projscan 4.4.0 → 4.6.0

package/dist/core/taint.js

@@ -1,4 +1,5 @@
 import { FRAMEWORK_REQUEST_SOURCES, frameworkRequestSourceForFunction, } from './frameworkSources.js';
+import { isDefaultChildProcessEnvPassthrough, pickSinkHit, pickSourceHit, } from './taintMatching.js';
 export const DEFAULT_TAINT_SOURCES = [
     'env', // process.env.X
     'argv', // process.argv
@@ -33,45 +34,6 @@ export const DEFAULT_TAINT_SINKS = [
     'innerHTML', // DOM XSS — actually a property assignment, not a call;
     //             included only when call-shaped helpers wrap it (e.g. setInnerHtml).
 ];
-const JAVASCRIPT_CHILD_PROCESS_SINKS = new Set(['exec', 'execSync', 'spawn', 'spawnSync']);
-const DEFAULT_DATABASE_SINKS = new Set(['query', 'execute', '$queryRaw', '$executeRaw', 'raw']);
-const DATABASE_RECEIVERS = new Set([
-    'db',
-    'database',
-    'pool',
-    'client',
-    'connection',
-    'conn',
-    'prisma',
-    'knex',
-    'sequelize',
-    'repository',
-    'repo',
-    'manager',
-    'sql',
-]);
-const CALL_SHAPED_DEFAULT_SOURCES = new Set(['getInput', 'readFile', 'readFileSync', 'stdin']);
-const DEFAULT_HTTP_PROPERTY_SOURCES = new Set(['body', 'query', 'params', 'headers', 'cookies']);
-const DATABASE_MODULE_NAMES = new Set([
-    'db',
-    'database',
-    'sql',
-    'pool',
-    'client',
-    'repository',
-    'repo',
-]);
-const KNOWN_DATABASE_PACKAGES = new Set([
-    'pg',
-    'postgres',
-    'mysql',
-    'mysql2',
-    'sqlite3',
-    'better-sqlite3',
-    'knex',
-    'sequelize',
-    '@prisma/client',
-]);
 /**
  * Compute taint flows over the given code graph. Per-function callSites
  * are required (1.5+ ships these for every adapter); functions without
@@ -103,27 +65,31 @@ export function computeTaint(graph, config) {
             const callees = fn.callSites ?? [];
             const directCallSites = fn.directCallSites ?? [];
             const memberCallSites = fn.memberCallSites ?? [];
+            const memberReferences = fn.memberReferences ?? [];
             const memberAliases = fn.memberAliases ?? [];
             const references = fn.references ?? [];
             totalCallSites += callees.length;
             // Default sources mostly match property/reference reads; custom sources
             // may still be call-shaped. Sinks are call-shaped, so callSites only.
-            const sourceHit = frameworkRequestSourceForFunction(file, fn.name, memberCallSites, fn.parameters ?? [], sources, references, fn.contextualCallSite, gf.imports) ?? pickSourceHit(callees, references, sources, customSources);
+            const sourceHit = frameworkRequestSourceForFunction(file, fn.name, memberCallSites, memberReferences, fn.parameters ?? [], sources, references, fn.contextualCallSite, gf.imports) ?? pickSourceHit(callees, references, sources, customSources);
             const sinkHit = pickSinkHit(callees, directCallSites, memberCallSites, memberAliases, sinks, customSinks, file, gf);
-            const hasSource = sourceHit !== null;
+            const hasSource = sourceHit !== null &&
+                !isDefaultChildProcessEnvPassthrough(sourceHit, sinkHit, memberReferences, customSources, customSinks);
             const hasSink = sinkHit !== null;
             const node = {
+                id: `${file}::${fn.name}@${fn.line}`,
                 qualName: fn.name,
                 bareName: bareName(fn.name),
                 file,
                 callees,
                 references,
+                memberReferences,
                 sourceHit,
                 sinkHit,
                 hasSource,
                 hasSink,
             };
-            fnByQual.set(`${file}::${fn.name}`, node);
+            fnByQual.set(node.id, node);
             let list = fnsByBareName.get(node.bareName);
             if (!list) {
                 list = [];
@@ -143,7 +109,7 @@ export function computeTaint(graph, config) {
         };
     }
     const flows = [];
-    const seen = new Set(); // dedupe key: sourceFnQual::sinkFnQual
+    const seen = new Set(); // dedupe key: sourceFnId::sinkFnId
     // 1.8+ — track which source functions hit MAX_DEPTH with frontier
     // still non-empty. The agent gets these in `truncatedSources` so it
     // knows where the analysis was clipped.
@@ -167,7 +133,7 @@ export function computeTaint(graph, config) {
             continue;
         // Same-function shortcut.
         if (sourceFn.hasSink) {
-            const key = `${sourceFn.file}::${sourceFn.qualName}::${sourceFn.file}::${sourceFn.qualName}`;
+            const key = `${sourceFn.id}::${sourceFn.id}`;
             if (!seen.has(key)) {
                 seen.add(key);
                 flows.push({
@@ -181,7 +147,7 @@ export function computeTaint(graph, config) {
             }
         }
         // BFS through callees.
