xploitscan 1.1.4 → 1.1.5

package/dist/index.js

@@ -45380,7 +45380,12 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. This is a code-hygiene
+  // signal (leaked debug logs, occasionally PII), not a security
+  // vulnerability in the OWASP sense. Was inflating severity counts
+  // on real codebases (11+ hits on vibecheck's own scan), drowning
+  // the actual security signal.
+  severity: "info",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
@@ -45420,7 +45425,11 @@ var todoLeftInCode = {
 var emptyCatchBlock = {
   id: "VC104",
   title: "Empty Catch Block",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Code-Quality
+  // category — empty catch blocks are a maintainability concern, not a
+  // security vulnerability. Worth flagging, not worth counting as a
+  // security "medium" alongside actual SQL-injection / XSS findings.
+  severity: "info",
   category: "Code Quality",
   description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
@@ -48219,7 +48228,7 @@ async function cursorInstallCommand(opts = {}) {
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.1.4");
+).version("1.1.5");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option(
   "-f, --format <format>",
   "Output format: terminal, json, sarif, splunk-hec, elastic-ecs, datadog-logs",