npm - xploitscan-shared-rules - Versions diffs - 1.6.1 → 1.6.2 - Mend

xploitscan-shared-rules 1.6.1 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4604,7 +4604,12 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. This is a code-hygiene
+  // signal (leaked debug logs, occasionally PII), not a security
+  // vulnerability in the OWASP sense. Was inflating severity counts
+  // on real codebases (11+ hits on vibecheck's own scan), drowning
+  // the actual security signal.
+  severity: "info",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
@@ -4627,7 +4632,11 @@ var consoleLogProduction = {
 var syncFileOps = {
   id: "VC098",
   title: "Synchronous File Operations",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Performance-
+  // category rule (see below) — it's a perf concern, not a security
+  // one, so it shouldn't have been at "medium" alongside actual
+  // security findings. The severity scale should reflect risk class.
+  severity: "info",
   category: "Performance",
   description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
   check(content, filePath) {
@@ -4664,7 +4673,9 @@ var eventListenerLeak = {
 var nPlusOneQuery = {
   id: "VC100",
   title: "N+1 Query Pattern Detected",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Performance pattern,
+  // not a security issue — same rationale as VC098.
+  severity: "info",
   category: "Performance",
   description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
   check(content, filePath) {
@@ -4749,7 +4760,11 @@ var todoLeftInCode = {
 var emptyCatchBlock = {
   id: "VC104",
   title: "Empty Catch Block",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Code-Quality
+  // category — empty catch blocks are a maintainability concern, not a
+  // security vulnerability. Worth flagging, not worth counting as a
+  // security "medium" alongside actual SQL-injection / XSS findings.
+  severity: "info",
   category: "Code Quality",
   description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
@@ -4783,7 +4798,11 @@ var callbackHell = {
 var magicNumbers = {
   id: "VC106",
   title: "Magic Numbers in Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. Already a Code-Quality
+  // category — magic numbers are a style/readability concern, not a
+  // security vulnerability. Was the single noisiest rule on the
+  // vibecheck self-scan (44 hits) drowning real security signal.
+  severity: "info",
   category: "Code Quality",
   description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
   check(content, filePath) {