-        const visited = new Set([`${sourceFn.file}::${sourceFn.qualName}`]);
+        const visited = new Set([sourceFn.id]);
         let frontier = [{ node: sourceFn, path: [sourceFn] }];
         let depth = 0;
         let frontierCapped = false;
@@ -195,13 +161,12 @@ export function computeTaint(graph, config) {
                 for (const calleeName of entry.node.callees) {
                     const candidates = fnsByBareName.get(calleeName) ?? [];
                     for (const candidate of candidates) {
-                        const key = `${candidate.file}::${candidate.qualName}`;
-                        if (visited.has(key))
+                        if (visited.has(candidate.id))
                             continue;
-                        visited.add(key);
+                        visited.add(candidate.id);
                         const newPath = [...entry.path, candidate];
                         if (candidate.hasSink) {
-                            const flowKey = `${sourceFn.file}::${sourceFn.qualName}::${candidate.file}::${candidate.qualName}`;
+                            const flowKey = `${sourceFn.id}::${candidate.id}`;
                             if (!seen.has(flowKey)) {
                                 seen.add(flowKey);
                                 const filesInPath = [];
@@ -261,86 +226,10 @@ export function computeTaint(graph, config) {
         maxDepth: MAX_DEPTH,
     };
 }
-function pickSinkHit(callees, directCallSites, memberCallSites, memberAliases, sinks, customSinks, file, graphFile) {
-    for (const callee of callees) {
-        if (!sinks.has(callee))
-            continue;
-        if (isDefaultMisidentifiedJavaScriptShellSink(callee, customSinks, file, graphFile))
-            continue;
-        if (isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile))
-            continue;
-        return callee;
-    }
-    return null;
-}
-function isDefaultMisidentifiedJavaScriptShellSink(callee, customSinks, file, graphFile) {
-    if (customSinks.has(callee))
-        return false;
-    if (!JAVASCRIPT_CHILD_PROCESS_SINKS.has(callee))
-        return false;
-    if (!isJavaScriptLikeFile(file, graphFile.adapterId))
-        return false;
-    return !graphFile.imports.some((imp) => (imp.source === 'node:child_process' || imp.source === 'child_process') &&
-        (imp.specifiers.includes(callee) || imp.specifiers.length === 0));
-}
-function isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile) {
-    if (customSinks.has(callee))
-        return false;
-    if (!DEFAULT_DATABASE_SINKS.has(callee))
-        return false;
-    if (!isJavaScriptLikeFile(file, graphFile.adapterId))
-        return false;
-    if (memberCallSites.some((member) => isDatabaseMemberCall(member, callee)))
-        return false;
-    if (directCallSites.includes(callee) && isImportedDatabaseHelper(callee, graphFile.imports))
-        return false;
-    if (directCallSites.includes(callee) &&
-        memberAliases.some((alias) => isDatabaseMemberAlias(alias, callee)))
-        return false;
-    return true;
-}
-function isDatabaseMemberCall(member, callee) {
-    const parts = member.split('.');
-    if (parts[parts.length - 1] !== callee)
-        return false;
-    const receiver = parts.length >= 2 ? parts[parts.length - 2].toLowerCase() : '';
-    return DATABASE_RECEIVERS.has(receiver);
-}
-function isImportedDatabaseHelper(callee, imports) {
-    return imports.some((imp) => imp.specifiers.includes(callee) && isDatabaseModule(imp.source));
-}
-function isDatabaseModule(source) {
-    if (KNOWN_DATABASE_PACKAGES.has(source))
-        return true;
-    const normalized = source.replace(/\\/g, '/');
-    const last = normalized.split('/').pop() ?? normalized;
-    const basename = last.replace(/\.(?:c|m)?(?:j|t)sx?$/i, '').toLowerCase();
-    return DATABASE_MODULE_NAMES.has(basename);
-}
-function isDatabaseMemberAlias(alias, callee) {
-    const [localName, member] = alias.split('=');
-    return localName === callee && isDatabaseMemberCall(member ?? '', callee);
-}
-function isJavaScriptLikeFile(file, adapterId) {
-    return adapterId === 'javascript' || /\.(?:cjs|mjs|js|jsx|ts|tsx)$/.test(file);
-}
 function bareName(qualified) {
     const dot = qualified.lastIndexOf('.');
     if (dot < 0)
         return qualified;
     return qualified.slice(dot + 1);
 }
-function pickSourceHit(callees, references, sources, customSources) {
-    for (const value of references) {
-        if (customSources.has(value))
-            return value;
-        if (sources.has(value) && !DEFAULT_HTTP_PROPERTY_SOURCES.has(value))
-            return value;
-    }
-    for (const value of callees) {
-        if (customSources.has(value) || CALL_SHAPED_DEFAULT_SOURCES.has(value))
-            return value;
-    }
-    return null;
-}
 //# sourceMappingURL=taint.js.map

package/dist/core/taint.js.map

@@ -1 +1 @@
