npm - oxlint-plugin-react-doctor - Versions diffs - 0.5.4 → 0.5.5-dev.bac7c82 - Mend

oxlint-plugin-react-doctor 0.5.4 → 0.5.5-dev.bac7c82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -323,9 +323,18 @@ const BROWSER_ARTIFACT_PATH_PATTERNS = [
 const AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN = /\b(?:exec|execSync|spawn|child_process|eval|new Function|vm\.run|readFile|writeFile|fs\.read|fs\.write|fetch|axios|http\.request|sandbox|runCode|executeCode)\b/;
 //#endregion
 //#region src/plugin/rules/security-scan/utils/is-browser-artifact-path.ts
-const isServerOnlyBuildArtifactPath = (relativePath) => /(?:^|\/)(?:\.next\/server|\.output\/server)\//.test(relativePath);
+const SERVER_BUILD_ROOT_SEGMENTS = new Set([".next", ".output"]);
+const isNonShippedBuildArtifactPath = (relativePath) => {
+	const segments = relativePath.split("/");
+	for (let index = 0; index < segments.length; index += 1) {
+		if (!SERVER_BUILD_ROOT_SEGMENTS.has(segments[index])) continue;
+		if (segments[index] === ".next" && segments[index + 1] === "dev") return true;
+		if (segments[index + 1] === "server" && index + 2 < segments.length) return true;
+	}
+	return false;
+};
 const isBrowserArtifactPath = (relativePath, isGeneratedBundle) => {
-	if (isServerOnlyBuildArtifactPath(relativePath)) return false;
+	if (isNonShippedBuildArtifactPath(relativePath)) return false;
 	if (isGeneratedBundle) return true;
 	if (relativePath.endsWith(".map")) return true;
 	return BROWSER_ARTIFACT_PATH_PATTERNS.some((pattern) => pattern.test(relativePath));
@@ -1108,6 +1117,11 @@ const getImportedNameFromModule = (contextNode, localIdentifierName, moduleSourc
 	if (info.source !== moduleSource) return null;
 	return info.imported;
 };
+const getImportSourceForName = (contextNode, localIdentifierName) => {
+	const lookup = getImportLookup(contextNode);
+	if (!lookup) return null;
+	return lookup.get(localIdentifierName)?.source ?? null;
+};
 //#endregion
 //#region src/plugin/utils/find-variable-initializer.ts
 const FUNCTION_LIKE_TYPES$1 = new Set([
@@ -12705,6 +12719,7 @@ const keyLifecycleRisk = defineRule({
 	id: "key-lifecycle-risk",
 	title: "Long-lived key material in repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove private keys from source, rotate exposed credentials, prefer short-lived deploy credentials, and document revocation/expiry for release keys.",
 	scan: scanByPattern({
 		shouldScan: (file) => !TEST_CONTEXT_PATTERN.test(file.relativePath) && !DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath),
@@ -22559,9 +22574,10 @@ const TANSTACK_ROUTE_CREATION_FUNCTIONS = new Set([
 	"createRootRouteWithContext"
 ]);
 const TANSTACK_SERVER_FN_NAMES = new Set(["createServerFn"]);
+const TANSTACK_INPUT_VALIDATOR_METHOD_NAMES = new Set(["validator", "inputValidator"]);
 const TANSTACK_MIDDLEWARE_METHOD_ORDER = [
 	"middleware",
-	"inputValidator",
+	"validator",
 	"client",
 	"server",
 	"handler"
@@ -27034,6 +27050,8 @@ const publicEnvSecretName = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/tanstack-query/query-destructure-result.ts
+const TANSTACK_QUERY_PACKAGE_PATTERN = /^@tanstack\/[\w-]*query[\w-]*$/;
+const isTanstackQuerySource = (source) => TANSTACK_QUERY_PACKAGE_PATTERN.test(source) || source === "react-query";
 const queryDestructureResult = defineRule({
 	id: "query-destructure-result",
 	title: "Whole query result subscribes to every field",
@@ -27046,6 +27064,8 @@ const queryDestructureResult = defineRule({
 		if (!node.init || !isNodeOfType(node.init, "CallExpression")) return;
 		const calleeName = isNodeOfType(node.init.callee, "Identifier") ? node.init.callee.name : null;
 		if (!calleeName || !TANSTACK_QUERY_HOOKS.has(calleeName)) return;
+		const importSource = getImportSourceForName(node, calleeName);
+		if (importSource !== null && !isTanstackQuerySource(importSource)) return;
 		context.report({
 			node: node.id,
 			message: `Destructure ${calleeName}() results instead of assigning the whole query object, so TanStack Query only subscribes to the fields you use.`
@@ -27888,6 +27908,7 @@ const repositorySecretFile = defineRule({
 	id: "repository-secret-file",
 	title: "Secret file checked into repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove committed env files, service-account credentials, npm auth tokens, and webhook URLs; rotate exposed values and keep only redacted examples in source.",
 	scan: (file) => {
 		if (!isRepositorySecretFilePath(file.relativePath)) return [];
@@ -35200,7 +35221,7 @@ const walkServerFnChain = (outerNode) => {
 	const result = {
 		isServerFnChain: false,
 		specifiedMethod: null,
-		hasInputValidator: false
+		hasInputValidation: false
 	};
 	if (!isNodeOfType(outerNode, "CallExpression")) return result;
 	if (!isNodeOfType(outerNode.callee, "MemberExpression")) return result;
@@ -35214,7 +35235,7 @@ const walkServerFnChain = (outerNode) => {
 				for (const property of optionsArgument.properties ?? []) if (isNodeOfType(property, "Property") && isNodeOfType(property.key, "Identifier") && property.key.name === "method" && isNodeOfType(property.value, "Literal") && typeof property.value.value === "string") result.specifiedMethod = property.value.value;
