oxlint-plugin-react-doctor 0.5.6-dev.451beeb → 0.5.6-dev.5d1347e

package/dist/index.d.ts

@@ -36,7 +36,6 @@ interface ControlFlowAnalysis {
   readonly cfgFor: (functionLike: EsTreeNode) => FunctionCfg | null;
   readonly enclosingFunction: (node: EsTreeNode) => EsTreeNode | null;
   readonly isUnconditionalFromEntry: (node: EsTreeNode) => boolean;
-  readonly dominatesExit: (node: EsTreeNode) => boolean;
 }
 //#endregion
 //#region src/plugin/semantic/scope-analysis.d.ts

package/dist/index.js

@@ -890,24 +890,64 @@ const advancedEventHandlerRefs = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/security-scan/utils/strip-comments-preserving-positions.ts
-const stripCommentsPreservingPositions = (content) => {
+const WHITESPACE_PATTERN = /\s/;
+const quotedLiteralHasWhitespace = (content, openQuoteIndex, delimiter) => {
+	for (let cursor = openQuoteIndex + 1; cursor < content.length; cursor += 1) {
+		const character = content[cursor];
+		if (character === "\\") {
+			cursor += 1;
+			continue;
+		}
+		if (character === delimiter) return false;
+		if (WHITESPACE_PATTERN.test(character)) return true;
+	}
+	return false;
+};
+const blankNonCodePreservingPositions = (content, blankStringContents) => {
 	const characters = content.split("");
 	let stringDelimiter = null;
+	let isBlankingString = false;
+	const templateExpressionDepths = [];
 	let index = 0;
+	const blankUnlessNewline = (offset) => {
+		if (offset < content.length && content[offset] !== "\n") characters[offset] = " ";
+	};
 	while (index < content.length) {
 		const character = content[index];
 		const nextCharacter = content[index + 1];
 		if (stringDelimiter !== null) {
 			if (character === "\\") {
+				if (isBlankingString) {
+					blankUnlessNewline(index);
+					blankUnlessNewline(index + 1);
+				}
 				index += 2;
 				continue;
 			}
-			if (character === stringDelimiter) stringDelimiter = null;
+			if (character === stringDelimiter) {
+				stringDelimiter = null;
+				index += 1;
+				continue;
+			}
+			if (blankStringContents && stringDelimiter === "`" && character === "$" && nextCharacter === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				index += 2;
+				continue;
+			}
+			if (isBlankingString) blankUnlessNewline(index);
 			index += 1;
 			continue;
 		}
-		if (character === "\"" || character === "'" || character === "`") {
+		if (character === "\"" || character === "'") {
 			stringDelimiter = character;
+			isBlankingString = blankStringContents && quotedLiteralHasWhitespace(content, index, character);
+			index += 1;
+			continue;
+		}
+		if (character === "`") {
+			stringDelimiter = "`";
+			isBlankingString = blankStringContents;
 			index += 1;
 			continue;
 		}
@@ -926,29 +966,42 @@ const stripCommentsPreservingPositions = (content) => {
 					index += 2;
 					break;
 				}
-				if (content[index] !== "\n") characters[index] = " ";
+				blankUnlessNewline(index);
 				index += 1;
 			}
 			continue;
 		}
+		if (templateExpressionDepths.length > 0) {
+			const innermost = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[innermost] += 1;
+			else if (character === "}") if (templateExpressionDepths[innermost] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+				isBlankingString = blankStringContents;
+			} else templateExpressionDepths[innermost] -= 1;
+		}
 		index += 1;
 	}
 	return characters.join("");
 };
+const stripCommentsPreservingPositions = (content) => blankNonCodePreservingPositions(content, false);
+const stripCommentsAndStringLiteralsPreservingPositions = (content) => blankNonCodePreservingPositions(content, true);
 //#endregion
 //#region src/plugin/rules/security-scan/utils/scan-by-pattern.ts
 const strippedContentCache = /* @__PURE__ */ new WeakMap();
-const getScannableContent = (file) => {
+const stringStrippedContentCache = /* @__PURE__ */ new WeakMap();
+const getScannableContent = (file, ignoreStringLiterals = false) => {
 	if (!SOURCE_FILE_PATTERN.test(file.relativePath)) return file.content;
-	const cachedContent = strippedContentCache.get(file);
+	const cache = ignoreStringLiterals ? stringStrippedContentCache : strippedContentCache;
+	const cachedContent = cache.get(file);
 	if (cachedContent !== void 0) return cachedContent;
-	const strippedContent = stripCommentsPreservingPositions(file.content);
-	strippedContentCache.set(file, strippedContent);
+	const strippedContent = ignoreStringLiterals ? stripCommentsAndStringLiteralsPreservingPositions(file.content) : stripCommentsPreservingPositions(file.content);
+	cache.set(file, strippedContent);
 	return strippedContent;
 };
-const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, message }) => (file) => {
+const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, ignoreStringLiterals, message }) => (file) => {
 	if (!shouldScan(file)) return [];
-	const content = getScannableContent(file);
+	const content = getScannableContent(file, ignoreStringLiterals);
 	if (requireAll !== void 0 && !requireAll.every((gate) => gate.test(content))) return [];
 	const matchedPattern = (pattern instanceof RegExp ? [pattern] : pattern).find((candidate) => candidate.test(content));
 	if (matchedPattern === void 0) return [];
@@ -973,6 +1026,7 @@ const agentToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath) && AGENT_TOOL_CONTEXT_PATH_PATTERN.test(file.relativePath),
 		pattern: AGENT_TOOL_DEFINITION_PATTERN,
 		requireAll: [AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An agent-callable tool appears to expose network, filesystem, shell, or code-execution capability."