-{"version":3,"file":"taint.js","sourceRoot":"","sources":["../../src/core/taint.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,uBAAuB,CAAC;AAyD/B,MAAM,CAAC,MAAM,qBAAqB,GAA0B;IAC1D,KAAK,EAAE,gBAAgB;IACvB,MAAM,EAAE,eAAe;IACvB,MAAM,EAAE,WAAW;IACnB,OAAO,EAAE,4EAA4E;IACrF,QAAQ,EAAE,aAAa;IACvB,SAAS,EAAE,cAAc;IACzB,SAAS,EAAE,cAAc;IACzB,UAAU,EAAE,wBAAwB;IACpC,cAAc;IACd,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,wBAAwB;IACpC,GAAG,yBAAyB;CAC7B,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAA0B;IACxD,MAAM,EAAE,qBAAqB;IAC7B,UAAU;IACV,OAAO,EAAE,sBAAsB;IAC/B,WAAW;IACX,MAAM,EAAE,cAAc;IACtB,UAAU,EAAE,yCAAyC;IACrD,WAAW,EAAE,6BAA6B;IAC1C,eAAe;IACf,QAAQ,EAAE,gCAAgC;IAC1C,QAAQ;IACR,IAAI;IACJ,OAAO,EAAE,uBAAuB;IAChC,SAAS,EAAE,yBAAyB;IACpC,QAAQ,EAAE,sBAAsB;IAChC,WAAW;IACX,YAAY,EAAE,2BAA2B;IACzC,WAAW,EAAE,wDAAwD;IACrE,kFAAkF;CACnF,CAAC;AAEF,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;AAC3F,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC;AAChG,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,IAAI;IACJ,UAAU;IACV,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;IACN,QAAQ;IACR,MAAM;IACN,WAAW;IACX,YAAY;IACZ,MAAM;IACN,SAAS;IACT,KAAK;CACN,CAAC,CAAC;AACH,MAAM,2BAA2B,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;AAC/F,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AACjG,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,IAAI;IACJ,UAAU;IACV,KAAK;IACL,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;CACP,CAAC,CAAC;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,IAAI;IACJ,UAAU;IACV,OAAO;IACP,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,MAAM;IACN,WAAW;IACX,gBAAgB;CACjB,CAAC,CAAC;AAgDH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,YAAY,CAAC,KAAgB,EAAE,MAAmB;IAChE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,qBAAqB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAiB1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3C,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoB,CAAC;IAClD,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,SAAS;YAAE,SAAS;QAC5B,KAAK,MAAM,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,SAAS,IAAI,EAAE,CAAC;YACnC,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;YACjD,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;YACjD,MAAM,aAAa,GAAG,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC;YAC7C,MAAM,UAAU,GAAG,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;YACvC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;YACjC,wEAAwE;YACxE,sEAAsE;YACtE,MAAM,SAAS,GACb,iCAAiC,CAC/B,IAAI,EACJ,EAAE,CAAC,IAAI,EACP,eAAe,EACf,EAAE,CAAC,UAAU,IAAI,EAAE,EACnB,OAAO,EACP,UAAU,EACV,EAAE,CAAC,kBAAkB,EACrB,EAAE,CAAC,OAAO,CACX,IAAI,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,WAAW,CACzB,OAAO,EACP,eAAe,EACf,eAAe,EACf,aAAa,EACb,KAAK,EACL,WAAW,EACX,IAAI,EACJ,EAAE,CACH,CAAC;YACF,MAAM,SAAS,GAAG,SAAS,KAAK,IAAI,CAAC;YACrC,MAAM,OAAO,GAAG,OAAO,KAAK,IAAI,CAAC;YACjC,MAAM,IAAI,GAAW;gBACnB,QAAQ,EAAE,EAAE,CAAC,IAAI;gBACjB,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC;gBAC3B,IAAI;gBACJ,OAAO;gBACP,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,SAAS;gBACT,OAAO;aACR,CAAC;YACF,QAAQ,CAAC,GAAG,CAAC,GAAG,IAAI,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;YAC1C,IAAI,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,IAAI,GAAG,EAAE,CAAC;gBACV,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,cAAc,KAAK,CAAC,EAAE,CAAC;QAChD,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EACJ,yFAAyF;YAC3F,SAAS,EAAE,CAAC;YACZ,KAAK,EAAE,EAAE;YACT,gBAAgB,EAAE,CAAC,GAAG,OAAO,CAAC;YAC9B,cAAc,EAAE,CAAC,GAAG,KAAK,CAAC;SAC3B,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,uCAAuC;IACvE,kEAAkE;IAClE,oEAAoE;IACpE,wCAAwC;IACxC,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,oEAAoE;IACpE,mEAAmE;IACnE,gEAAgE;IAChE,8DAA8D;IAC9D,8BAA8B;IAC9B,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,mEAAmE;IACnE,yEAAyE;IACzE,gEAAgE;IAChE,sEAAsE;IACtE,mEAAmE;IACnE,sEAAsE;IACtE,iDAAiD;IACjD,MAAM,qBAAqB,GAAG,IAAI,CAAC;IAEnC,KAAK,MAAM,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QACzC,IAAI,CAAC,QAAQ,CAAC,SAAS;YAAE,SAAS;QAClC,0BAA0B;QAC1B,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC7F,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,MAAM,EAAE,QAAQ,CAAC,QAAQ;oBACzB,MAAM,EAAE,QAAQ,CAAC,SAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,OAAQ;oBACvB,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBACzB,KAAK,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,uBAAuB;QACvB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,GAAG,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAE5E,IAAI,QAAQ,GAAoB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,GAAG,SAAS,EAAE,CAAC;YAChD,KAAK,IAAI,CAAC,CAAC;YACX,MAAM,IAAI,GAAoB,EAAE,CAAC;YACjC,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;gBAC7B,IAAI,OAAO;oBAAE,MAAM;gBACnB,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;oBAC5C,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;oBACvD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;wBACnC,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,QAAQ,EAAE,CAAC;wBACvD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;4BAAE,SAAS;wBAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBACjB,MAAM,OAAO,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;wBAC3C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;4BACtB,MAAM,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,KAAK,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,QAAQ,EAAE,CAAC;4BACnG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gCACvB,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gCAClB,MAAM,WAAW,GAAa,EAAE,CAAC;gCACjC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