circle-ir-ai 2.11.2 → 2.11.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +33 -0
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,39 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.11.3] - 2026-06-18
|
|
9
|
+
|
|
10
|
+
### Changed — circle-ir 3.69.0 → 3.71.0
|
|
11
|
+
|
|
12
|
+
Drop-in engine bump across 2 sprints (3.70.0 / 3.71.0):
|
|
13
|
+
|
|
14
|
+
- **3.70.0** — Sprint 20 new pass `cache-no-vary` (rule
|
|
15
|
+
`cache-no-vary`, `CWE-524`, severity `medium`) detecting
|
|
16
|
+
shared-cache leaks where an authenticated response is marked
|
|
17
|
+
`Cache-Control: public` without a `Vary` header. Strict
|
|
18
|
+
auth-qualifier mode (requires 3 signals: cache-public + auth + no
|
|
19
|
+
Vary) to keep the FP rate low on generic CDN-cacheable assets.
|
|
20
|
+
Covers JS/TS (Express, Fastify, Koa), Python (Flask, FastAPI,
|
|
21
|
+
Django), Go (`net/http`, gin), Java (Spring, Servlet). Allowlist
|
|
22
|
+
guardrails skip `private`/`no-store`/`no-cache`, `max-age=0`, test
|
|
23
|
+
files, and `Vary: *`. 12 new fixtures, engine suite 2467 pass.
|
|
24
|
+
- **3.71.0** — Sprint 21 OOP safe-mirror sanitizer FP closures
|
|
25
|
+
(cognium-dev#105): FP-31 `findOopFieldReadSources` now recognizes
|
|
26
|
+
allowlist-guarded getter pattern (`if x not in
|
|
27
|
+
UPPER_SNAKE_CONST: raise`) so allowlist-cleared field reads stop
|
|
28
|
+
emitting as taint sources. FP-32 new `isMongoValueBoundFilter`
|
|
29
|
+
helper post-filters `nosql_injection` for MongoDB value-bound
|
|
30
|
+
filter dicts (`{field: {"$lte": value}}` etc.) — operator-injection
|
|
31
|
+
only fires when the operator key itself is user-controlled.
|
|
32
|
+
Regression locks added for FP-33 (hardened `lxml` parser), FP-34
|
|
33
|
+
(EJS auto-escape) and FN-INV (direct `self.url` field read).
|
|
34
|
+
Engine suite 2475 pass.
|
|
35
|
+
|
|
36
|
+
No API breaks — both new findings surface through the existing
|
|
37
|
+
`analyze()` / mastra workflow output as `findings[].type ===
|
|
38
|
+
'cache-no-vary'`. The OOP sanitizer additions are pure suppression
|
|
39
|
+
on existing rule emissions.
|
|
40
|
+
|
|
8
41
|
## [2.11.2] - 2026-06-18
|
|
9
42
|
|
|
10
43
|
### Changed — circle-ir 3.66.0 → 3.69.0
|
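Review bot: the closing paragraph says "both new findings surface through the existing `analyze()` / mastra workflow output as `findings[].type === 'cache-no-vary'`", but this bump introduces only one new finding type (the 3.70.0 `cache-no-vary` rule); the 3.71.0 FP-31/FP-32 work is, as the next sentence itself states, pure suppression of existing rule emissions, so "both new findings" should read "the new rule's findings". Since the preamble says the file follows Keep a Changelog, the new rule also belongs under `### Added` and the FP closures plus FP-33/FP-34/FN-INV regression locks under `### Fixed`, rather than everything under one `### Changed` section; if the one-section-per-engine-bump convention is deliberate (2.11.2 uses the same form), at least lead the 3.70.0 bullet with "Added". Minor: the 2.11.3 entry carries the same date (2026-06-18) as the 2.11.2 entry directly below it; confirm that is a same-day release and not a copied date.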
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir-ai",
|
|
3
|
-
"version": "2.11.
|
|
3
|
+
"version": "2.11.3",
|
|
4
4
|
"description": "LLM-enhanced SAST analysis built on circle-ir",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
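Review bot: this is a patch-level bump (2.11.3) while the changelog hunk above describes a new finding type (`cache-no-vary`) appearing in `analyze()` output; under the Semantic Versioning policy the changelog preamble declares, new backward-compatible behaviour is normally a minor bump (2.12.0), and consumers that enumerate or allowlist `findings[].type` would benefit from that signal. If the project's convention is that drop-in engine bumps are always patch releases, state that convention once in the changelog preamble so the version number is not read as "no new rules".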
@@ -94,7 +94,7 @@
|
|
|
94
94
|
"dependencies": {
|
|
95
95
|
"@ax-llm/ax": "^20.0.0",
|
|
96
96
|
"@mastra/core": "^1.18.0",
|
|
97
|
-
"circle-ir": "3.
|
|
97
|
+
"circle-ir": "3.71.0",
|
|
98
98
|
"minimatch": "^10.2.5",
|
|
99
99
|
"p-queue": "^9.1.0"
|
|
100
100
|
},
|
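Review bot: `circle-ir` remains pinned to an exact version (`3.71.0`, no caret) while every other dependency in this block uses a caret range. That is the right choice for the engine, because the changelog ties each circle-ir-ai release to a specific engine version and engine minors add rules and change emissions (3.70.0 added `cache-no-vary`, 3.71.0 changed what `nosql_injection` emits), so a caret range would let the finding set drift without a circle-ir-ai release. It does mean consumers cannot pick up engine-only fixes without a new circle-ir-ai publish; add a short comment in the README or changelog preamble explaining the exact pin so a later cleanup does not "normalise" it to `^3.71.0`.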