 	})
 });
@@ -2965,7 +3019,7 @@ const ABSTRACT_ROLES = new Set([
 	"widget",
 	"window"
 ]);
-const PRESENTATION_ROLES$2 = new Set(["presentation", "none"]);
+const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
 //#endregion
 //#region src/plugin/rules/a11y/aria-role.ts
 const buildBaseMessage = (suffix) => `This \`role\` is not a valid ARIA role, so assistive tech cannot expose it correctly. Use a real, non-abstract role.${suffix}`;
@@ -3085,7 +3139,7 @@ const artifactBaasAuthoritySurface = defineRule({
 	scan: scanByPattern({
 		shouldScan: (file) => isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle),
 		pattern: /\b(?:collection\s*\(\s*["'](?:boosts|sessions|sessions_admin|users|orgs|candidateJobs|conversations|documents|profiles)|from\s*\(\s*["'](?:users|profiles|documents|organizations|memberships)|creatorID|creatorId|providerId|ghostOrg|ownerId|orgId|tenantId|workspaceId|role|roles|isAdmin|SuperAdmin)\b/i,
-		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore|createClient)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket|supabase|SUPABASE_URL)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b/i],
+		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b|\bcreateClient\b[\s\S]{0,700}\b(?:supabase|SUPABASE_URL)\b|\b(?:supabase|SUPABASE_URL)\b[\s\S]{0,700}\bcreateClient\b/i],
 		message: "A browser artifact exposes Firebase/Supabase config together with sensitive collections or authorization fields."
 	})
 });
@@ -4656,6 +4710,14 @@ const checkedRequiresOnchangeOrReadonly = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/is-presentation-role.ts
+const isPresentationRole = (openingElement) => {
+	const roleAttribute = hasJsxPropIgnoreCase(openingElement.attributes, "role");
+	if (!roleAttribute) return false;
+	const value = getJsxPropStringValue(roleAttribute);
+	return value !== null && PRESENTATION_ROLES$1.has(value);
+};
+//#endregion
 //#region src/plugin/utils/is-pure-event-blocker-handler.ts
 const BLOCKER_METHOD_NAMES = new Set([
 	"stopPropagation",
@@ -4693,7 +4755,6 @@ const isPureEventBlockerHandler = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
-const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
 const MESSAGE$56 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
@@ -4718,11 +4779,7 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (!onClick) return;
 			if (isPureEventBlockerHandler(onClick)) return;
 			if (isHiddenFromScreenReader(node, context.settings)) return;
-			const roleAttribute = hasJsxPropIgnoreCase(node.attributes, "role");
-			if (roleAttribute) {
-				const roleValue = getJsxPropStringValue(roleAttribute);
-				if (roleValue && PRESENTATION_ROLES$1.has(roleValue)) return;
-			}
+			if (isPresentationRole(node)) return;
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
@@ -5693,7 +5750,7 @@ const displayName = defineRule({
 	category: "Architecture",
 	create: (context) => {
 		const settings = resolveSettings$44(context.settings);
-		const ignoreNamed = settings.ignoreTranspilerName ? false : true;
+		const ignoreNamed = !settings.ignoreTranspilerName;
 		const reportAt = (node) => {
 			context.report({
 				node,
@@ -8116,7 +8173,6 @@ const htmlHasLang = defineRule({
 		return { JSXOpeningElement(node) {
 			const tag = getElementType(node, context.settings);
 			if (!tagSet.has(tag)) return;
-			const hasSpread = node.attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
 			const lang = hasJsxPropIgnoreCase(node.attributes, "lang");
 			if (!lang) {
 				context.report({
@@ -8125,16 +8181,8 @@ const htmlHasLang = defineRule({
 				});
 				return;
 			}
-			const verdict = evaluateLang(lang.value);
-			if (verdict === "missing" || verdict === "empty") {
-				context.report({
-					node: lang,
-					message: MESSAGE$50