;oCACxB,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI;wCAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gCAC/E,CAAC;gCACD,KAAK,CAAC,IAAI,CAAC;oCACT,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oCAC3B,MAAM,EAAE,SAAS,CAAC,QAAQ;oCAC1B,MAAM,EAAE,QAAQ,CAAC,SAAU;oCAC3B,IAAI,EAAE,SAAS,CAAC,OAAQ;oCACxB,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;oCACpC,KAAK,EAAE,WAAW;iCACnB,CAAC,CAAC;4BACL,CAAC;4BACD,qDAAqD;4BACrD,SAAS;wBACX,CAAC;wBACD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;wBAC9C,IAAI,IAAI,CAAC,MAAM,IAAI,qBAAqB,EAAE,CAAC;4BACzC,6DAA6D;4BAC7D,yDAAyD;4BACzD,8DAA8D;4BAC9D,qCAAqC;4BACrC,cAAc,GAAG,IAAI,CAAC;4BACtB,OAAO,GAAG,IAAI,CAAC;4BACf,MAAM;wBACR,CAAC;oBACH,CAAC;oBACD,IAAI,OAAO;wBAAE,MAAM;gBACrB,CAAC;YACH,CAAC;YACD,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;QACD,sEAAsE;QACtE,sEAAsE;QACtE,kDAAkD;QAClD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,EAAE,CAAC;YAC1C,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;YAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,KAAK;QACL,gBAAgB,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE;QACrC,cAAc,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE;QACjC,SAAS,EAAE,gBAAgB,CAAC,MAAM,GAAG,CAAC;QACtC,gBAAgB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,EAAE;QACvD,QAAQ,EAAE,SAAS;KACpB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,OAAiB,EACjB,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,KAAkB,EAClB,WAAwB,EACxB,IAAY,EACZ,SAA2F;IAE3F,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QACjC,IAAI,yCAAyC,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC;YAAE,SAAS;QAC9F,IACE,kCAAkC,CAChC,MAAM,EACN,eAAe,EACf,eAAe,EACf,aAAa,EACb,WAAW,EACX,IAAI,EACJ,SAAS,CACV;YAED,SAAS;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,yCAAyC,CAChD,MAAc,EACd,WAAwB,EACxB,IAAY,EACZ,SAA2F;IAE3F,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAC5B,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,GAAG,CAAC,MAAM,KAAK,oBAAoB,IAAI,GAAG,CAAC,MAAM,KAAK,eAAe,CAAC;QACvE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CACnE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,MAAc,EACd,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,WAAwB,EACxB,IAAY,EACZ,SAA2F;IAE3F,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACzF,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,IACE,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC;QAChC,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO,KAAK,CAAC;IACf,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc,EAAE,MAAc;IAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAChF,OAAO,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc,EACd,OAAwD;IAExD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1E,OAAO,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa,EAAE,MAAc;IAC1D,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO,SAAS,KAAK,MAAM,IAAI,oBAAoB,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY,EAAE,SAAkB;IAC5D,OAAO,SAAS,KAAK,YAAY,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,QAAQ,CAAC,SAAiB;IACjC,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,aAAa,CACpB,OAAiB,EACjB,UAAoB,EACpB,OAAoB,EACpB,aAA0B;IAE1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACpF,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,2BAA2B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"taint.js","sourceRoot":"","sources":["../../src/core/taint.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,mCAAmC,EACnC,WAAW,EACX,aAAa,GACd,MAAM,oBAAoB,CAAC;AAyD5B,MAAM,CAAC,MAAM,qBAAqB,GAA0B;IAC1D,KAAK,EAAE,gBAAgB;IACvB,MAAM,EAAE,eAAe;IACvB,MAAM,EAAE,WAAW;IACnB,OAAO,EAAE,4EAA4E;IACrF,QAAQ,EAAE,aAAa;IACvB,SAAS,EAAE,cAAc;IACzB,SAAS,EAAE,cAAc;IACzB,UAAU,EAAE,wBAAwB;IACpC,cAAc;IACd,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,wBAAwB;IACpC,GAAG,yBAAyB;CAC7B,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAA0B;IACxD,MAAM,EAAE,qBAAqB;IAC7B,UAAU;IACV,OAAO,EAAE,sBAAsB;IAC/B,WAAW;IACX,MAAM,EAAE,cAAc;IACtB,UAAU,EAAE,yCAAyC;IACrD,WAAW,EAAE,6BAA6B;IAC1C,eAAe;IACf,QAAQ,EAAE,gCAAgC;IAC1C,QAAQ;IACR,IAAI;IACJ,OAAO,EAAE,uBAAuB;IAChC,SAAS,EAAE,yBAAyB;IACpC,QAAQ,EAAE,sBAAsB;IAChC,WAAW;IACX,YAAY,EAAE,2BAA2B;IACzC,WAAW,EAAE,wDAAwD;IACrE,kFAAkF;CACnF,CAAC;AAgDF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,YAAY,CAAC,KAAgB,EAAE,MAAmB;IAChE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,qBAAqB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAmB1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3C,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoB,CAAC;IAClD,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,SAAS;YAAE,SAAS;QAC5B,KAAK,MAAM,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,SAAS,IAAI,EAAE,CAAC;YACnC,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;YACjD,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;YACjD,MAAM,gBAAgB,GAAG,EAAE,CAAC,gBAAgB,IAAI,EAAE,CAAC;YACnD,MAAM,aAAa,GAAG,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC;YAC7C,MAAM,UAAU,GAAG,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;YACvC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;YACjC,wEAAwE;YACxE,sEAAsE;YACtE,MAAM,SAAS,GACb,iCAAiC,CAC/B,IAAI,EACJ,EAAE,CAAC,IAAI,EACP,eAAe,EACf,gBAAgB,EAChB,EAAE,CAAC,UAAU,IAAI,EAAE,EACnB,OAAO,EACP,UAAU,EACV,EAAE,CAAC,kBAAkB,EACrB,EAAE,CAAC,OAAO,CACX,IAAI,