circle-ir-ai 2.11.1 → 2.11.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +30 -0
- package/package.json +2 -2
package/CHANGELOG.md
@@ -5,6 +5,36 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
## [2.11.2] - 2026-06-18
+
+
### Changed — circle-ir 3.66.0 → 3.69.0
+
+
Drop-in engine bump across 3 sprints (3.67.0 / 3.68.0 / 3.69.0):
+
+
- **3.67.0** — Java safe-corpus regressions closed (the long-tail
+
beyond what 3.64.0 / 3.65.0 caught for cognium-dev#49 / #101):
+
`SafeService.java` `path_traversal` + `xxe` and
+
`FalsePositiveCorpus.java` `command_injection` (switch→constant)
+
now suppressed on the real `coggiyadmin/java-vuln-demo` shape
+
(not just the synthetic regression fixtures). The remaining
+
`FalsePositiveCorpus.java` `sql_injection@81` (bounded `Set`
+
allowlist) is still tracked as open in cognium-dev#101.
+
- **3.68.0** — Sprint 18 Python consolidation: f-string taint fix,
+
two new sinks (`urllib.request.urlretrieve` for ssrf + path
+
traversal), 12-fixture Python FP/FN regression locks tracking
+
cognium-dev#100 / #96 / #65.
+
- **3.69.0** — Sprint 19 new pass `module-side-effect` (rule
+
`module-side-effect`, `CWE-829`, severity `high`) detecting
+
supply-chain droppers via module-load / install-time / build-time
+
side effects across JS/TS (incl. `package.json` install scripts),
+
Python, Go (`init()`), and Rust (`build.rs`). 8 new regression
+
fixtures (5 positive + 3 negative-control). Engine suite now
+
2455 pass / 1 skip / zero regressions across 139 files.
+
+
No API breaks on the bump itself — the new pass surfaces as a new
+
`findings[].type === 'module-side-effect'` value through the existing
+
`analyze()` / mastra workflow output.
+
## [2.11.1] - 2026-06-18
### Changed — circle-ir 3.59.0 → 3.66.0
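Review bot: the entire 2.11.2 entry sits under one `### Changed` heading although the file says it follows Keep a Changelog, under which the Java false-positive closures in 3.67.0 and the f-string taint fix in 3.68.0 read as `### Fixed` and the new `module-side-effect` pass (new rule, new `CWE-829` mapping, new `findings[].type` value) reads as `### Added`; splitting the three bullets across those headings would let a reader see at a glance what is new surface versus what is a correction, which is what the "No API breaks on the bump itself" sentence asks them to trust. Worth one more line for downstream consumers: any caller that matches exhaustively on `findings[].type` from `analyze()` will now encounter `'module-side-effect'` for the first time, so the entry should state that unrecognised finding types must be passed through (and shown at their `high` severity) rather than silently dropped.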
package/package.json
@@ -1,6 +1,6 @@
{
"name": "circle-ir-ai",
-
"version": "2.11.
+
"version": "2.11.2",
"description": "LLM-enhanced SAST analysis built on circle-ir",
"main": "dist/index.js",
"module": "dist/index.js",
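Review bot: the bump is patch-level (2.11.1 to 2.11.2) while the CHANGELOG for this same release describes new functionality reaching callers, namely a new `'module-side-effect'` value in `findings[].type` returned through `analyze()` and the mastra workflow output; under Semantic Versioning, which the changelog says this project adheres to, backward-compatible new functionality is a minor bump, so either release this as 2.12.0 or add a sentence to the changelog explaining why a new finding type is treated as an engine-internal change rather than new public surface.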
@@ -94,7 +94,7 @@
"dependencies": {
"@ax-llm/ax": "^20.0.0",
"@mastra/core": "^1.18.0",
-
"circle-ir": "3.
+
"circle-ir": "3.69.0",
"minimatch": "^10.2.5",
"p-queue": "^9.1.0"
},
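Review bot: `circle-ir` is the only dependency pinned to an exact version (`"3.69.0"`) while `@ax-llm/ax`, `@mastra/core`, `minimatch` and `p-queue` all use caret ranges; pinning the analysis engine exactly is the right choice for a SAST wrapper, since a range would let an unrelated reinstall change which rules and sinks run and make findings non-reproducible between two machines, but the rationale should be written down in the README or CHANGELOG so a later contributor does not "normalise" it to `^3.69.0`, and each engine bump (here three minor versions, 3.66.0 to 3.69.0, in one step) should continue to be released explicitly as this diff does.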