technical-debt-radar 1.14.1 → 1.15.1

Files changed (2) hide show
  1. package/dist/index.js +5 -2
  2. package/package.json +1 -1
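--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -14490,7 +14490,10 @@ var require_runtime_risk_detector = __commonJS({
 violations.push(makeViolation(shared_1.RUNTIME_RISK_RULES.REDOS_VULNERABLE_REGEX, filePath, node.getStartLineNumber(), "Dynamic regex construction from user input used with $regex \u2014 ReDoS vulnerability", policy, fn?.name, "Use a safe text search method (MongoDB $text index) instead of $regex with user input. Escape special regex characters."));
 });
 }
-function isRedosVulnerable(pattern) {
+function isRedosVulnerable(rawPattern) {
+const pattern = rawPattern.replace(/\[(?:[^\]\\]|\\.)*\]/g, "X");
+if (/^X+[gimsuy]*$/.test(pattern))
+return false;
 const nestedQuantifier = /([+*])\)?[+*{]/;
 const groupWithQuantifierRepeated = /\([^)]*[+*][^)]*\)[+*{]/;
 const overlappingAlternation = /\([^)]*\|[^)]*\)[+*{]/;
@@ -22875,7 +22878,7 @@ program.command("validate").description("Validate radar.yml + rules.yml syntax a
 program.command("run <path>").description("CI-friendly scan \u2014 exits 1 on critical violations").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").action(async (targetPath, options) => {
 await runCommand(targetPath, options);
 });
-program.command("badge").description("Generate badge markdown for your README").requiredOption("--owner <owner>", "Repository owner (org or user)").requiredOption("--repo <repo>", "Repository name").option("--api-url <url>", "Radar API base URL", "https://radar-api.example.com").action((options) => {
+program.command("badge").description("Generate badge markdown for your README").requiredOption("--owner <owner>", "Repository owner (org or user)").requiredOption("--repo <repo>", "Repository name").option("--api-url <url>", "Radar API base URL", loadConfig()?.apiUrl || getDefaultApiUrl()).action((options) => {
 badgeCommand(options);
 });
 var packCmd = program.command("pack").description("Manage rule packs \u2014 pre-configured rules for specific stacks");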
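Review bot: The early-return guard added to isRedosVulnerable in the first hunk, `/^X+[gimsuy]*$/`, never matches a quantified class such as `[a-z]+` (after substitution that is `X+`, and the `+` is not consumed by the guard), so it only short-circuits for patterns made solely of unquantified classes, which the heuristics that follow would not flag anyway. If the intent is to treat a run of character classes with simple quantifiers as safe, the guard should read something like `if (/^(?:X[+*?]?)+$/.test(pattern)) return false;`. The `[gimsuy]*` suffix suggests the pattern string may arrive with trailing flags attached — worth confirming against the callers, which are outside the hunk — and an escaped `\[` outside a class (e.g. `\[[a-z]]`) is not skipped by the substitution regex, so the placeholder can land on the wrong span and the following heuristics then see a mangled pattern. The rest of isRedosVulnerable continues past the hunk.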
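--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "technical-debt-radar",
-"version": "1.14.1",
+"version": "1.15.1",
 "description": "Stop Node.js production crashes before merge. 47 detection patterns across 5 categories.",
 "bin": {
 "radar": "dist/index.js",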