cognium-dev 3.30.0 → 3.33.0

package/dist/cli.js

@@ -8990,6 +8990,484 @@ function findChildByTypeGo(node, type) {
   }
   return null;
 }
+// ../circle-ir/dist/core/extractors/runtime-registrations.js
+var HTTP_VERB_METHODS = new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options",
+  "all"
+]);
+var MIDDLEWARE_METHODS = new Set(["use"]);
+var EVENT_LISTENER_METHODS = new Set(["on", "once", "ws"]);
+var EXPRESS_RECEIVER_NAMES = new Set([
+  "app",
+  "router",
+  "server",
+  "apiRouter",
+  "fastify",
+  "koa",
+  "express"
+]);
+var FRAMEWORK_MODULE_PATTERNS = [
+  /^express$/,
+  /^@?fastify(\/.*)?$/,
+  /^koa$/,
+  /^restify$/,
+  /^hapi$/,
+  /^@nestjs\/common$/,
+  /^@nestjs\/core$/
+];
+function extractRuntimeRegistrations(tree, cache, language, imports) {
+  if (language === "javascript" || language === "typescript") {
+    return extractJSRuntimeRegistrations(tree, cache, imports);
+  }
+  if (language === "python") {
+    return extractPythonRuntimeRegistrations(tree, cache, imports);
+  }
+  return [];
+}
+function buildHandlerIndex(tree, cache, imports) {
+  const decls = new Map;
+  const recordDeclaration = (name2, node) => {
+    if (!decls.has(name2)) {
+      decls.set(name2, {
+        line: node.startPosition.row + 1,
+        column: node.startPosition.column
+      });
+    }
+  };
+  for (const fn of getNodesFromCache(tree.rootNode, "function_declaration", cache)) {
+    const nameNode = fn.childForFieldName("name");
+    if (nameNode)
+      recordDeclaration(getNodeText(nameNode), fn);
+  }
+  const collectVarDeclarators = (parentType) => {
+    for (const decl of getNodesFromCache(tree.rootNode, parentType, cache)) {
+      for (let i2 = 0;i2 < decl.childCount; i2++) {
+        const child = decl.child(i2);
+        if (!child || child.type !== "variable_declarator")
+          continue;
+        const nameNode = child.childForFieldName("name");
+        const valueNode = child.childForFieldName("value");
+        if (!nameNode || !valueNode)
+          continue;
+        if (valueNode.type === "arrow_function" || valueNode.type === "function_expression" || valueNode.type === "function") {
+          recordDeclaration(getNodeText(nameNode), child);
+        }
+      }
+    }
+  };
+  collectVarDeclarators("lexical_declaration");
+  collectVarDeclarators("variable_declaration");
+  let hasFrameworkImport = false;
+  if (imports) {
+    for (const imp of imports) {
+      const mod = imp.from_package ?? "";
+      if (mod && FRAMEWORK_MODULE_PATTERNS.some((re) => re.test(mod))) {
+        hasFrameworkImport = true;
+        break;
+      }
+    }
+  }
+  return { declarations: decls, hasFrameworkImport };
+}
+function extractJSRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const index = buildHandlerIndex(tree, cache, imports);
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const fnNode = call.childForFieldName("function");
+    if (!fnNode || fnNode.type !== "member_expression")
+      continue;
+    const objectNode = fnNode.childForFieldName("object");
+    const propertyNode = fnNode.childForFieldName("property");
+    if (!objectNode || !propertyNode)
+      continue;
+    const method = getNodeText(propertyNode);
+    const receiver = getNodeText(objectNode);
+    const kind = classifyMethod(method);
+    if (!kind)
+      continue;
+    if (!isExpressShapedReceiver(receiver) && !index.hasFrameworkImport) {
+      continue;
+    }
+    const argsNode = call.childForFieldName("arguments");
+    if (!argsNode)
+      continue;
+    const argNodes = getRealArgs(argsNode);
+    if (argNodes.length === 0)
+      continue;
+    let path;
+    let handlerStart = 0;
+    const first = argNodes[0];
+    if (first.type === "string") {
+      path = stripQuotes(getNodeText(first));
+      handlerStart = 1;
+    } else if (first.type === "template_string" && !hasTemplateSubstitution(first)) {
+      path = stripBackticks(getNodeText(first));
+      handlerStart = 1;
+    }
+    for (let i2 = handlerStart;i2 < argNodes.length; i2++) {
+      const handlerNode = argNodes[i2];
+      const handler = resolveHandler(handlerNode, index);
+      if (!handler)
+        continue;
+      out2.push({
+        kind,
+        framework: inferFramework(receiver, index.hasFrameworkImport),