-				});
-				return;
-			}
-			if (hasSpread && !lang) context.report({
-				node: node.name,
+			if (evaluateLang(lang.value) === "empty") context.report({
+				node: lang,
 				message: MESSAGE$50
 			});
 		} };
@@ -8848,14 +8896,6 @@ const isNonInteractiveElement = (elementType, openingElement) => {
 //#region src/plugin/utils/is-non-interactive-role.ts
 const isNonInteractiveRole = (role) => NON_INTERACTIVE_ROLES.has(role);
 //#endregion
-//#region src/plugin/utils/is-presentation-role.ts
-const isPresentationRole = (openingElement) => {
-	const roleAttribute = hasJsxPropIgnoreCase(openingElement.attributes, "role");
-	if (!roleAttribute) return false;
-	const value = getJsxPropStringValue(roleAttribute);
-	return value !== null && PRESENTATION_ROLES$2.has(value);
-};
-//#endregion
 //#region src/plugin/rules/a11y/interactive-supports-focus.ts
 const buildTabbableMessage = (role) => `Keyboard users can't tab to this '${role}' because it isn't focusable, so add \`tabIndex={0}\`.`;
 const buildFocusableMessage = (role) => `Keyboard users can't focus this '${role}' because it can't receive focus, so add \`tabIndex={0}\` or \`tabIndex={-1}\`.`;
@@ -10630,6 +10670,24 @@ const hasJsxKeyAttribute = (openingElement) => {
 	return false;
 };
 //#endregion
+//#region src/plugin/utils/is-non-children-jsx-attribute-value.ts
+const ascendThroughJsxValueWrappers = (node) => {
+	let current = node;
+	while (current.parent) {
+		const parent = current.parent;
+		if (!(isNodeOfType(parent, "ChainExpression") || isNodeOfType(parent, "TSAsExpression") || isNodeOfType(parent, "TSSatisfiesExpression") || isNodeOfType(parent, "TSNonNullExpression") || isNodeOfType(parent, "LogicalExpression") || isNodeOfType(parent, "ConditionalExpression") && parent.test !== current)) break;
+		current = parent;
+	}
+	return current;
+};
+const isNonChildrenJsxAttributeValue = (node) => {
+	const container = ascendThroughJsxValueWrappers(node).parent;
+	if (!container || !isNodeOfType(container, "JSXExpressionContainer")) return false;
+	const attribute = container.parent;
+	if (!attribute || !isNodeOfType(attribute, "JSXAttribute")) return false;
+	return getJsxAttributeName(attribute.name) !== "children";
+};
+//#endregion
 //#region src/plugin/rules/react-builtins/jsx-key.ts
 const ITERATOR_METHOD_NAMES = new Set([
 	"map",
@@ -10668,6 +10726,7 @@ const findEnclosingIteratorContext = (jsxNode) => {
 			const arrayParent = parent.parent;
 			if (arrayParent && isNodeOfType(arrayParent, "Property")) return null;
 			if (arrayParent && isNodeOfType(arrayParent, "ArrayExpression")) return null;
+			if (isNonChildrenJsxAttributeValue(parent)) return null;
 			return { kind: "array" };
 		} else if (isNodeOfType(parent, "CallExpression")) {
 			const callee = parent.callee;
@@ -10680,10 +10739,13 @@ const findEnclosingIteratorContext = (jsxNode) => {
 			if (!targetArg) return null;
 			let walker = current;
 			while (walker && walker !== parent) {
-				if (walker === targetArg) return {
-					kind: "iterator",
-					callExpression: parent
-				};
+				if (walker === targetArg) {
+					if (isNonChildrenJsxAttributeValue(parent)) return null;
+					return {
+						kind: "iterator",
+						callExpression: parent
+					};
+				}
 				walker = walker.parent ?? null;
 			}
 			return null;
@@ -13466,6 +13528,7 @@ const mcpToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath),
 		pattern: /\bserver\.\s*tool\s*\(|\bregisterTool\s*\(|\bsetRequestHandler\s*\(\s*CallToolRequestSchema/,
 		requireAll: [/\bfrom\s+["']@modelcontextprotocol\/sdk[^"']*["']|\bMcpServer\b|\bMcpAgent\b/, AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An MCP tool/resource/prompt handler appears to expose file, shell, network, or code-execution capability."
