eslint-plugin-sonarjs 4.0.0 → 4.0.2

package/cjs/helpers/chai.js

@@ -3,51 +3,49 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Chai = void 0;
-const index_js_1 = require("./index.js");
+exports.isImported = isImported;
+exports.isTSAssertion = isTSAssertion;
+exports.isAssertion = isAssertion;
+const module_js_1 = require("./module.js");
+const module_ts_js_1 = require("./module-ts.js");
+const ast_js_1 = require("./ast.js");
 const typescript_1 = __importDefault(require("typescript"));
-var Chai;
-(function (Chai) {
-    function isImported(context) {
-        return ((0, index_js_1.getRequireCalls)(context).some(r => r.arguments[0].type === 'Literal' && r.arguments[0].value === 'chai') || (0, index_js_1.getImportDeclarations)(context).some(i => i.source.value === 'chai'));
+function isImported(context) {
+    return ((0, module_js_1.getRequireCalls)(context).some(r => r.arguments[0].type === 'Literal' && r.arguments[0].value === 'chai') || (0, module_js_1.getImportDeclarations)(context).some(i => i.source.value === 'chai'));
+}
+function isTSAssertion(services, node) {
+    if (node.kind !== typescript_1.default.SyntaxKind.CallExpression) {
+        return false;
     }
-    Chai.isImported = isImported;
-    function isTSAssertion(services, node) {
-        if (node.kind !== typescript_1.default.SyntaxKind.CallExpression) {
-            return false;
-        }
-        const fqn = (0, index_js_1.getFullyQualifiedNameTS)(services, node);
-        if (!fqn) {
-            return false;
-        }
-        return fqn.startsWith('chai.assert') || fqn.startsWith('chai.expect') || fqn.includes('should');
+    const fqn = (0, module_ts_js_1.getFullyQualifiedNameTS)(services, node);
+    if (!fqn) {
+        return false;
     }
-    Chai.isTSAssertion = isTSAssertion;
-    function isAssertion(context, node) {
-        return isAssertUsage(context, node) || isExpectUsage(context, node) || isShouldUsage(node);
+    return fqn.startsWith('chai.assert') || fqn.startsWith('chai.expect') || fqn.includes('should');
+}
+function isAssertion(context, node) {
+    return isAssertUsage(context, node) || isExpectUsage(context, node) || isShouldUsage(node);
+}
+function isAssertUsage(context, node) {
+    // assert(), assert.<expr>(), chai.assert(), chai.assert.<expr>()
+    const fqn = extractFQNforCallExpression(context, node);
+    if (!fqn) {
+        return false;
     }
-    Chai.isAssertion = isAssertion;
-    function isAssertUsage(context, node) {
-        // assert(), assert.<expr>(), chai.assert(), chai.assert.<expr>()
-        const fqn = extractFQNforCallExpression(context, node);
-        if (!fqn) {
-            return false;
-        }
-        const names = fqn.split('.');
-        return names[0] === 'chai' && names[1] === 'assert';
+    const names = fqn.split('.');
+    return names[0] === 'chai' && names[1] === 'assert';
+}
+function isExpectUsage(context, node) {
+    // expect(), chai.expect()
+    return extractFQNforCallExpression(context, node) === 'chai.expect';
+}
+function isShouldUsage(node) {
+    // <expr>.should.<expr>
+    return node.type === 'MemberExpression' && (0, ast_js_1.isIdentifier)(node.property, 'should');
+}
+function extractFQNforCallExpression(context, node) {
+    if (node.type !== 'CallExpression') {
+        return undefined;
     }
-    function isExpectUsage(context, node) {
-        // expect(), chai.expect()
-        return extractFQNforCallExpression(context, node) === 'chai.expect';
-    }
-    function isShouldUsage(node) {
-        // <expr>.should.<expr>
-        return node.type === 'MemberExpression' && (0, index_js_1.isIdentifier)(node.property, 'should');
-    }
-    function extractFQNforCallExpression(context, node) {
-        if (node.type !== 'CallExpression') {
-            return undefined;
-        }
-        return (0, index_js_1.getFullyQualifiedName)(context, node);
-    }
-})(Chai || (exports.Chai = Chai = {}));
+    return (0, module_js_1.getFullyQualifiedName)(context, node);
+}

package/cjs/helpers/configs.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.defaultOptions = defaultOptions;
+exports.applyTransformations = applyTransformations;
 function defaultOptions(configuration) {
     return configuration?.map(element => {
         if (Array.isArray(element)) {
@@ -11,3 +12,94 @@ function defaultOptions(configuration) {
         }
     });
 }
+/**
+ * Applies `customForConfiguration` transformations to merged configuration values.