+        registrar: {
+          method,
+          receiver,
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function classifyMethod(method) {
+  if (HTTP_VERB_METHODS.has(method))
+    return "http_route";
+  if (MIDDLEWARE_METHODS.has(method))
+    return "middleware";
+  if (EVENT_LISTENER_METHODS.has(method))
+    return "event_listener";
+  return null;
+}
+function isExpressShapedReceiver(receiver) {
+  if (EXPRESS_RECEIVER_NAMES.has(receiver))
+    return true;
+  if (/(?:Router|App|Server)$/.test(receiver))
+    return true;
+  return false;
+}
+function inferFramework(receiver, hasFrameworkImport) {
+  if (receiver === "fastify")
+    return "fastify";
+  if (receiver === "koa")
+    return "koa";
+  if (receiver === "express")
+    return "express";
+  return hasFrameworkImport ? "express" : "unknown";
+}
+function getRealArgs(argsNode) {
+  const out2 = [];
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    out2.push(child);
+  }
+  return out2;
+}
+function stripQuotes(s) {
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function stripBackticks(s) {
+  if (s.length >= 2 && s[0] === "`" && s[s.length - 1] === "`") {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function hasTemplateSubstitution(node) {
+  for (let i2 = 0;i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child && child.type === "template_substitution")
+      return true;
+  }
+  return false;
+}
+function resolveHandler(node, index) {
+  if (node.type === "arrow_function" || node.type === "function_expression" || node.type === "function") {
+    return {
+      name: null,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "identifier") {
+    const name2 = getNodeText(node);
+    const decl = index.declarations.get(name2);
+    if (decl) {
+      return { name: name2, line: decl.line, column: decl.column };
+    }
+    return {
+      name: name2,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "member_expression") {
+    return {
+      name: getNodeText(node),
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  return null;
+}
+var PY_HTTP_ROUTE_METHODS = new Set([
+  "route",
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options"
+]);
+var PY_MIDDLEWARE_METHODS = new Set([
+  "before_request",
+  "after_request",
+  "teardown_request",
+  "before_first_request",
+  "teardown_appcontext",
+  "middleware"
+]);
+var PY_EVENT_METHODS = new Set([
+  "errorhandler",
+  "on_event",
+  "exception_handler"
+]);
+var PY_STDLIB_DECORATORS = new Set([
+  "property",
+  "staticmethod",
+  "classmethod",
+  "abstractmethod",
+  "cached_property",
+  "dataclass",
+  "cache",
+  "lru_cache",
+  "singledispatch",
+  "singledispatchmethod",
+  "contextmanager",
+  "asynccontextmanager",
+  "final",
+  "override",
+  "wraps"
+]);
+function summarisePythonImports(imports) {
+  const s = {
+    hasFlask: false,
+    hasFastApi: false,
+    hasCelery: false,
+    hasNumba: false,
+    hasClick: false,
+    hasPytest: false
+  };
+  if (!imports)
+    return s;
+  for (const imp of imports) {
+    const mod = imp.from_package ?? "";
+    if (!mod)
+      continue;
+    if (/^flask(\b|\.)/.test(mod))
+      s.hasFlask = true;
+    if (/^fastapi(\b|\.)/.test(mod) || /^starlette(\b|\.)/.test(mod))
+      s.hasFastApi = true;
+    if (/^celery(\b|\.)/.test(mod))
+      s.hasCelery = true;
+    if (/^numba(\b|\.)/.test(mod))
+      s.hasNumba = true;
+    if (/^click(\b|\.)/.test(mod))
+      s.hasClick = true;
+    if (/^pytest(\b|\.)/.test(mod))
+      s.hasPytest = true;
+  }
+  return s;
+}
+function extractPythonRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const importSummary = summarisePythonImports(imports);
+  const decoratedDefs = getNodesFromCache(tree.rootNode, "decorated_definition", cache);
+  for (const dd of decoratedDefs) {
+    let fnNode = null;
+    const decorators = [];
+    for (let i2 = 0;i2 < dd.childCount; i2++) {
+      const child = dd.child(i2);
+      if (!child)
+        continue;
+      if (child.type === "decorator") {
+        decorators.push(child);
+      } else if (child.type === "function_definition" || child.type === "async_function_definition") {
+        fnNode = child;
+      }
+    }
+    if (!fnNode || decorators.length === 0)
