fallow 2.91.0 → 2.93.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -12,7 +12,7 @@ Fallow turns a JS/TS repository into a trusted quality report: health score, cha
12
12
 
13
13
  It helps you answer: what changed, what got riskier, what should be reviewed, what should be refactored, and what can be safely removed. No AI inside the analyzer. Fallow produces deterministic findings, typed output contracts, and traceable explanations that downstream tools can trust.
14
14
 
15
- Static analysis is free and open source. An optional paid runtime layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 97 framework plugins, 5-41x faster than [knip](https://knip.dev) v5 (2-18x faster than knip v6), 8-29x faster than [jscpd](https://github.com/kucherenko/jscpd) for duplication detection, with no Node.js runtime dependency for analysis.
15
+ Static analysis is free and open source. An optional paid runtime layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 122 framework plugins, 5-18x faster than [knip](https://knip.dev) v5 (2.7-9x faster than knip v6), 8-29x faster than [jscpd](https://github.com/kucherenko/jscpd) for duplication detection, with no Node.js runtime dependency for analysis.
16
16
 
17
17
  ## Installation
18
18
 
@@ -90,7 +90,7 @@ Every issue in `--format json` carries a machine-actionable `actions` array with
90
90
 
91
91
  ## Framework support
92
92
 
93
- 97 built-in plugins covering Next.js, Nuxt, Remix, Qwik, SvelteKit, Gatsby, Astro, Angular, NestJS, AdonisJS, Ember, Expo Router, Vite, Webpack, Vitest, Jest, Playwright, Cypress, Storybook, ESLint, TypeScript, Tailwind, UnoCSS, Prisma, Drizzle, Convex, Turborepo, Hardhat, and many more. Auto-detected from your `package.json`.
93
+ 122 built-in plugins covering Next.js, Nuxt, Remix, Qwik, SvelteKit, Gatsby, Astro, Angular, NestJS, AdonisJS, Ember, Expo Router, Vite, Webpack, Vitest, Jest, Playwright, Cypress, Storybook, ESLint, TypeScript, Tailwind, UnoCSS, Prisma, Drizzle, Convex, Turborepo, Hardhat, and many more. Auto-detected from your `package.json`.
94
94
 