+ *
+ * When SonarQube sends rule parameters, the values may not match what the underlying
+ * ESLint rule expects. For example, S1441 (quotes) exposes a boolean `singleQuotes`
+ * property in SonarQube, but the ESLint rule expects the string `"single"` or `"double"`.
+ * The `customForConfiguration` function on a field definition bridges this gap.
+ *
+ * This function walks the `mergedValues` array (the result of merging default options
+ * with user-provided configurations) and applies any `customForConfiguration` transform
+ * found in the corresponding `fields` element. It handles both configuration patterns:
+ *
+ * - **Primitive elements** (e.g., S1441's boolean → string mapping): the transform is
+ *   called directly on the merged value.
+ * - **Object elements** (e.g., S6418's `randomnessSensibility` string → number): each
+ *   named property within the object is checked individually, and only properties that
+ *   define `customForConfiguration` are transformed.
+ *
+ * Values without a corresponding field definition or without `customForConfiguration`
+ * are passed through unchanged.
+ *
+ * @param fields - The rule's field definitions from its `config.ts` (may contain transforms)
+ * @param mergedValues - The merged configuration array (defaults + user overrides)
+ * @returns A new array with transformed values ready to pass to the ESLint rule
+ *
+ * @example
+ * // S1441: primitive transform (boolean → string)
+ * // fields[0] has customForConfiguration: (v) => v ? 'single' : 'double'
+ * applyTransformations(fields, [true, {avoidEscape: true}])
+ * // → ['single', {avoidEscape: true}]
+ *
+ * @example
+ * // S6418: object property transform (string → number)
+ * // fields[0][1] has customForConfiguration: (v) => Number(v)
+ * applyTransformations(fields, [{secretWords: 'api_key', randomnessSensibility: '5.0'}])
+ * // → [{secretWords: 'api_key', randomnessSensibility: 5}]
+ */
+function applyTransformations(fields, mergedValues) {
+    if (!fields || !mergedValues) {
+        return mergedValues ?? [];
+    }
+    // Walk mergedValues in parallel with fields. Each position in the array
+    // corresponds to one element in the rule's config.ts `fields` definition.
+    // For example, S1441 fields = [primitive, object]:
+    //   mergedValues[0] = true          → fields[0] = { default: 'single', customForConfiguration: ... }
+    //   mergedValues[1] = {avoidEscape} → fields[1] = [{field: 'avoidEscape', ...}, ...]
+    return mergedValues.map((mergedConfigEntry, index) => {
+        // Extra values beyond what fields defines (shouldn't happen, but safe to pass through)
+        if (index >= fields.length) {
+            return mergedConfigEntry;
+        }
+        const fieldDefinition = fields[index];
+        if (Array.isArray(fieldDefinition)) {
+            // ── Object config element ──
+            // fieldDefinition is an array of named properties: [{field, default, ...}, ...]