 			}
 		}
-		if (calleeName === "inputValidator") result.hasInputValidator = true;
+		if (calleeName && TANSTACK_INPUT_VALIDATOR_METHOD_NAMES.has(calleeName)) result.hasInputValidation = true;
 		if (isNodeOfType(currentNode.callee, "MemberExpression")) currentNode = currentNode.callee.object;
 		else break;
 	}
@@ -35768,13 +35789,14 @@ const tanstackStartRoutePropertyOrder = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/tanstack-start/tanstack-start-server-fn-method-order.ts
+const toMethodOrderToken = (methodName) => TANSTACK_INPUT_VALIDATOR_METHOD_NAMES.has(methodName) ? "validator" : methodName;
 const tanstackStartServerFnMethodOrder = defineRule({
 	id: "tanstack-start-server-fn-method-order",
 	title: "Server function method order breaks type inference",
 	tags: ["test-noise"],
 	requires: ["tanstack-start"],
 	severity: "error",
-	recommendation: "Chain methods in order: .middleware() → .inputValidator() → .client() → .server() → .handler(). Types depend on this sequence.",
+	recommendation: "Chain methods in order: .middleware() → .validator() → .client() → .server() → .handler(). Types depend on this sequence.",
 	create: (context) => ({ CallExpression(node) {
 		if (!isNodeOfType(node.callee, "MemberExpression")) return;
 		const methodNames = [];
@@ -35789,10 +35811,10 @@ const tanstackStartServerFnMethodOrder = defineRule({
 		} else return;
 		const ownMethodName = isNodeOfType(node.callee.property, "Identifier") ? node.callee.property.name : null;
 		if (methodNames[methodNames.length - 1] !== ownMethodName) return;
-		const orderSensitiveMethods = methodNames.filter((name) => TANSTACK_MIDDLEWARE_METHOD_ORDER.includes(name));
+		const orderSensitiveMethods = methodNames.filter((name) => TANSTACK_MIDDLEWARE_METHOD_ORDER.includes(toMethodOrderToken(name)));
 		let lastIndex = -1;
 		for (const methodName of orderSensitiveMethods) {
-			const currentIndex = TANSTACK_MIDDLEWARE_METHOD_ORDER.indexOf(methodName);
+			const currentIndex = TANSTACK_MIDDLEWARE_METHOD_ORDER.indexOf(toMethodOrderToken(methodName));
 			if (currentIndex < lastIndex) {
 				const expectedBefore = TANSTACK_MIDDLEWARE_METHOD_ORDER[lastIndex];
 				context.report({
@@ -35813,7 +35835,7 @@ const tanstackStartServerFnValidateInput = defineRule({
 	tags: ["test-noise"],
 	requires: ["tanstack-start"],
 	severity: "warn",
-	recommendation: "Add `.inputValidator(schema)` before `.handler()`. This data crosses the network and must be validated at runtime.",
+	recommendation: "Add `.validator(schema)` before `.handler()`. This data crosses the network and must be validated at runtime.",
 	create: (context) => ({ CallExpression(node) {
 		if (!isNodeOfType(node.callee, "MemberExpression")) return;
 		if (!isNodeOfType(node.callee.property, "Identifier")) return;
@@ -35827,9 +35849,9 @@ const tanstackStartServerFnValidateInput = defineRule({
 			if (isNodeOfType(child, "MemberExpression") && isNodeOfType(child.property, "Identifier") && child.property.name === "data") accessesData = true;
 			if (isNodeOfType(child, "ObjectPattern") && child.properties?.some((property) => isNodeOfType(property, "Property") && isNodeOfType(property.key, "Identifier") && property.key.name === "data")) accessesData = true;
 		});
-		if (accessesData && !chainInfo.hasInputValidator) context.report({
+		if (accessesData && !chainInfo.hasInputValidation) context.report({
 			node,
-			message: "This server function reads network data with no inputValidator(), so anyone can send unvalidated input."
+			message: "This server function reads network data with no validator(), so anyone can send unvalidated input."
 		});
 	} })
 });
@@ -36001,7 +36023,7 @@ const voidDomElementsNoChildren = defineRule({
 //#region src/plugin/rules/security-scan/webhook-signature-risk.ts
 const WEBHOOK_HANDLER_PATTERN = /(?:^|\/)[^/]*webhook[^/]*\/|(?:^|\/)[^/]*webhook[^/]*\.[cm]?[jt]s$|\bwebhook\b/i;
 const WEBHOOK_ENTRYPOINT_PATTERN = /\b(?:export\s+(?:async\s+)?function\s+POST|export\s+const\s+(?:POST|handler|webhook)|webhookHandler|webhookRoute)\b/i;
-const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = /verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/i;
+const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = new RegExp(`${/verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/.source}|${/\b[A-Za-z]{0,40}(?:verif|valid|check|assert|authenticat|compare|guard)[A-Za-z]{0,40}(?:secret|signature|hmac|webhook|digest)[A-Za-z]{0,40}\s*\(/.source}`, "i");
 const OUTBOUND_WEBHOOK_URL_MENTION_PATTERN = /webhook[\s_-]?ur[il]\w*/gi;
 const OUTBOUND_WEBHOOK_CONFIG_PATTERN = /process\.env\.\w*WEBHOOK_URL|\b(?:send|post|dispatch|publish|notify)\w*Webhook/;
 const REQUEST_READ_PATTERN = /\b(?:req|request)\b/;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "oxlint-plugin-react-doctor",
-  "version": "0.5.4",
+  "version": "0.5.5-dev.bac7c82",
   "description": "oxlint plugin for React Doctor: diagnose React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",