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,WAAW,CACzB,OAAO,EACP,eAAe,EACf,eAAe,EACf,aAAa,EACb,KAAK,EACL,WAAW,EACX,IAAI,EACJ,EAAE,CACH,CAAC;YACF,MAAM,SAAS,GACb,SAAS,KAAK,IAAI;gBAClB,CAAC,mCAAmC,CAClC,SAAS,EACT,OAAO,EACP,gBAAgB,EAChB,aAAa,EACb,WAAW,CACZ,CAAC;YACJ,MAAM,OAAO,GAAG,OAAO,KAAK,IAAI,CAAC;YACjC,MAAM,IAAI,GAAW;gBACnB,EAAE,EAAE,GAAG,IAAI,KAAK,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;gBACpC,QAAQ,EAAE,EAAE,CAAC,IAAI;gBACjB,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC;gBAC3B,IAAI;gBACJ,OAAO;gBACP,UAAU;gBACV,gBAAgB;gBAChB,SAAS;gBACT,OAAO;gBACP,SAAS;gBACT,OAAO;aACR,CAAC;YACF,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC5B,IAAI,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,IAAI,GAAG,EAAE,CAAC;gBACV,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,cAAc,KAAK,CAAC,EAAE,CAAC;QAChD,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EACJ,yFAAyF;YAC3F,SAAS,EAAE,CAAC;YACZ,KAAK,EAAE,EAAE;YACT,gBAAgB,EAAE,CAAC,GAAG,OAAO,CAAC;YAC9B,cAAc,EAAE,CAAC,GAAG,KAAK,CAAC;SAC3B,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,mCAAmC;IACnE,kEAAkE;IAClE,oEAAoE;IACpE,wCAAwC;IACxC,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,oEAAoE;IACpE,mEAAmE;IACnE,gEAAgE;IAChE,8DAA8D;IAC9D,8BAA8B;IAC9B,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,mEAAmE;IACnE,yEAAyE;IACzE,gEAAgE;IAChE,sEAAsE;IACtE,mEAAmE;IACnE,sEAAsE;IACtE,iDAAiD;IACjD,MAAM,qBAAqB,GAAG,IAAI,CAAC;IAEnC,KAAK,MAAM,QAAQ,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QACzC,IAAI,CAAC,QAAQ,CAAC,SAAS;YAAE,SAAS;QAClC,0BAA0B;QAC1B,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,EAAE,KAAK,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC7C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,MAAM,EAAE,QAAQ,CAAC,QAAQ;oBACzB,MAAM,EAAE,QAAQ,CAAC,SAAU;oBAC3B,IAAI,EAAE,QAAQ,CAAC,OAAQ;oBACvB,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBACzB,KAAK,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,uBAAuB;QACvB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QAE/C,IAAI,QAAQ,GAAoB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,GAAG,SAAS,EAAE,CAAC;YAChD,KAAK,IAAI,CAAC,CAAC;YACX,MAAM,IAAI,GAAoB,EAAE,CAAC;YACjC,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;gBAC7B,IAAI,OAAO;oBAAE,MAAM;gBACnB,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;oBAC5C,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;oBACvD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;wBACnC,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;4BAAE,SAAS;wBACxC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;wBAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;wBAC3C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;4BACtB,MAAM,OAAO,GAAG,GAAG,QAAQ,CAAC,EAAE,KAAK,SAAS,CAAC,EAAE,EAAE,CAAC;4BAClD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gCACvB,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gCAClB,MAAM,WAAW,GAAa,EAAE,CAAC;gCACjC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;oCACxB,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI;wCAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gCAC/E,CAAC;gCACD,KAAK,CAAC,IAAI,CAAC;oCACT,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oCAC3B,MAAM,EAAE,SAAS,CAAC,QAAQ;oCAC1B,MAAM,EAAE,QAAQ,CAAC,SAAU;oCAC3B,IAAI,EAAE,SAAS,CAAC,OAAQ;oCACxB,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;oCACpC,KAAK,EAAE,WAAW;iCACnB,CAAC,CAAC;4BACL,CAAC;4BACD,qDAAqD;4BACrD,SAAS;wBACX,CAAC;wBACD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;wBAC9C,IAAI,IAAI,CAAC,MAAM,IAAI,qBAAqB,EAAE,CAAC;4BACzC,6DAA6D;4BAC7D,yDAAyD;4BACzD,8DAA8D;4BAC9D,qCAAqC;4BACrC,cAAc,GAAG,IAAI,CAAC;4BACtB,OAAO,GAAG,IAAI,CAAC;4BACf,MAAM;wBACR,CAAC;oBACH,CAAC;oBACD,IAAI,OAAO;wBAAE,MAAM;gBACrB,CAAC;YACH,CAAC;YACD,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;QACD,sEAAsE;QACtE,sEAAsE;QACtE,kDAAkD;QAClD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,EAAE,CAAC;YAC1C,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;YAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,KAAK;QACL,gBAAgB,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE;QACrC,cAAc,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE;QACjC,SAAS,EAAE,gBAAgB,CAAC,MAAM,GAAG,CAAC;QACtC,gBAAgB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,EAAE;QACvD,QAAQ,EAAE,SAAS;KACpB,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,SAAiB;IACjC,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;AAClC,CAAC"}

package/dist/core/taintMatching.d.ts

@@ -0,0 +1,11 @@
+type TaintGraphFile = {
+    imports: Array<{
+        source: string;
+        specifiers: string[];
+    }>;
+    adapterId?: string;
+};
+export declare function pickSourceHit(callees: string[], references: string[], sources: Set<string>, customSources: Set<string>): string | null;
+export declare function pickSinkHit(callees: string[], directCallSites: string[], memberCallSites: string[], memberAliases: string[], sinks: Set<string>, customSinks: Set<string>, file: string, graphFile: TaintGraphFile): string | null;
+export declare function isDefaultChildProcessEnvPassthrough(sourceHit: string, sinkHit: string | null, memberReferences: string[], customSources: Set<string>, customSinks: Set<string>): boolean;
+export {};

package/dist/core/taintMatching.js

@@ -0,0 +1,126 @@