+            // mergedConfigEntry is an object: { fieldName: value, ... }
+            //
+            // Example — S6418 fields = [[ {field: 'secretWords', ...}, {field: 'randomnessSensibility', customForConfiguration: (v) => Number(v)} ]]
+            // mergedConfigEntry = { secretWords: 'api_key', randomnessSensibility: '5.0' }
+            // After transform: { secretWords: 'api_key', randomnessSensibility: 5 }
+            if (mergedConfigEntry &&
+                typeof mergedConfigEntry === 'object' &&
+                !Array.isArray(mergedConfigEntry)) {
+                const transformedEntry = { ...mergedConfigEntry };
+                for (const propertyDef of fieldDefinition) {
+                    // Only transform properties that define customForConfiguration and are present in the object
+                    if ('customForConfiguration' in propertyDef &&
+                        typeof propertyDef.customForConfiguration === 'function' &&
+                        propertyDef.field in transformedEntry) {
+                        transformedEntry[propertyDef.field] = propertyDef.customForConfiguration(transformedEntry[propertyDef.field]);
+                    }
+                }
+                return transformedEntry;
+            }
+        }
+        else if ('customForConfiguration' in fieldDefinition &&
+            typeof fieldDefinition.customForConfiguration === 'function') {
+            // ── Primitive config element with a transform ──
+            // fieldDefinition is a single property: { default, customForConfiguration, ... }
+            // mergedConfigEntry is a scalar value (string, number, boolean)
+            //
+            // Example — S1441 fieldDefinition = { default: 'single', customDefault: true, customForConfiguration: (v) => v ? 'single' : 'double' }
+            // mergedConfigEntry = true (boolean from SQ)
+            // After transform: 'single' (string expected by ESLint quotes rule)
+            return fieldDefinition.customForConfiguration(mergedConfigEntry);
+        }
+        // No transform defined for this element — pass through unchanged.
+        // This is the common case for most rules (e.g., S134 threshold, S100 format pattern).
+        return mergedConfigEntry;
+    });
+}

package/cjs/helpers/cookie-flag-check.js

@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CookieFlagCheck = void 0;
-const index_js_1 = require("./index.js");
+const location_js_1 = require("./location.js");
+const ast_js_1 = require("./ast.js");
+const module_js_1 = require("./module.js");
 class CookieFlagCheck {
     constructor(context, flag) {
         this.context = context;
@@ -13,7 +15,7 @@ class CookieFlagCheck {
         this.checkSensitiveCookieArgument(callExpression, 0);
     }
     checkCookiesMethodCall(callExpression) {
-        if (!(0, index_js_1.isIdentifier)(callExpression.callee.property, 'set')) {
+        if (!(0, ast_js_1.isIdentifier)(callExpression.callee.property, 'set')) {
             return;
         }
         // Sensitive argument is third argument for "cookies.set" calls
@@ -25,12 +27,12 @@ class CookieFlagCheck {
         if (cookieProperty) {
             // csurf cookie property can be passed as a boolean literal,
             // in which case neither "secure" nor "httponly" are enabled by default
-            const cookiePropertyLiteral = (0, index_js_1.getValueOfExpression)(this.context, cookieProperty.value, 'Literal');
+            const cookiePropertyLiteral = (0, ast_js_1.getValueOfExpression)(this.context, cookieProperty.value, 'Literal');
             if (cookiePropertyLiteral?.value === true) {
-                (0, index_js_1.report)(this.context, {
+                (0, location_js_1.report)(this.context, {
                     node: callExpression.callee,
                     message: this.issueMessage,
-                }, [(0, index_js_1.toSecondaryLocation)(cookiePropertyLiteral)]);
+                }, [(0, location_js_1.toSecondaryLocation)(cookiePropertyLiteral)]);
             }
         }
     }