 	})
 });
@@ -17375,6 +17438,7 @@ const noDanger = defineRule({
 	title: "Raw HTML injection can run unsafe markup",
 	severity: "warn",
 	category: "Security",
+	defaultEnabled: false,
 	recommendation: "Render trusted content as React children so attacker-controlled HTML cannot run in users' browsers.",
 	create: (context) => ({
 		JSXOpeningElement(node) {
@@ -20135,15 +20199,20 @@ const noInlineExhaustiveStyle = defineRule({
 	severity: "warn",
 	tags: ["test-noise", "react-jsx-only"],
 	recommendation: "Move the styles to a CSS class, CSS module, Tailwind utilities, or a styled component. Big inline objects are hard to read and rebuild on every update.",
-	create: (context) => ({ JSXAttribute(node) {
-		const expression = getInlineStyleExpression(node);
-		if (!expression) return;
-		const propertyCount = expression.properties?.filter((property) => isNodeOfType(property, "Property")).length ?? 0;
-		if (propertyCount >= 8) context.report({
-			node: expression,
-			message: `This inline style has ${propertyCount} properties, which is hard to read & rebuilds every render. Move it to a CSS class, CSS module, or styled component.`
-		});
-	} })
+	create: (context) => {
+		if (isGeneratedImageRenderContext(context)) return {};
+		return { JSXAttribute(node) {
+			const expression = getInlineStyleExpression(node);
+			if (!expression) return;
+			const propertyCount = expression.properties?.filter((property) => isNodeOfType(property, "Property")).length ?? 0;
+			if (propertyCount < 8) return;
+			if (isGeneratedImageRenderContext(context, node.parent ?? void 0)) return;
+			context.report({
+				node: expression,
+				message: `This inline style has ${propertyCount} properties, which is hard to read & rebuilds every render. Move it to a CSS class, CSS module, or styled component.`
+			});
+		} };
+	}
 });
 //#endregion
 //#region src/plugin/rules/performance/no-inline-prop-on-memo-component.ts
@@ -25359,15 +25428,8 @@ const expressionContainsJsxOrCreateElement = (root) => {
 	visit(root);
 	return found;
 };
-const classExtendsReactComponent$1 = (classNode) => {
-	const superClass = classNode.superClass;
-	if (!superClass) return false;
-	if (isNodeOfType(superClass, "Identifier") && (superClass.name === "Component" || superClass.name === "PureComponent")) return true;
-	if (isNodeOfType(superClass, "MemberExpression") && isNodeOfType(superClass.object, "Identifier") && superClass.object.name === "React" && isNodeOfType(superClass.property, "Identifier") && (superClass.property.name === "Component" || superClass.property.name === "PureComponent")) return true;
-	return false;
-};
 const isReactClassComponent = (classNode) => {
-	if (classExtendsReactComponent$1(classNode)) return true;
+	if (isEs6Component(classNode)) return true;
 	return expressionContainsJsxOrCreateElement(classNode);
 };
 const findEnclosingComponent = (node) => {
@@ -25527,7 +25589,7 @@ const noUnstableNestedComponents = defineRule({
 	create: (context) => {
 		const settings = resolveSettings$8(context.settings);
 		const renderPropRegex = compileGlob(settings.propNamePattern);
-		const reportCandidate = (candidateNode, reportNode, candidateName) => {
+		const reportCandidate = (candidateNode, reportNode) => {
 			if (isFirstArgumentOfHocCall(candidateNode)) return;
 			if (isReturnOfMapCallback(candidateNode)) return;
 			const propInfo = isComponentDeclaredInProp(candidateNode);
@@ -25548,7 +25610,7 @@ const noUnstableNestedComponents = defineRule({
 			const inferredName = inferFunctionLikeName(node);
 			const propInfo = isComponentDeclaredInProp(node);
 			if (!(inferredName !== null && isReactComponentName(inferredName) || propInfo !== null || isObjectCallbackCandidate(node))) return;
-			reportCandidate(node, node, inferredName);
+			reportCandidate(node, node);
 		};
 		return {
 			FunctionDeclaration: checkFunctionLike,
@@ -25558,18 +25620,18 @@ const noUnstableNestedComponents = defineRule({
 				if (!node.id) return;