95
95
  ## Configuration
96
96
 
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "fallow",
3
- "version": "2.91.0",
4
- "description": "Deterministic codebase intelligence for TypeScript and JavaScript. Quality, risk, architecture, dependencies, duplication, and safe cleanup evidence for humans, CI, and agents. Optional runtime intelligence layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 96 framework plugins.",
3
+ "version": "2.93.0",
4
+ "description": "Deterministic codebase intelligence for TypeScript and JavaScript. Quality, risk, architecture, dependencies, duplication, and safe cleanup evidence for humans, CI, and agents. Optional runtime intelligence layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, zero-config framework support.",
5
5
  "license": "MIT",
6
6
  "repository": {
7
7
  "type": "git",
@@ -83,13 +83,13 @@
83
83
  "@tanstack/intent": "0.0.41"
84
84
  },
85
85
  "optionalDependencies": {
86
- "@fallow-cli/darwin-arm64": "2.91.0",
87
- "@fallow-cli/darwin-x64": "2.91.0",
88
- "@fallow-cli/linux-x64-gnu": "2.91.0",
89
- "@fallow-cli/linux-arm64-gnu": "2.91.0",
90
- "@fallow-cli/linux-x64-musl": "2.91.0",
91
- "@fallow-cli/linux-arm64-musl": "2.91.0",
92
- "@fallow-cli/win32-arm64-msvc": "2.91.0",
93
- "@fallow-cli/win32-x64-msvc": "2.91.0"
86
+ "@fallow-cli/darwin-arm64": "2.93.0",
87
+ "@fallow-cli/darwin-x64": "2.93.0",
88
+ "@fallow-cli/linux-x64-gnu": "2.93.0",
89
+ "@fallow-cli/linux-arm64-gnu": "2.93.0",
90
+ "@fallow-cli/linux-x64-musl": "2.93.0",
91
+ "@fallow-cli/linux-arm64-musl": "2.93.0",
92
+ "@fallow-cli/win32-arm64-msvc": "2.93.0",
93
+ "@fallow-cli/win32-x64-msvc": "2.93.0"
94
94
  }
95
95
  }
package/schema.json CHANGED
@@ -169,7 +169,8 @@
169
169
  "unused-dependency-overrides": "warn",
170
170
  "misconfigured-dependency-overrides": "error",
171
171
  "security-client-server-leak": "off",
172
- "security-sink": "off"
172
+ "security-sink": "off",
173
+ "policy-violation": "warn"
173
174
  }
174
175
  },
175
176
  "boundaries": {
@@ -212,6 +213,13 @@
212
213
  },
213
214
  "default": []
214
215
  },
216
+ "rulePacks": {
217
+ "description": "Paths to declarative rule-pack files (JSON or JSONC), relative to the\nproject root. Each pack declares `banned-call` / `banned-import` rules\nthat report as `policy-violation` findings. Packs are pure data: no\nproject code is executed. Invalid or missing packs fail config load.",
218
+ "type": "array",
219
+ "items": {
220
+ "type": "string"
221
+ }
222
+ },
215
223
  "dynamicallyLoaded": {
216
224
  "type": "array",
217
225
  "items": {
@@ -992,6 +1000,11 @@
992
1000
  "description": "Opt-in (default off): a syntactic tainted-sink candidate matched against\nthe data-driven catalogue (`security_matchers.toml`). ONE knob gates ALL\ncatalogue categories. Surfaced only by `fallow security`; never under\nbare `fallow` or the `audit` gate.",
993
1001
  "$ref": "#/$defs/Severity",
994
1002
  "default": "off"
1003
+ },
1004
+ "policy-violation": {
1005
+ "description": "Master severity for rule-pack findings (`rulePacks` config). Defaults\nto `warn` so enabling a brand-new policy pack never hard-fails CI on\nits first run; individual pack rules opt up via `\"severity\": \"error\"`.\n`off` is a kill switch that disables the whole evaluator (per-rule\nseverity cannot resurrect it).",
1006
+ "$ref": "#/$defs/Severity",
1007
+ "default": "warn"
995
1008
  }
996
1009
  }
997
1010
  },
@@ -1045,6 +1058,14 @@
1045
1058
  "$ref": "#/$defs/BoundaryRule"
1046
1059
  },
1047
1060
  "default": []
1061
+ },
1062
+ "coverage": {
1063
+ "description": "Optional policy for files that match no zone.",
1064
+ "$ref": "#/$defs/BoundaryCoverageConfig"
1065
+ },
1066
+ "calls": {
1067
+ "description": "Optional forbidden-call policy for zoned files.",
1068
+ "$ref": "#/$defs/BoundaryCallsConfig"
1048
1069
  }
1049
1070
  }
1050
1071
  },
@@ -1135,6 +1156,70 @@
1135
1156
  "from"
1136
1157
  ]
1137
1158
  },
1159
+ "BoundaryCoverageConfig": {
1160
+ "description": "Boundary zone coverage policy.",
1161
+ "type": "object",
1162
+ "properties": {
1163
+ "requireAllFiles": {
1164
+ "description": "Report source files that do not match any boundary zone.",
1165
+ "type": "boolean"
1166
+ },
1167
+ "allowUnmatched": {
1168
+ "description": "Glob patterns for files that may remain unmatched by any zone.",
1169