@@ -43,7 +45,7 @@ class CookieFlagCheck {
             return;
         }
         const sensitiveArgument = callExpression.arguments[sensitiveArgumentIndex];
-        const cookieObjectExpression = (0, index_js_1.getValueOfExpression)(this.context, sensitiveArgument, 'ObjectExpression');
+        const cookieObjectExpression = (0, ast_js_1.getValueOfExpression)(this.context, sensitiveArgument, 'ObjectExpression');
         if (!cookieObjectExpression) {
             return;
         }
@@ -54,15 +56,15 @@ class CookieFlagCheck {
             return;
         }
         const firstArgument = callExpression.arguments[argumentIndex];
-        const objectExpression = (0, index_js_1.getValueOfExpression)(this.context, firstArgument, 'ObjectExpression');
+        const objectExpression = (0, ast_js_1.getValueOfExpression)(this.context, firstArgument, 'ObjectExpression');
         if (!objectExpression) {
             return;
         }
-        const cookieProperty = (0, index_js_1.getProperty)(objectExpression, 'cookie', this.context);
+        const cookieProperty = (0, ast_js_1.getProperty)(objectExpression, 'cookie', this.context);
         if (!cookieProperty) {
             return;
         }
-        const cookiePropertyValue = (0, index_js_1.getValueOfExpression)(this.context, cookieProperty.value, 'ObjectExpression');
+        const cookiePropertyValue = (0, ast_js_1.getValueOfExpression)(this.context, cookieProperty.value, 'ObjectExpression');
         if (cookiePropertyValue) {
             this.checkFlagOnCookieExpression(cookiePropertyValue, firstArgument, objectExpression, callExpression);
             return;
@@ -70,15 +72,15 @@ class CookieFlagCheck {
         return cookieProperty;
     }
     checkFlagOnCookieExpression(cookiePropertyValue, firstArgument, objectExpression, callExpression) {
-        const flagProperty = (0, index_js_1.getProperty)(cookiePropertyValue, this.flag, this.context);
+        const flagProperty = (0, ast_js_1.getProperty)(cookiePropertyValue, this.flag, this.context);
         if (flagProperty) {
-            const flagPropertyValue = (0, index_js_1.getValueOfExpression)(this.context, flagProperty.value, 'Literal');
+            const flagPropertyValue = (0, ast_js_1.getValueOfExpression)(this.context, flagProperty.value, 'Literal');
             if (flagPropertyValue?.value === false) {
-                const secondaryLocations = [(0, index_js_1.toSecondaryLocation)(flagPropertyValue)];
+                const secondaryLocations = [(0, location_js_1.toSecondaryLocation)(flagPropertyValue)];
                 if (firstArgument !== objectExpression) {
-                    secondaryLocations.push((0, index_js_1.toSecondaryLocation)(objectExpression));
+                    secondaryLocations.push((0, location_js_1.toSecondaryLocation)(objectExpression));
                 }
-                (0, index_js_1.report)(this.context, {
+                (0, location_js_1.report)(this.context, {
                     node: callExpression.callee,
                     message: this.issueMessage,
                 }, secondaryLocations);
@@ -88,7 +90,7 @@ class CookieFlagCheck {
     checkCookiesFromCallExpression(node) {
         const callExpression = node;
         const { callee } = callExpression;
-        const fqn = (0, index_js_1.getFullyQualifiedName)(this.context, callee);
+        const fqn = (0, module_js_1.getFullyQualifiedName)(this.context, callee);
         if (fqn === 'cookie-session') {
             this.checkCookieSession(callExpression);
             return;
@@ -102,8 +104,8 @@ class CookieFlagCheck {
             return;
         }
         if (callee.type === 'MemberExpression') {
-            const objectValue = (0, index_js_1.getValueOfExpression)(this.context, callee.object, 'NewExpression');
-            if (objectValue && (0, index_js_1.getFullyQualifiedName)(this.context, objectValue.callee) === 'cookies') {
+            const objectValue = (0, ast_js_1.getValueOfExpression)(this.context, callee.object, 'NewExpression');