+const JAVASCRIPT_CHILD_PROCESS_SINKS = new Set(['exec', 'execSync', 'spawn', 'spawnSync']);
+const DEFAULT_DATABASE_SINKS = new Set(['query', 'execute', '$queryRaw', '$executeRaw', 'raw']);
+const DATABASE_RECEIVERS = new Set([
+    'db',
+    'database',
+    'pool',
+    'client',
+    'connection',
+    'conn',
+    'prisma',
+    'knex',
+    'sequelize',
+    'repository',
+    'repo',
+    'manager',
+    'sql',
+]);
+const CALL_SHAPED_DEFAULT_SOURCES = new Set(['getInput', 'readFile', 'readFileSync', 'stdin']);
+const DEFAULT_HTTP_PROPERTY_SOURCES = new Set(['body', 'query', 'params', 'headers', 'cookies']);
+const DATABASE_MODULE_NAMES = new Set([
+    'db',
+    'database',
+    'sql',
+    'pool',
+    'client',
+    'repository',
+    'repo',
+]);
+const KNOWN_DATABASE_PACKAGES = new Set([
+    'pg',
+    'postgres',
+    'mysql',
+    'mysql2',
+    'sqlite3',
+    'better-sqlite3',
+    'knex',
+    'sequelize',
+    '@prisma/client',
+]);
+export function pickSourceHit(callees, references, sources, customSources) {
+    for (const value of references) {
+        if (customSources.has(value))
+            return value;
+        if (sources.has(value) && !DEFAULT_HTTP_PROPERTY_SOURCES.has(value))
+            return value;
+    }
+    for (const value of callees) {
+        if (customSources.has(value) || CALL_SHAPED_DEFAULT_SOURCES.has(value))
+            return value;
+    }
+    return null;
+}
+export function pickSinkHit(callees, directCallSites, memberCallSites, memberAliases, sinks, customSinks, file, graphFile) {
+    for (const callee of callees) {
+        if (!sinks.has(callee))
+            continue;
+        if (isDefaultMisidentifiedJavaScriptShellSink(callee, customSinks, file, graphFile))
+            continue;
+        if (isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile))
+            continue;
+        return callee;
+    }
+    return null;
+}
+export function isDefaultChildProcessEnvPassthrough(sourceHit, sinkHit, memberReferences, customSources, customSinks) {
+    if (sourceHit !== 'env')
+        return false;
+    if (!sinkHit || !JAVASCRIPT_CHILD_PROCESS_SINKS.has(sinkHit))
+        return false;
+    if (customSources.has(sourceHit) || customSinks.has(sinkHit))
+        return false;
+    return (memberReferences.includes('process.env') &&
+        !memberReferences.some((reference) => reference.startsWith('process.env.')));
+}
+function isDefaultMisidentifiedJavaScriptShellSink(callee, customSinks, file, graphFile) {
+    if (customSinks.has(callee))
+        return false;
+    if (!JAVASCRIPT_CHILD_PROCESS_SINKS.has(callee))
+        return false;
+    if (!isJavaScriptLikeFile(file, graphFile.adapterId))
+        return false;
+    return !graphFile.imports.some((imp) => (imp.source === 'node:child_process' || imp.source === 'child_process') &&
+        (imp.specifiers.includes(callee) || imp.specifiers.length === 0));
+}
+function isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile) {
+    if (customSinks.has(callee))
+        return false;
+    if (!DEFAULT_DATABASE_SINKS.has(callee))
+        return false;
+    if (!isJavaScriptLikeFile(file, graphFile.adapterId))
+        return false;
+    if (memberCallSites.some((member) => isDatabaseMemberCall(member, callee)))
+        return false;
+    if (directCallSites.includes(callee) && isImportedDatabaseHelper(callee, graphFile.imports))
+        return false;
+    if (directCallSites.includes(callee) &&
+        memberAliases.some((alias) => isDatabaseMemberAlias(alias, callee)))
+        return false;
+    return true;
+}
+function isDatabaseMemberCall(member, callee) {
+    const parts = member.split('.');
+    if (parts[parts.length - 1] !== callee)
+        return false;
+    const receiver = parts.length >= 2 ? parts[parts.length - 2].toLowerCase() : '';
+    return DATABASE_RECEIVERS.has(receiver);
+}
+function isImportedDatabaseHelper(callee, imports) {
+    return imports.some((imp) => imp.specifiers.includes(callee) && isDatabaseModule(imp.source));
+}
+function isDatabaseModule(source) {
+    if (KNOWN_DATABASE_PACKAGES.has(source))
+        return true;
+    const normalized = source.replace(/\\/g, '/');
+    const last = normalized.split('/').pop() ?? normalized;
+    const basename = last.replace(/\.(?:c|m)?(?:j|t)sx?$/i, '').toLowerCase();
+    return DATABASE_MODULE_NAMES.has(basename);
+}
+function isDatabaseMemberAlias(alias, callee) {
+    const [localName, member] = alias.split('=');
+    return localName === callee && isDatabaseMemberCall(member ?? '', callee);
+}
+function isJavaScriptLikeFile(file, adapterId) {
+    return adapterId === 'javascript' || /\.(?:cjs|mjs|js|jsx|ts|tsx)$/.test(file);
+}
+//# sourceMappingURL=taintMatching.js.map

