pattern"` \| `"sdk"` \| `"version"` | – | How the entry is triggered. **Defaults to `"pattern"`** when omitted. See [How detection works](#how-detection-works). |
+| `applies_to` | string[] | – | File extensions (no dot) the entry's patterns/models are tested against, e.g. `["py"]` or `["js","ts","jsx","tsx","mjs"]`. Use `["*"]` for any file (model strings). **Defaults to `["*"]`** when omitted. |
 | `version_range` | string | – | For `match: "version"` only — e.g. `"<3.0.0"`, `">=1.2.0"`, `"=2.1.0"`. If omitted, a `version` entry behaves like `"sdk"`. |
 | `sunset_date` | string | – | ISO `YYYY-MM-DD`. Use `""` for unmaintained/no-fixed-date items; the report shows a relative hint (e.g. *"in 42 days"* / *"passed 12 days ago"*). |
 | `detect.sdk` | string[] | – | Manifest dependency/module names. For `match: "pattern"` this is only a **scope hint and never triggers** a finding; for `sdk`/`version` it is the trigger. |

package/dist/data.js

@@ -89,6 +89,11 @@ function coerceDeprecation(raw) {
     const version_range = isNonEmptyString(r.version_range)
         ? r.version_range
         : undefined;
+    // Language scoping: extensions this entry's patterns are valid in.
+    // Normalize to lowercase, dot-stripped; default to ["*"] (match any file).
+    const applies_to = isStringArray(r.applies_to) && r.applies_to.length > 0
+        ? r.applies_to.map((e) => e.toLowerCase().replace(/^\./, ""))
+        : ["*"];
     // Drop entries that can never fire under their match mode.
     // A "pattern" entry fires on either a raw pattern OR a model-string match.
     if (match === "pattern" && patterns.length === 0 && models.length === 0)
@@ -101,6 +106,7 @@ function coerceDeprecation(raw) {
         title: r.title,
         severity: r.severity,
         match,
+        applies_to,
         sunset_date: typeof r.sunset_date === "string" ? r.sunset_date : "",
         detect: { sdk, patterns, models },
         version_range,

package/dist/scanner.js

@@ -121,9 +121,110 @@ function compileDeprecations(deprecations) {
                 // Defensive: a pathological family name must not crash the scan.
             }
         }
-        return { deprecation, regexes };
+        const appliesTo = new Set((deprecation.applies_to.length > 0 ? deprecation.applies_to : ["*"]).map((e) => e.toLowerCase()));
+        return { deprecation, regexes, appliesTo };
     });
 }
+/** True if a compiled entry should be tested against a file with this extension. */
+function appliesToExt(compiled, ext) {
+    return compiled.appliesTo.has("*") || compiled.appliesTo.has(ext);
+}
+function commentConfig(ext) {
+    switch (ext) {
+        case "js":
+        case "mjs":
+        case "cjs":
+        case "jsx":
+        case "ts":
+        case "mts":
+        case "cts":
+        case "tsx":
+        case "go":
+            return { line: ["//"], block: [["/*", "*/"]], strings: ["'", '"', "`"], triple: [] };
+        case "py":
+            return { line: ["#"], block: [], strings: ["'", '"'], triple: ['"""', "'''"] };
+        default:
+            return null;
+    }
+}
+/**
+ * Replace comments with spaces so they don't match, while preserving the exact
+ * byte length and all newlines — line/column offsets stay correct. String literals
+ * (including their contents) are left intact, so a comment marker inside a string
+ * (e.g. "https://…") is NOT treated as a comment.
+ */
+function stripComments(src, cfg) {
+    const out = src.split("");
+    const n = src.length;
+    const at = (s, i) => src.startsWith(s, i);
+    const blank = (from, to) => {
+        for (let k = from; k < to; k++)
+            if (out[k] !== "\n")
+                out[k] = " ";
+    };
+    let i = 0;
+    while (i < n) {
+        // Triple-quoted strings (Python) — checked before single quotes.
+        let matched = false;
+        for (const t of cfg.triple) {
+            if (at(t, i)) {
+                i += t.length;
+                while (i < n && !at(t, i))
+                    i++;
+                i += t.length;
+                matched = true;
+                break;
+            }
+        }
+        if (matched)
+            continue;
+        // Ordinary string literals — preserve contents verbatim.
+        for (const q of cfg.strings) {
+            if (src[i] === q) {
+                i++;
+                while (i < n && src[i] !== q) {
+                    if (src[i] === "\\")
+                        i++; // skip escaped char
+                    i++;
+                }
+                i++; // closing quote (or past end if unterminated)
+                matched = true;
+                break;
+            }
+        }
+        if (matched)
+            continue;
+        // Block comments.
+        for (const [open, close] of cfg.block) {
+            if (at(open, i)) {
+                const end = src.indexOf(close, i + open.length);
+                const stop = end === -1 ? n : end + close.length;
+                blank(i, stop);
+                i = stop;
+                matched = true;
+                break;
+            }
+        }
+        if (matched)
+            continue;
+        // Line comments.
+        for (const lc of cfg.line) {
+            if (at(lc, i)) {
+                let k = i;
+                while (k < n && src[k] !== "\n")
+                    k++;
+                blank(i, k);
+                i = k;
+                matched = true;
+                break;
+            }
+        }
+        if (matched)
+            continue;
+        i++;
+    }
+    return out.join("");
+}
 /** Precompute the byte offset at which each line starts. */
 function computeLineStarts(content) {
     const starts = [0];
@@ -354,7 +455,16 @@ function scanRepo(root, deprecations, options = {}) {
             continue;
         }
         scannedFiles++;
-        scanContent(content, rel, compiled, patternSink);
+        // Language scoping: only test entries valid for this file's extension.
+        const ext = path.extname(rel).slice(1).toLowerCase();
+        const applicable = compiled.filter((c) => appliesToExt(c, ext));
+        if (applicable.length === 0)
+            continue;
+        // Comment stripping: match against de-commented source so mentions in
+        // comments don't count. Offsets are preserved, so line numbers stay correct.
+        const cfg = commentConfig(ext);
+        const scanText = cfg ? stripComments(content, cfg) : content;
+        scanContent(scanText, rel, applicable, patternSink);
     }
     // 3. Build findings — one per deprecation, evaluated per its match mode.
     const findings = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arol-ai",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Scan a local repo for upcoming third-party API/SDK deprecations. Fully local — no network, no telemetry, your code never leaves the machine.",
   "keywords": [
     "deprecation",