+            if (objectValue && (0, module_js_1.getFullyQualifiedName)(this.context, objectValue.callee) === 'cookies') {
                 this.checkCookiesMethodCall(callExpression);
             }
         }

package/cjs/helpers/{decorators/index.js → entropy.js}

@@ -1,19 +1,4 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
 /*
  * SonarQube JavaScript Plugin
  * Copyright (C) 2011-2025 SonarSource Sàrl
@@ -30,5 +15,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * You should have received a copy of the Sonar Source-Available License
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
-__exportStar(require("./interceptor.js"), exports);
-__exportStar(require("./merger.js"), exports);
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shannonEntropy = shannonEntropy;
+function shannonEntropy(str) {
+    if (!str) {
+        return 0;
+    }
+    const len = str.length;
+    const occurrences = {};
+    for (const ch of str) {
+        occurrences[ch] = (occurrences[ch] ?? 0) + 1;
+    }
+    return (Object.values(occurrences)
+        .map(count => count / len)
+        .map(freq => -freq * Math.log(freq))
+        .reduce((acc, e) => acc + e, 0) / Math.log(2));
+}

package/cjs/helpers/express.js

@@ -1,144 +1,143 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Express = void 0;
-const index_js_1 = require("./index.js");
+exports.attemptFindAppInstantiation = attemptFindAppInstantiation;
+exports.attemptFindAppInjection = attemptFindAppInjection;
+exports.isUsingMiddleware = isUsingMiddleware;
+exports.isMiddlewareInstance = isMiddlewareInstance;
+exports.SensitiveMiddlewarePropertyRule = SensitiveMiddlewarePropertyRule;
+const module_js_1 = require("./module.js");
+const ast_js_1 = require("./ast.js");
+const ancestor_js_1 = require("./ancestor.js");
+const location_js_1 = require("./location.js");
 /**
  * This modules provides utilities for writing rules about Express.js.
  */
-var Express;
-(function (Express) {
-    const EXPRESS = 'express';
-    /**
-     * Checks whether the declaration looks somewhat like `<id> = express()`
-     * and returns `<id>` if it matches.
-     */
-    function attemptFindAppInstantiation(varDecl, context) {
-        const rhs = varDecl.init;
-        if (rhs?.type === 'CallExpression' && (0, index_js_1.getFullyQualifiedName)(context, rhs) === EXPRESS) {
-            const pattern = varDecl.id;
-            return pattern.type === 'Identifier' ? pattern : undefined;
-        }
-        return undefined;
+const EXPRESS = 'express';
+/**
+ * Checks whether the declaration looks somewhat like `<id> = express()`
+ * and returns `<id>` if it matches.
+ */
+function attemptFindAppInstantiation(varDecl, context) {
+    const rhs = varDecl.init;
+    if (rhs?.type === 'CallExpression' && (0, module_js_1.getFullyQualifiedName)(context, rhs) === EXPRESS) {
+        const pattern = varDecl.id;
+        return pattern.type === 'Identifier' ? pattern : undefined;
     }
-    Express.attemptFindAppInstantiation = attemptFindAppInstantiation;
-    /**
-     * Checks whether the function injects an instantiated app and is exported like `module.exports = function(app) {}`
-     * or `module.exports.property = function(app) {}`, and returns app if it matches.
-     */
-    function attemptFindAppInjection(functionDef, context, node) {
-        const app = functionDef.params.find(param => param.type === 'Identifier' && param.name === 'app');
-        if (app) {
-            const parent = (0, index_js_1.getParent)(context, node);
-            if (parent?.type === 'AssignmentExpression') {
-                const { left } = parent;
-                if (left.type === 'MemberExpression' &&
-                    ((0, index_js_1.isModuleExports)(left) || (0, index_js_1.isModuleExports)(left.object))) {
-                    return app;
-                }
+    return undefined;
+}
+/**
+ * Checks whether the function injects an instantiated app and is exported like `module.exports = function(app) {}`
+ * or `module.exports.property = function(app) {}`, and returns app if it matches.