package/dist/core/taintMatching.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taintMatching.js","sourceRoot":"","sources":["../../src/core/taintMatching.ts"],"names":[],"mappings":"AAAA,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;AAC3F,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC;AAChG,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,IAAI;IACJ,UAAU;IACV,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;IACN,QAAQ;IACR,MAAM;IACN,WAAW;IACX,YAAY;IACZ,MAAM;IACN,SAAS;IACT,KAAK;CACN,CAAC,CAAC;AACH,MAAM,2BAA2B,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;AAC/F,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AACjG,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,IAAI;IACJ,UAAU;IACV,KAAK;IACL,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;CACP,CAAC,CAAC;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,IAAI;IACJ,UAAU;IACV,OAAO;IACP,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,MAAM;IACN,WAAW;IACX,gBAAgB;CACjB,CAAC,CAAC;AAOH,MAAM,UAAU,aAAa,CAC3B,OAAiB,EACjB,UAAoB,EACpB,OAAoB,EACpB,aAA0B;IAE1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACpF,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,2BAA2B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,OAAiB,EACjB,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,KAAkB,EAClB,WAAwB,EACxB,IAAY,EACZ,SAAyB;IAEzB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QACjC,IAAI,yCAAyC,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC;YAAE,SAAS;QAC9F,IACE,kCAAkC,CAChC,MAAM,EACN,eAAe,EACf,eAAe,EACf,aAAa,EACb,WAAW,EACX,IAAI,EACJ,SAAS,CACV;YAED,SAAS;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,mCAAmC,CACjD,SAAiB,EACjB,OAAsB,EACtB,gBAA0B,EAC1B,aAA0B,EAC1B,WAAwB;IAExB,IAAI,SAAS,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,OAAO,IAAI,CAAC,8BAA8B,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;QACxC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAC5E,CAAC;AACJ,CAAC;AAED,SAAS,yCAAyC,CAChD,MAAc,EACd,WAAwB,EACxB,IAAY,EACZ,SAAyB;IAEzB,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAC5B,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,GAAG,CAAC,MAAM,KAAK,oBAAoB,IAAI,GAAG,CAAC,MAAM,KAAK,eAAe,CAAC;QACvE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CACnE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,MAAc,EACd,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,WAAwB,EACxB,IAAY,EACZ,SAAyB;IAEzB,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACzF,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,IACE,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC;QAChC,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO,KAAK,CAAC;IACf,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc,EAAE,MAAc;IAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAChF,OAAO,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc,EACd,OAAwD;IAExD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1E,OAAO,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa,EAAE,MAAc;IAC1D,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO,SAAS,KAAK,MAAM,IAAI,oBAAoB,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY,EAAE,SAAkB;IAC5D,OAAO,SAAS,KAAK,YAAY,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjF,CAAC"}

package/dist/core/upgradePreview.d.ts

@@ -1,16 +1,5 @@
 import type { FileEntry, UpgradePreview } from '../types.js';
-/**
- * Validate a package name against the npm grammar before any filesystem
- * operation. Rejects traversal (`..`), absolute paths, backslashes, spaces,
- * and any other shape that could escape node_modules/<name>/.
- *
- * This is security-critical: `previewUpgrade` is exposed via MCP
- * (`projscan_upgrade`) where the argument comes from AI agents that can be
- * influenced by untrusted content. A name containing `../` would otherwise
- * escape node_modules and return arbitrary CHANGELOG / package.json contents
- * to the caller.
- */
-export declare function isValidPackageName(name: string): boolean;
+export { isValidPackageName } from './upgradePreviewNpmEvidence.js';
 export interface PreviewUpgradeOptions {
     /**
      * 1.3+ — when true, fetch the actual latest version from the npm

package/dist/core/upgradePreview.js

@@ -1,44 +1,9 @@
-import fs from 'node:fs/promises';
-import path from 'node:path';
-import { drift as semverDrift, parse as parseSemver, compare as compareSemver, } from '../utils/semver.js';
+import { drift as semverDrift } from '../utils/semver.js';
 import { buildImportGraph, filesImporting } from './importGraph.js';
 import { OFFLINE_ENV, isOfflineMode } from './privacy.js';
-const CHANGELOG_NAMES = ['CHANGELOG.md', 'CHANGELOG', 'History.md', 'HISTORY.md'];
-const BREAKING_MARKERS = [
-    /BREAKING\s+CHANGE/i,
-    /^#{1,6}.*breaking/im,
-    /\*\s*Breaking:/i,
-    /deprecat/i,
-    /removed\s+support/i,
-    /no\s+longer\s+supported/i,
-];
-// npm package-name grammar: optional scope + name, letters/digits/._-
-// No slashes other than the single scope separator. No `..`, no absolute paths.
-const PACKAGE_NAME_RE = /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/i;
-/**
- * Validate a package name against the npm grammar before any filesystem
- * operation. Rejects traversal (`..`), absolute paths, backslashes, spaces,
- * and any other shape that could escape node_modules/<name>/.
- *
- * This is security-critical: `previewUpgrade` is exposed via MCP
- * (`projscan_upgrade`) where the argument comes from AI agents that can be
- * influenced by untrusted content. A name containing `../` would otherwise
- * escape node_modules and return arbitrary CHANGELOG / package.json contents
- * to the caller.
- */
-export function isValidPackageName(name) {
-    if (typeof name !== 'string')
-        return false;
-    if (name.length === 0 || name.length > 214)
-        return false;
-    if (name !== name.trim())
-        return false;
-    if (name.includes('..'))