+      continue;
+    const handler = pythonHandlerFromFunctionDef(fnNode);
+    if (!handler)
+      continue;
+    for (const dec of decorators) {
+      const parsed = parsePythonDecorator(dec);
+      if (!parsed)
+        continue;
+      const { receiver, method, path, line, column } = parsed;
+      const { kind, framework } = classifyPythonDecorator(receiver, method, importSummary);
+      out2.push({
+        kind,
+        framework,
+        registrar: { method, receiver, line, column },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function pythonHandlerFromFunctionDef(fn) {
+  const nameNode = fn.childForFieldName("name");
+  if (!nameNode)
+    return null;
+  return {
+    name: getNodeText(nameNode),
+    line: fn.startPosition.row + 1,
+    column: fn.startPosition.column
+  };
+}
+function parsePythonDecorator(dec) {
+  let target = null;
+  for (let i2 = 0;i2 < dec.childCount; i2++) {
+    const child = dec.child(i2);
+    if (!child || child.type === "@")
+      continue;
+    target = child;
+    break;
+  }
+  if (!target)
+    return null;
+  const line = dec.startPosition.row + 1;
+  const column = dec.startPosition.column;
+  if (target.type === "identifier") {
+    return { receiver: "", method: getNodeText(target), line, column };
+  }
+  if (target.type === "attribute") {
+    const { receiver, method } = splitDottedAttribute(target);
+    return { receiver, method, line, column };
+  }
+  if (target.type === "call") {
+    const fnNode = target.childForFieldName("function");
+    if (!fnNode)
+      return null;
+    let receiver = "";
+    let method = "";
+    if (fnNode.type === "identifier") {
+      method = getNodeText(fnNode);
+    } else if (fnNode.type === "attribute") {
+      const split = splitDottedAttribute(fnNode);
+      receiver = split.receiver;
+      method = split.method;
+    } else {
+      method = getNodeText(fnNode);
+    }
+    const path = extractFirstStringArg(target);
+    return { receiver, method, path, line, column };
+  }
+  return null;
+}
+function splitDottedAttribute(attr) {
+  const objectNode = attr.childForFieldName("object");
+  const attrNode = attr.childForFieldName("attribute");
+  const method = attrNode ? getNodeText(attrNode) : "";
+  const receiver = objectNode ? getNodeText(objectNode) : "";
+  return { receiver, method };
+}
+function extractFirstStringArg(call) {
+  const argsNode = call.childForFieldName("arguments");
+  if (!argsNode)
+    return;
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    if (child.type === "string") {
+      return stripPythonStringQuotes(getNodeText(child));
+    }
+    return;
+  }
+  return;
+}
+function stripPythonStringQuotes(s) {
+  const m = s.match(/^[bBrRuUfF]{0,2}(['"])(.*)\1$/s);
+  if (m)
+    return m[2];
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function classifyPythonDecorator(receiver, method, imp) {
+  if (!receiver && PY_STDLIB_DECORATORS.has(method)) {
+    return { kind: "decorator", framework: "stdlib" };
+  }
+  if (receiver) {
+    const head = receiver.split(".")[0];
+    if (head === "pytest") {
+      return { kind: "decorator", framework: "pytest" };
+    }
+    if (head === "click") {
+      return { kind: "decorator", framework: "click" };
+    }
+    if (head === "numba" || head === "nb") {
+      return { kind: "decorator", framework: "numba" };
+    }
+    if (head === "celery") {
+      return { kind: "decorator", framework: "celery" };
+    }
+  }
+  if (receiver && PY_HTTP_ROUTE_METHODS.has(method)) {
+    const isRoutey = isPyRouterReceiver(receiver);
+    if (isRoutey) {
+      let framework = "unknown";
+      if (imp.hasFlask)
+        framework = "flask";
+      else if (imp.hasFastApi)
+        framework = "fastapi";
+      else if (method === "route")
+        framework = "flask";
+      else
+        framework = "fastapi";
+      return { kind: "http_route", framework };
+    }
+  }
+  if (receiver && PY_MIDDLEWARE_METHODS.has(method)) {
+    return { kind: "middleware", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (receiver && PY_EVENT_METHODS.has(method)) {
+    return { kind: "event_listener", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (method === "task" && imp.hasCelery) {