+ */
+function attemptFindAppInjection(functionDef, context, node) {
+    const app = functionDef.params.find(param => param.type === 'Identifier' && param.name === 'app');
+    if (app) {
+        const parent = (0, ancestor_js_1.getParent)(context, node);
+        if (parent?.type === 'AssignmentExpression') {
+            const { left } = parent;
+            if (left.type === 'MemberExpression' &&
+                ((0, ast_js_1.isModuleExports)(left) || (0, ast_js_1.isModuleExports)(left.object))) {
+                return app;
             }
         }
-        return undefined;
     }
-    Express.attemptFindAppInjection = attemptFindAppInjection;
-    /**
-     * Checks whether the expression looks somewhat like `app.use(m1, [m2, m3], ..., mN)`,
-     * where one of `mK`-nodes satisfies the given predicate.
-     */
-    function isUsingMiddleware(context, callExpression, app, middlewareNodePredicate) {
-        if ((0, index_js_1.isMethodInvocation)(callExpression, app.name, 'use', 1)) {
-            const flattenedArgs = (0, index_js_1.flattenArgs)(context, callExpression.arguments);
-            return flattenedArgs.some(middlewareNodePredicate);
-        }
-        return false;
+    return undefined;
+}
+/**
+ * Checks whether the expression looks somewhat like `app.use(m1, [m2, m3], ..., mN)`,
+ * where one of `mK`-nodes satisfies the given predicate.
+ */
+function isUsingMiddleware(context, callExpression, app, middlewareNodePredicate) {
+    if ((0, ast_js_1.isMethodInvocation)(callExpression, app.name, 'use', 1)) {
+        const flattenedArgs = (0, ast_js_1.flattenArgs)(context, callExpression.arguments);
+        return flattenedArgs.some(middlewareNodePredicate);
     }
-    Express.isUsingMiddleware = isUsingMiddleware;
-    /**
-     * Checks whether a node looks somewhat like `require('m')()` for
-     * some middleware `m` from the list of middlewares.
-     */
-    function isMiddlewareInstance(context, middlewares, n) {
-        if (n.type === 'CallExpression') {
-            const fqn = (0, index_js_1.getFullyQualifiedName)(context, n);
-            return fqn !== null && middlewares.includes(fqn);
-        }
-        return false;
+    return false;
+}
+/**
+ * Checks whether a node looks somewhat like `require('m')()` for
+ * some middleware `m` from the list of middlewares.
+ */
+function isMiddlewareInstance(context, middlewares, n) {
+    if (n.type === 'CallExpression') {
+        const fqn = (0, module_js_1.getFullyQualifiedName)(context, n);
+        return fqn !== null && middlewares.includes(fqn);
     }
-    Express.isMiddlewareInstance = isMiddlewareInstance;
-    /**
-     * Rule factory for detecting sensitive settings that are passed to
-     * middlewares eventually used by Express.js applications:
-     *
-     * app.use(
-     *   middleware(settings)
-     * )
-     *
-     * or
-     *
-     * app.use(
-     *   middleware.method(settings)
-     * )
-     *
-     * @param sensitivePropertyFinder - a function looking for a sensitive setting on a middleware call
-     * @param message - the reported message when an issue is raised
-     * @param meta - the rule metadata
-     * @returns a rule module that raises issues when a sensitive property is found
-     */
-    function SensitiveMiddlewarePropertyRule(sensitivePropertyFinder, message, meta = {}) {
-        return {
-            meta,
-            create(context) {
-                let app;
-                let sensitiveProperties;
-                function isExposing(middlewareNode) {
-                    return Boolean(sensitiveProperties.push(...findSensitiveProperty(middlewareNode)));
-                }
-                function findSensitiveProperty(middlewareNode) {
-                    if (middlewareNode.type === 'CallExpression') {
-                        return sensitivePropertyFinder(context, middlewareNode);
-                    }
-                    return [];
+    return false;
+}
+/**
+ * Rule factory for detecting sensitive settings that are passed to
+ * middlewares eventually used by Express.js applications:
+ *
+ * app.use(
+ *   middleware(settings)
+ * )
+ *
+ * or
+ *
+ * app.use(
+ *   middleware.method(settings)
+ * )
+ *
+ * @param sensitivePropertyFinder - a function looking for a sensitive setting on a middleware call
+ * @param message - the reported message when an issue is raised
+ * @param meta - the rule metadata
+ * @returns a rule module that raises issues when a sensitive property is found
+ */
+function SensitiveMiddlewarePropertyRule(sensitivePropertyFinder, message, meta = {}) {
+    return {
+        meta,
+        create(context) {
+            let app;
+            let sensitiveProperties;