-        return false;
-    if (name.includes('\\'))
-        return false;
-    return PACKAGE_NAME_RE.test(name);
-}
+import { isValidPackageName, readDeclaredVersion, readInstalledVersion, readNpmChangelogEvidence, } from './upgradePreviewNpmEvidence.js';
+import { previewPythonUpgrade } from './upgradePreviewPython.js';
+export { isValidPackageName } from './upgradePreviewNpmEvidence.js';
 export async function previewUpgrade(rootPath, pkgName, files, options = {}) {
     if (!isValidPackageName(pkgName)) {
         return {
@@ -74,6 +39,9 @@ export async function previewUpgrade(rootPath, pkgName, files, options = {}) {
         }
     }
     if (!declaredVersions && !installed) {
+        const pythonPreview = await previewPythonUpgrade(rootPath, pkgName, files);
+        if (pythonPreview)
+            return pythonPreview;
         return {
             available: false,
             reason: `Package "${pkgName}" not found in package.json or node_modules`,
@@ -87,6 +55,9 @@ export async function previewUpgrade(rootPath, pkgName, files, options = {}) {
         };
     }
     if (!installed) {
+        const pythonPreview = await previewPythonUpgrade(rootPath, pkgName, files);
+        if (pythonPreview?.available)
+            return pythonPreview;
         return {
             available: false,
             reason: `Package "${pkgName}" not installed - run npm install and retry`,
@@ -100,19 +71,7 @@ export async function previewUpgrade(rootPath, pkgName, files, options = {}) {
         };
     }
     const drift = semverDrift(declaredVersions, installed);
-    let changelog;
-    let breakingMarkers = [];
-    try {
-        changelog = await readChangelog(rootPath, pkgName);
-        if (changelog) {
-            const slice = sliceBetween(changelog, declaredVersions, installed);
-            breakingMarkers = detectBreakingMarkers(slice);
-            changelog = truncate(slice, 4000);
-        }
-    }
-    catch {
-        // ignore
-    }
+    const { breakingMarkers, changelogExcerpt } = await readNpmChangelogEvidence(rootPath, pkgName, declaredVersions, installed);
     const graph = await buildImportGraph(rootPath, files);
     const importers = filesImporting(graph, pkgName);
     const latestSource = options.checkRegistry
@@ -128,7 +87,7 @@ export async function previewUpgrade(rootPath, pkgName, files, options = {}) {
         latest,
         drift,
         breakingMarkers,
-        changelogExcerpt: changelog,
+        changelogExcerpt,
         importers,
         ...(latestSource ? { latestSource } : {}),
         ...(registryError ? { registryError } : {}),
@@ -173,111 +132,4 @@ async function fetchLatestFromRegistry(pkgName, options) {
         clearTimeout(timer);
     }
 }
-async function readDeclaredVersion(rootPath, name) {
-    const pkgPath = path.join(rootPath, 'package.json');
-    try {
-        const raw = await fs.readFile(pkgPath, 'utf-8');
-        const pkg = JSON.parse(raw);
-        return (pkg.dependencies?.[name] ??
-            pkg.devDependencies?.[name] ??
-            pkg.peerDependencies?.[name] ??
-            null);
-    }
-    catch {
-        return null;
-    }
-}
-async function readInstalledVersion(rootPath, name) {
-    const nodeModules = path.resolve(rootPath, 'node_modules');
-    const pkgDir = path.resolve(nodeModules, name);
-    if (!isInside(pkgDir, nodeModules))
-        return null;
-    const p = path.join(pkgDir, 'package.json');
-    try {
-        const raw = await fs.readFile(p, 'utf-8');
-        const pkg = JSON.parse(raw);
-        return pkg.version ?? null;
-    }
-    catch {
-        return null;
-    }
-}
-async function readChangelog(rootPath, name) {
-    const nodeModules = path.resolve(rootPath, 'node_modules');
-    const base = path.resolve(nodeModules, name);
-    if (!isInside(base, nodeModules))
-        return undefined;
-    for (const filename of CHANGELOG_NAMES) {
-        const p = path.join(base, filename);
-        try {
-            return await fs.readFile(p, 'utf-8');
-        }
-        catch {
-            // try next
-        }
-    }
-    return undefined;
-}
-/** True iff `candidate` resolves to `parent` itself or a path inside `parent`. */
-function isInside(candidate, parent) {
-    const rel = path.relative(parent, candidate);
-    return rel === '' || (!rel.startsWith('..') && !path.isAbsolute(rel));
-}
-/**
- * Extract the CHANGELOG section strictly *between* two versions (exclusive of
- * the lower version's body, inclusive up to the upper version). If we can't
- * locate headings, return the top 100 lines.
- */
-function sliceBetween(changelog, from, to) {
-    const fromParsed = from ? parseSemver(from) : null;
-    const toParsed = to ? parseSemver(to) : null;
-    const lines = changelog.split('\n');
-    const versionHeadingRe = /^#{1,3}\s*(?:\[?v?(\d+\.\d+\.\d+)(?:[-+][^\]\s]+)?]?)/;
-    let startIdx = 0;
-    let endIdx = Math.min(lines.length, 200);
-    if (toParsed) {
-        for (let i = 0; i < lines.length; i++) {
-            const m = versionHeadingRe.exec(lines[i]);
-            if (!m)
-                continue;
-            const v = parseSemver(m[1]);
-            if (!v)
-                continue;
-            if (compareSemver(m[1], to) === 0) {
-                startIdx = i;
-                break;
-            }
-        }
-    }
-    if (fromParsed) {
-        for (let i = startIdx + 1; i < lines.length; i++) {
-            const m = versionHeadingRe.exec(lines[i]);
-            if (!m)
-                continue;
-            const v = parseSemver(m[1]);
-            if (!v)
-                continue;
-            if (compareSemver(m[1], from) <= 0) {
-                endIdx = i;
-                break;
-            }
-        }
-    }
-    return lines.slice(startIdx, endIdx).join('\n').trim();
-}
-function detectBreakingMarkers(text) {
-    const markers = [];
-    for (const re of BREAKING_MARKERS) {
-        const m = re.exec(text);
-        if (m) {
-            markers.push(m[0].slice(0, 120));
-        }
-    }
-    return [...new Set(markers)];
-}
-function truncate(s, max) {
-    if (s.length <= max)
-        return s;
-    return s.slice(0, max) + '\n… (truncated)';
-}
 //# sourceMappingURL=upgradePreview.js.map