 				if (!isReactComponentName(node.id.name)) return;
 				if (!isReactClassComponent(node)) return;
-				reportCandidate(node, node, node.id.name);
+				reportCandidate(node, node);
 			},
 			ClassExpression(node) {
 				const inferredName = node.id?.name ?? inferFunctionLikeName(node);
 				if (!inferredName || !isReactComponentName(inferredName)) return;
 				if (!isReactClassComponent(node)) return;
-				reportCandidate(node, node, inferredName);
+				reportCandidate(node, node);
 			},
 			CallExpression(node) {
 				if (!isHocCallee$1(node)) return;
 				if (!hocCallContainsComponent(node)) return;
-				reportCandidate(node, node, null);
+				reportCandidate(node, node);
 			}
 		};
 	}
@@ -26009,13 +26071,6 @@ const skipTsExpression = (expression) => {
 	if (expression.type === "TSAsExpression" || expression.type === "TSSatisfiesExpression" || expression.type === "TSNonNullExpression") return skipTsExpression(expression.expression);
 	return expression;
 };
-const classExtendsReactComponent = (classNode) => {
-	const superClass = classNode.superClass;
-	if (!superClass) return false;
-	if (isNodeOfType(superClass, "Identifier") && (superClass.name === "Component" || superClass.name === "PureComponent")) return true;
-	if (isNodeOfType(superClass, "MemberExpression") && isNodeOfType(superClass.object, "Identifier") && superClass.object.name === "React" && isNodeOfType(superClass.property, "Identifier") && (superClass.property.name === "Component" || superClass.property.name === "PureComponent")) return true;
-	return false;
-};
 const isReactCreateContext = (initializer) => {
 	if (!initializer) return false;
 	const expression = skipTsExpression(initializer);
@@ -26206,7 +26261,7 @@ const onlyExportComponents = defineRule({
 						if (stripped.id) {
 							const idNode = stripped.id;
 							isExportedNodeIds.add(stripped);
-							if (isReactComponentName(idNode.name) && classExtendsReactComponent(stripped)) hasReactExport = true;
+							if (isReactComponentName(idNode.name) && isEs6Component(stripped)) hasReactExport = true;
 							else exports.push({
 								kind: "non-component",
 								reportNode: idNode
@@ -26266,7 +26321,7 @@ const onlyExportComponents = defineRule({
 							exports.push(classifyExport(declaration.id.name, declaration.id, true, null, state));
 						} else if (isNodeOfType(declaration, "ClassDeclaration") && declaration.id) {
 							isExportedNodeIds.add(declaration);
-							if (isReactComponentName(declaration.id.name) && classExtendsReactComponent(declaration)) exports.push({ kind: "react-component" });
+							if (isReactComponentName(declaration.id.name) && isEs6Component(declaration)) exports.push({ kind: "react-component" });
 							else exports.push({
 								kind: "non-component",
 								reportNode: declaration.id
@@ -35525,13 +35580,7 @@ const serverNoMutableModuleState = defineRule({
 const collectDeclaredNames = (declaration) => {
 	const names = /* @__PURE__ */ new Set();
 	if (!isNodeOfType(declaration, "VariableDeclaration")) return names;
-	for (const declarator of declaration.declarations ?? []) if (isNodeOfType(declarator.id, "Identifier")) names.add(declarator.id.name);
-	else if (isNodeOfType(declarator.id, "ObjectPattern")) {
-		for (const property of declarator.id.properties ?? []) if (isNodeOfType(property, "Property") && isNodeOfType(property.value, "Identifier")) names.add(property.value.name);
-		else if (isNodeOfType(property, "RestElement") && isNodeOfType(property.argument, "Identifier")) names.add(property.argument.name);
-	} else if (isNodeOfType(declarator.id, "ArrayPattern")) {
-		for (const element of declarator.id.elements ?? []) if (isNodeOfType(element, "Identifier")) names.add(element.name);
-	}
+	for (const declarator of declaration.declarations ?? []) collectPatternNames(declarator.id, names);
 	return names;
 };
 const declarationStartsWithAwait = (declaration) => {
@@ -35541,11 +35590,15 @@ const declarationStartsWithAwait = (declaration) => {