+            function isExposing(middlewareNode) {
+                return Boolean(sensitiveProperties.push(...findSensitiveProperty(middlewareNode)));
+            }
+            function findSensitiveProperty(middlewareNode) {
+                if (middlewareNode.type === 'CallExpression') {
+                    return sensitivePropertyFinder(context, middlewareNode);
                 }
-                return {
-                    Program: () => {
-                        app = null;
-                        sensitiveProperties = [];
-                    },
-                    CallExpression: (node) => {
-                        if (app) {
-                            const callExpr = node;
-                            const isSafe = !isUsingMiddleware(context, callExpr, app, isExposing);
-                            if (!isSafe) {
-                                for (const sensitive of sensitiveProperties) {
-                                    (0, index_js_1.report)(context, {
-                                        node: callExpr,
-                                        message,
-                                    }, [(0, index_js_1.toSecondaryLocation)(sensitive)]);
-                                }
-                                sensitiveProperties = [];
+                return [];
+            }
+            return {
+                Program: () => {
+                    app = null;
+                    sensitiveProperties = [];
+                },
+                CallExpression: (node) => {
+                    if (app) {
+                        const callExpr = node;
+                        const isSafe = !isUsingMiddleware(context, callExpr, app, isExposing);
+                        if (!isSafe) {
+                            for (const sensitive of sensitiveProperties) {
+                                (0, location_js_1.report)(context, {
+                                    node: callExpr,
+                                    message,
+                                }, [(0, location_js_1.toSecondaryLocation)(sensitive)]);
                             }
+                            sensitiveProperties = [];
                         }
-                    },
-                    VariableDeclarator: (node) => {
-                        if (!app) {
-                            const varDecl = node;
-                            const instantiatedApp = attemptFindAppInstantiation(varDecl, context);
-                            if (instantiatedApp) {
-                                app = instantiatedApp;
-                            }
+                    }
+                },
+                VariableDeclarator: (node) => {
+                    if (!app) {
+                        const varDecl = node;
+                        const instantiatedApp = attemptFindAppInstantiation(varDecl, context);
+                        if (instantiatedApp) {
+                            app = instantiatedApp;
                         }
-                    },
-                    ':function': (node) => {
-                        if (!app) {
-                            const functionDef = node;
-                            const injectedApp = attemptFindAppInjection(functionDef, context, node);
-                            if (injectedApp) {
-                                app = injectedApp;
-                            }
+                    }
+                },
+                ':function': (node) => {
+                    if (!app) {
+                        const functionDef = node;
+                        const injectedApp = attemptFindAppInjection(functionDef, context, node);
+                        if (injectedApp) {
+                            app = injectedApp;
                         }
-                    },
-                };
-            },
-        };
-    }
-    Express.SensitiveMiddlewarePropertyRule = SensitiveMiddlewarePropertyRule;
-})(Express || (exports.Express = Express = {}));
+                    }
+                },
+            };
+        },
+    };
+}

package/cjs/helpers/find-up/all-in-parent-dirs.js

@@ -4,22 +4,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.patternInParentsCache = void 0;
-/*
- * SonarQube JavaScript Plugin
- * Copyright (C) 2011-2025 SonarSource Sàrl
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- * See the Sonar Source-Available License for more details.
- *
- * You should have received a copy of the Sonar Source-Available License
- * along with this program; if not, see https://sonarsource.com/license/ssal/
- */
 const find_minimatch_js_1 = require("./find-minimatch.js");
 const files_js_1 = require("../files.js");
 const cache_js_1 = require("../cache.js");