package/src/data/deprecations.json

@@ -5,6 +5,7 @@
     "title": "Assistants API (beta)",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2026-08-26",
     "detect": {
       "sdk": ["openai"],
@@ -25,6 +26,7 @@
     "title": "Claude Sonnet 4 & Opus 4",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-06-15",
     "detect": {
       "sdk": ["@anthropic-ai/sdk", "anthropic"],
@@ -46,6 +48,7 @@
     "title": "Retired Claude models (Haiku 3, 3.5/3.7 Sonnet, Claude 2.x)",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-04-20",
     "detect": {
       "sdk": ["@anthropic-ai/sdk", "anthropic"],
@@ -69,6 +72,7 @@
     "title": "Gemini 2.5 Pro / Flash / Flash-Lite",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-10-16",
     "detect": {
       "sdk": ["@google/generative-ai", "@google/genai", "google-generativeai"],
@@ -85,6 +89,7 @@
     "title": "Gemini 2.0 Flash family",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-06-01",
     "detect": {
       "sdk": ["@google/generative-ai", "@google/genai", "google-generativeai"],
@@ -106,11 +111,17 @@
     "title": "Gemini 1.0 / 1.5 models",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-04-29",
     "detect": {
       "sdk": ["@google/generative-ai", "@google/genai", "google-generativeai"],
       "patterns": [],
-      "models": ["gemini-1.5-pro", "gemini-1.5-flash", "gemini-1.0-pro", "gemini-pro"]
+      "models": [
+        "gemini-1.5-pro",
+        "gemini-1.5-flash",
+        "gemini-1.0-pro",
+        "gemini-pro"
+      ]
     },
     "migration_url": "https://ai.google.dev/gemini-api/docs/deprecations",
     "summary": "All Gemini 1.0 and 1.5 models are shut down and return 404. Migrate to Gemini 2.5+ or 3.x.",
@@ -122,6 +133,7 @@
     "title": "GPT-4 family models (API shutdown)",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2026-10-23",
     "date_confidence": "verify",
     "detect": {
@@ -149,6 +161,7 @@
     "title": "Retired legacy OpenAI models (GPT-3 era, early snapshots)",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["*"],
     "sunset_date": "2024-01-04",
     "detect": {
       "sdk": ["openai"],
@@ -174,6 +187,7 @@
     "title": "Removed legacy Stripe.js methods",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2026-03-25",
     "detect": {
       "sdk": ["@stripe/stripe-js", "stripe"],
@@ -197,6 +211,7 @@
     "title": "Sources API / legacy Charges API",
     "severity": "medium",
     "match": "pattern",
+    "applies_to": ["js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2024-05-15",
     "detect": {
       "sdk": ["stripe"],
@@ -212,6 +227,7 @@
     "title": "Notify API",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2027-01-31",
     "date_confidence": "verify",
     "detect": {
@@ -228,6 +244,7 @@
     "title": "Programmable Chat API",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2022-07-25",
     "detect": {
       "sdk": ["twilio", "twilio-chat"],
@@ -243,6 +260,7 @@
     "title": "AWS SDK for JavaScript v2",
     "severity": "medium",
     "match": "sdk",
+    "applies_to": ["js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2025-09-08",
     "detect": {
       "sdk": ["aws-sdk"],
@@ -258,6 +276,7 @@
     "title": "Legacy API keys (hapikey)",
     "severity": "high",
     "match": "pattern",