+ "type": "array",
1170
+ "items": {
1171
+ "type": "string"
1172
+ }
1173
+ }
1174
+ }
1175
+ },
1176
+ "BoundaryCallsConfig": {
1177
+ "description": "Boundary forbidden-call policy. Applies only to files classified into a\nzone; unzoned files are unrestricted, matching the import rules.",
1178
+ "type": "object",
1179
+ "properties": {
1180
+ "forbidden": {
1181
+ "description": "Callee patterns that files in a zone may not call.",
1182
+ "type": "array",
1183
+ "items": {
1184
+ "$ref": "#/$defs/ForbiddenCallRule"
1185
+ }
1186
+ }
1187
+ }
1188
+ },
1189
+ "ForbiddenCallRule": {
1190
+ "description": "One forbidden-call entry: files in zone `from` may not call callees\nmatching `callee`.",
1191
+ "type": "object",
1192
+ "properties": {
1193
+ "from": {
1194
+ "description": "Zone whose files may not make matching calls.",
1195
+ "type": "string"
1196
+ },
1197
+ "callee": {
1198
+ "description": "Forbidden callee pattern(s). Matching is segment-aware, not substring:\n`child_process.*` matches `child_process.exec` (and named imports from\n`child_process` / `node:child_process`), `fetch` matches only `fetch`,\nand a leading `*.` suffix-matches any object (`*.innerHTML`).",
1199
+ "$ref": "#/$defs/ForbiddenCallee"
1200
+ }
1201
+ },
1202
+ "required": [
1203
+ "from",
1204
+ "callee"
1205
+ ]
1206
+ },
1207
+ "ForbiddenCallee": {
1208
+ "description": "One callee pattern or a list of patterns for a single `from` zone.",
1209
+ "anyOf": [
1210
+ {
1211
+ "description": "A single callee pattern.",
1212
+ "type": "string"
1213
+ },
1214
+ {
1215
+ "description": "Multiple callee patterns sharing the same `from` zone.",
1216
+ "type": "array",
1217
+ "items": {
1218
+ "type": "string"
1219
+ }
1220
+ }
1221
+ ]
1222
+ },
1138
1223
  "FlagsConfig": {
1139
1224
  "description": "Feature flag detection configuration.\n\nControls which patterns fallow uses to detect feature flags in source code.\nConfigured via the `flags` section in `.fallowrc.json`, `.fallowrc.jsonc`, `fallow.toml`, or `.fallow.toml`.\n\n# Examples\n\n```json\n{\n \"flags\": {\n \"sdkPatterns\": [\n { \"function\": \"useFlag\", \"nameArg\": 0, \"provider\": \"LaunchDarkly\" }\n ],\n \"envPrefixes\": [\"FEATURE_\", \"NEXT_PUBLIC_ENABLE_\"],\n \"configObjectHeuristics\": false\n }\n}\n```",
1140
1225
  "type": "object",
@@ -1188,7 +1273,7 @@
1188
1273
  ]
1189
1274
  },
1190
1275
  "SecurityConfig": {
1191
- "description": "Scopes the security categories used by `fallow security`. An absent block\nadmits every catalogue category. `hardcoded-secret` is include-required and\nonly runs when explicitly listed in `security.categories.include`.",
1276
+ "description": "Scopes `fallow security` catalogue behavior. An absent category block admits\nevery catalogue category. `hardcoded-secret` is include-required and only\nruns when explicitly listed in `security.categories.include`.",
1192
1277
  "type": "object",
1193
1278
  "properties": {
1194
1279
  "categories": {
@@ -1201,6 +1286,13 @@
1201
1286
  "type": "null"
1202
1287
  }
1203
1288
  ]
1289
+ },
1290
+ "requestReceivers": {
1291
+ "description": "Additional project-local names for HTTP request objects. These names\nextend the built-in receiver allowlist for `*.query`, `*.params`, and\n`*.body` source patterns. They do not replace the built-ins and do not\ngate `*.searchParams`, which intentionally stays ungated.",
1292
+ "type": "array",
1293
+ "items": {
1294
+ "type": "string"
1295
+ }
1204
1296
  }
1205
1297
  },
1206
1298
  "additionalProperties": false
@@ -1593,6 +1685,16 @@
1593
1685
  "type": "null"
1594
1686
  }
1595
1687
  ]
1688
+ },
1689
+ "policy-violation": {
1690
+ "anyOf": [
1691
+ {
1692
+ "$ref": "#/$defs/Severity"
1693
+ },
1694
+ {
1695
+ "type": "null"
1696
+ }
1697
+ ]
1596
1698
  }
1597
1699
  }
1598
1700
  },
@@ -1715,6 +1817,24 @@
1715
1817
  "format": "uint",
1716
1818
  "minimum": 0,
1717
1819
  "default": 0
1820
+ },
1821
+ "boundaryCoverageViolations": {
1822
+ "type": "integer",
1823
+ "format": "uint",
1824
+ "minimum": 0,
1825
+ "default": 0
1826
+ },
1827
+ "boundaryCallViolations": {
1828
+ "type": "integer",
1829
+ "format": "uint",
1830
+ "minimum": 0,
1831
+ "default": 0
1832
+ },
1833
+ "policyViolations": {
1834
+ "type": "integer",
1835
+ "format": "uint",
1836
+ "minimum": 0,
1837
+ "default": 0
1718
1838
  }
1719
1839
  }
1720
1840
  },