+    return { kind: "decorator", framework: "celery" };
+  }
+  if (!receiver && (method === "login_required" || method === "require_http_methods" || method === "api_view")) {
+    return { kind: "decorator", framework: "django" };
+  }
+  return { kind: "decorator", framework: "unknown" };
+}
+function isPyRouterReceiver(receiver) {
+  const head = receiver.split(".")[0];
+  if (!head)
+    return false;
+  if (["app", "router", "blueprint", "bp", "api", "application"].includes(head))
+    return true;
+  if (/_(router|bp|blueprint|app|api)$/.test(head))
+    return true;
+  return false;
+}
 // ../circle-ir/dist/analysis/config-loader.js
 var DEFAULT_SOURCES = [
   { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
@@ -9125,6 +9603,11 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
   { method: "getLocalName", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -9622,6 +10105,8 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseClass", class: "GroovyClassLoader", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -9775,6 +10260,21 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "beginFormat", class: "HTML5ChainingRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -17880,7 +18380,7 @@ function extractEventHandlers(elementNode, eventHandlers) {
     const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
     if (!valueNode)
       continue;
-    const code = stripQuotes(valueNode.text);
+    const code = stripQuotes2(valueNode.text);
     if (code) {
       eventHandlers.push({
         code,
@@ -17913,7 +18413,7 @@ function getAttributeValue(tag, name2) {
     const nameNode = findChildByType2(child, "attribute_name");
     if (nameNode?.text.toLowerCase() === name2) {
       const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
-      return valueNode ? stripQuotes(valueNode.text) : "";
+      return valueNode ? stripQuotes2(valueNode.text) : "";
     }
   }
   return;
@@ -17926,7 +18426,7 @@ function findChildByType2(node, type) {
   }
   return null;
 }
-function stripQuotes(text) {
+function stripQuotes2(text) {
   if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
     return text.slice(1, -1);
   }
@@ -24242,7 +24742,7 @@ class SecurityHeadersPass {
 }
 function literalOf(arg) {
   if (arg.literal !== null && arg.literal !== undefined && arg.literal !== "") {
-    return stripQuotes2(arg.literal);
+    return stripQuotes3(arg.literal);
   }
   const expr = arg.expression.trim();
   if (expr.startsWith('"') && expr.endsWith('"') || expr.startsWith("'") && expr.endsWith("'") || expr.startsWith("`") && expr.endsWith("`")) {
@@ -24252,7 +24752,7 @@ function literalOf(arg) {
   }
   return null;
 }
-function stripQuotes2(s) {
+function stripQuotes3(s) {
   if (s.length < 2)
     return s;
   const first = s[0];
@@ -25716,7 +26216,9 @@ function getNodeTypesForLanguage(language) {
         "import_from_statement",
         "assignment",
         "attribute",
-        "subscript"
+        "subscript",
+        "decorated_definition",
+        "decorator"
       ]);
     case "javascript":
     case "typescript":
@@ -25808,6 +26310,7 @@ async function analyze(code, filePath, language, options = {}) {
     const exports = extractExports(types);
     const cfg = buildCFG(tree, language);
     const dfg = buildDFG(tree, nodeCache, language);
+    const runtimeRegistrations = extractRuntimeRegistrations(tree, nodeCache, language, imports);
     const graph = new CodeGraph({
       meta,
       types,
@@ -25934,7 +26437,8 @@ async function analyze(code, filePath, language, options = {}) {
       unresolved,
       enriched,
       findings: findings.length > 0 ? findings : undefined,
-      metrics: { file: filePath, metrics: metricValues }
+      metrics: { file: filePath, metrics: metricValues },
+      runtime_registrations: runtimeRegistrations.length > 0 ? runtimeRegistrations : undefined
     };
   } finally {
     disposeTree(tree);
@@ -26083,7 +26587,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.30.0";
+var version = "3.33.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.30.0",
+  "version": "3.33.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.30.0"
+    "circle-ir": "^3.33.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",