 };
 const declarationReadsAnyName = (declaration, names) => {
 	if (names.size === 0) return false;
+	if (!isNodeOfType(declaration, "VariableDeclaration")) return false;
 	let didRead = false;
-	walkAst(declaration, (child) => {
-		if (didRead) return;
-		if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
-	});
+	for (const declarator of declaration.declarations ?? []) {
+		if (!declarator.init) continue;
+		walkAst(declarator.init, (child) => {
+			if (didRead) return;
+			if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
+		});
+	}
 	return didRead;
 };
 const serverSequentialIndependentAwait = defineRule({
@@ -36805,7 +36858,7 @@ const urlPrefilledPrivilegedAction = defineRule({
 	recommendation: "Require server-side validation and explicit confirmation for URL-sourced invite, role, permission, redirect, or sharing parameters.",
 	scan: scanByPattern({
 		shouldScan: (file) => isClientSourcePath(file.relativePath),
-		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?)\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
+		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?(?:[\w$]+\s*\.\s*){0,4})\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
 		message: "Client code reads sensitive action state from the URL, which can pre-fill invites, roles, redirects, or sharing flows with attacker values."
 	})
 });
@@ -42224,32 +42277,6 @@ const computeUnconditionalSet = (cfg) => {
 	}
 	return unconditional;
 };
-const computeDominatesExit = (cfg) => {
-	const reachableToExit = /* @__PURE__ */ new Set();
-	const queue = [cfg.exit];
-	while (queue.length > 0) {
-		const block = queue.shift();
-		if (reachableToExit.has(block)) continue;
-		reachableToExit.add(block);
-		for (const edge of block.predecessors) queue.push(edge.from);
-	}
-	const dominatesExit = /* @__PURE__ */ new Set();
-	const visit = (block) => {
-		if (block === cfg.exit) return true;
-		if (dominatesExit.has(block)) return true;
-		if (block.successors.length === 0) return false;
-		dominatesExit.add(block);
-		let allReach = true;
-		for (const edge of block.successors) if (!visit(edge.to)) {
-			allReach = false;
-			break;
-		}
-		if (!allReach) dominatesExit.delete(block);
-		return allReach;
-	};
-	for (const block of cfg.blocks) visit(block);
-	return dominatesExit;
-};
 const analyzeControlFlow = (program) => {
 	nextBlockId = 0;
 	const functionCfgs = /* @__PURE__ */ new Map();
@@ -42257,8 +42284,7 @@ const analyzeControlFlow = (program) => {
 		const cfg = buildFunctionCfg(functionNode, body);
 		functionCfgs.set(functionNode, {
 			cfg,
-			unconditionalSet: computeUnconditionalSet(cfg),
-			dominatesExitSet: computeDominatesExit(cfg)
+			unconditionalSet: computeUnconditionalSet(cfg)
 		});
 	};
 	if (isNodeOfType(program, "Program")) buildFor(program, {
@@ -42301,20 +42327,10 @@ const analyzeControlFlow = (program) => {
 		if (!block) return true;
 		return entry.unconditionalSet.has(block);
 	};
-	const dominatesExit = (node) => {
-		const owner = enclosingFunction(node);
-		if (!owner) return true;
-		const entry = functionCfgs.get(owner);
-		if (!entry) return true;
-		const block = entry.cfg.blockOf(node);
-		if (!block) return true;
-		return entry.dominatesExitSet.has(block);
-	};
 	return {
 		cfgFor,
 		enclosingFunction,
-		isUnconditionalFromEntry,
-		dominatesExit
+		isUnconditionalFromEntry
 	};
 };
 //#endregion
@@ -42339,8 +42355,7 @@ const buildFallbackScopes = () => ({
 const FALLBACK_CFG = {
 	cfgFor: () => null,
 	enclosingFunction: () => null,
-	isUnconditionalFromEntry: () => false,
-	dominatesExit: () => false
+	isUnconditionalFromEntry: () => false
 };
 const wrapWithSemanticContext = (rule) => ({
 	...rule,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oxlint-plugin-react-doctor",
-  "version": "0.5.6-dev.451beeb",
+  "version": "0.5.6-dev.5d1347e",
   "description": "oxlint plugin for React Doctor: diagnose React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",