+    "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2022-11-30",
     "detect": {
       "sdk": ["@hubspot/api-client"],
@@ -266,5 +285,70 @@
     "migration_url": "https://developers.hubspot.com/changelog/upcoming-api-key-sunset",
     "summary": "HubSpot deprecated legacy API keys (the hapikey query param) on Nov 30, 2022; requests using hapikey now fail. Migrate to Private App access tokens (Bearer auth). The eCommerce Bridge and Accounting Extension APIs were also sunset Dec 1, 2022.",
     "source": "https://developers.hubspot.com/changelog/upcoming-api-key-sunset"
+  },
+  {
+    "id": "openai-python-v0-syntax",
+    "vendor": "OpenAI",
+    "title": "Legacy openai-python v0 call syntax",
+    "severity": "high",
+    "match": "pattern",
+    "applies_to": ["py"],
+    "sunset_date": "2023-11-06",
+    "detect": {
+      "sdk": ["openai"],
+      "patterns": [
+        "openai\\.ChatCompletion",
+        "openai\\.Completion\\.create",
+        "openai\\.Embedding\\.create",
+        "openai\\.Moderation\\.create"
+      ]
+    },
+    "migration_url": "https://github.com/openai/openai-python/discussions/742",
+    "summary": "openai-python v1.0 (Nov 2023) removed module-level calls. openai.ChatCompletion/Completion/Embedding.create now raise APIRemovedInV1. Instantiate a client (client = OpenAI(); client.chat.completions.create(...)) or run `openai migrate`.",
+    "source": "https://github.com/openai/openai-python/issues/2172"
+  },
+  {
+    "id": "vercel-ai-sdk-v5-removed",
+    "vendor": "Vercel (AI SDK)",
+    "title": "AI SDK v4→v5/v6 removed APIs",
+    "severity": "medium",
+    "match": "pattern",
+    "applies_to": ["js", "ts", "jsx", "tsx", "mjs"],
+    "sunset_date": "2025-07-31",
+    "detect": {
+      "sdk": ["ai"],
+      "patterns": [
+        "from ['\"]ai/react['\"]",
+        "from ['\"]ai/openai['\"]",
+        "experimental_streamText",
+        "experimental_generateText",
+        "StreamingTextResponse"
+      ]
+    },
+    "migration_url": "https://ai-sdk.dev/docs/migration-guides/migration-guide-5-0",
+    "summary": "AI SDK v5 (Jul 2025) removed deprecated APIs: 'ai/react' → '@ai-sdk/react', experimental_streamText → streamText, StreamingTextResponse removed, useChat maxSteps removed. v6 moved provider imports ('ai/openai' → '@ai-sdk/openai').",
+    "source": "https://ai-sdk.dev/docs/migration-guides/migration-guide-5-0"
+  },
+  {
+    "id": "langchain-legacy-imports",
+    "vendor": "LangChain",
+    "title": "Legacy LangChain imports & chains",
+    "severity": "medium",
+    "match": "pattern",
+    "applies_to": ["py"],
+    "sunset_date": "2024-05-01",
+    "detect": {
+      "sdk": ["langchain"],
+      "patterns": [
+        "from langchain\\.llms import",
+        "from langchain\\.chat_models import",
+        "from langchain\\.embeddings import",
+        "initialize_agent",
+        "LLMChain"
+      ]
+    },
+    "migration_url": "https://python.langchain.com/docs/versions/v0_2/",
+    "summary": "Pre-0.2 LangChain imports are deprecated/removed: langchain.llms/chat_models/embeddings → langchain_community or provider packages (langchain_openai). LLMChain and initialize_agent are deprecated (use LCEL / create_agent; legacy moved to langchain-classic in 1.0).",
+    "source": "https://github.com/langchain-ai/langchain/discussions/19083"
   }
 ]