Skip to content

chore(deps): bump the nodesecure-dependencies group across 1 directory with 3 updates #660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): bump the nodesecure-dependencies group across 1 directory with 3 updates #660

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 2, 2026

Bumps the nodesecure-dependencies group with 3 updates in the / directory: @nodesecure/js-x-ray, @nodesecure/scanner and @nodesecure/mama.

Updates @nodesecure/js-x-ray from 11.1.0 to 11.4.0

Release notes

Sourced from @​nodesecure/js-x-ray's releases.

@​nodesecure/js-x-ray@​11.4.0

Minor Changes

  • #468 317d679 Thanks @​7amed3li! - feat(isLiteral): add email collection using CollectableSet API

    Implemented email detection and collection in the isLiteral probe. The probe now identifies email addresses in string literals using the same regex pattern as the CLI and collects them via the CollectableSet API.

    • Added email regex constant matching CLI implementation
    • Email addresses are now collected when CollectableSet("email") is provided
    • Added comprehensive test cases covering valid/invalid formats and edge cases

  • #462 ed0a637 Thanks @​7amed3li! - Support multiple named main handlers in probes (resolves #460)

    Introduces support for multiple named main entrypoints in probes, allowing probes to define different handlers for various analysis scenarios. This enables more flexible probe implementations while maintaining full backward compatibility.

    Key Changes:

    • Added NamedMainHandlers type supporting multiple handler functions with required default handler
    • Extended ProbeContext with setEntryPoint(handlerName: string) method for handler selection
    • Updated Probe interface to accept either single main function or NamedMainHandlers object
    • Implemented handler resolution logic in ProbeRunner#runProbe with automatic cleanup
    • Added comprehensive test coverage (all 14 existing tests + 8 new tests passing)

    Backward Compatibility:

    • Existing probes with single main function continue to work without changes
    • setEntryPoint method available but optional for backward-compatible probes
    • No breaking changes to existing API

    This is the core infrastructure PR. Future work will include example probe refactoring and documentation updates.

  • #456 9f4e420 Thanks @​7amed3li! - Add sensitivity option to AstAnalyser for configurable warning detection

    Introduces a new sensitivity option in AstAnalyserOptions that allows users to control the strictness of warning detection:

    • conservative (default): Maintains current strict behavior to minimize false positives. Suitable for scanning ecosystem libraries.
    • aggressive: Detects all child_process usage for maximum visibility in local project scanning.

    This change implements the sensitivity option for the isUnsafeCommand probe. Additional probes (isSerializeEnv, data-exfiltration) can be updated in future releases.

  • #480 d9e0481 Thanks @​clemgbld! - feat(js-x-ray): add sql-injection probe

  • #467 8948caa Thanks @​7amed3li! - feat(isSerializeEnv): add named handler for direct process.env access detection

    Introduces a named handler pattern in the isSerializeEnv probe to detect direct process.env access when running in aggressive sensitivity mode.

    Changes:

    • Added validateProcessEnv validator to detect process.env MemberExpression nodes
    • Added processEnvHandler named handler that triggers only in aggressive mode

... (truncated)

Changelog

Sourced from @​nodesecure/js-x-ray's changelog.

11.4.0

Minor Changes

  • #468 317d679 Thanks @​7amed3li! - feat(isLiteral): add email collection using CollectableSet API

    Implemented email detection and collection in the isLiteral probe. The probe now identifies email addresses in string literals using the same regex pattern as the CLI and collects them via the CollectableSet API.

    • Added email regex constant matching CLI implementation
    • Email addresses are now collected when CollectableSet("email") is provided
    • Added comprehensive test cases covering valid/invalid formats and edge cases

  • #462 ed0a637 Thanks @​7amed3li! - Support multiple named main handlers in probes (resolves #460)

    Introduces support for multiple named main entrypoints in probes, allowing probes to define different handlers for various analysis scenarios. This enables more flexible probe implementations while maintaining full backward compatibility.

    Key Changes:

    • Added NamedMainHandlers type supporting multiple handler functions with required default handler
    • Extended ProbeContext with setEntryPoint(handlerName: string) method for handler selection
    • Updated Probe interface to accept either single main function or NamedMainHandlers object
    • Implemented handler resolution logic in ProbeRunner#runProbe with automatic cleanup
    • Added comprehensive test coverage (all 14 existing tests + 8 new tests passing)

    Backward Compatibility:

    • Existing probes with single main function continue to work without changes
    • setEntryPoint method available but optional for backward-compatible probes
    • No breaking changes to existing API

    This is the core infrastructure PR. Future work will include example probe refactoring and documentation updates.

  • #456 9f4e420 Thanks @​7amed3li! - Add sensitivity option to AstAnalyser for configurable warning detection

    Introduces a new sensitivity option in AstAnalyserOptions that allows users to control the strictness of warning detection:

    • conservative (default): Maintains current strict behavior to minimize false positives. Suitable for scanning ecosystem libraries.
    • aggressive: Detects all child_process usage for maximum visibility in local project scanning.

    This change implements the sensitivity option for the isUnsafeCommand probe. Additional probes (isSerializeEnv, data-exfiltration) can be updated in future releases.

  • #480 d9e0481 Thanks @​clemgbld! - feat(js-x-ray): add sql-injection probe

  • #467 8948caa Thanks @​7amed3li! - feat(isSerializeEnv): add named handler for direct process.env access detection

    Introduces a named handler pattern in the isSerializeEnv probe to detect direct process.env access when running in aggressive sensitivity mode.

    Changes:

    • Added validateProcessEnv validator to detect process.env MemberExpression nodes

... (truncated)

Commits
  • 0828de3 chore: update versions (#457)
  • d9e0481 feat(js-x-ray): add sql-injection probe (#480)
  • 9b51811 fix(js-x-ray): fix 32 bit ip addresses false positive (#482)
  • 8848684 feat(js-x-ray): implement log-usage probe (#479)
  • 029031c refactor(js-x-ray): type the type of CollectableSet (#478)
  • dc78db3 docs:(js-x-ray): add doc for CollectableSet (#475)
  • c4fad05 refactor(isUnsafeCommand): use VariableTracer and introduce virtual identifie...
  • e288c04 feat: generate data-exfiltration warning on import when the sensitivity is ag...
  • 317d679 feat(isLiteral): collect email literals using CollectableSet (#468)
  • 8948caa feat(isSerializeEnv): add named handler for direct process.env detection (#467)
  • Additional commits viewable in compare view

Updates @nodesecure/scanner from 9.0.0 to 10.0.0

Release notes

Sourced from @​nodesecure/scanner's releases.

@​nodesecure/scanner@​10.0.0

Major Changes

Minor Changes

Patch Changes

Changelog

Sourced from @​nodesecure/scanner's changelog.

10.0.0

Major Changes

Minor Changes

Patch Changes

Commits
  • 11370ef chore: update versions (#605)
  • 7330ef9 feat(scanner): integrate buit-in stats in the response of depWalker (#612)
  • 9b0ba2e chore(deps): bump @​nodesecure/js-x-ray in the dependencies group (#611)
  • 2afafb7 refactor!: rename cwd() to workingDir() (#606)
  • 5b237e2 feat(tarball): add warning when hostname resolve to a private ip (#603)
  • See full diff in compare view

Updates @nodesecure/mama from 2.0.2 to 2.1.1

Release notes

Sourced from @​nodesecure/mama's releases.

@​nodesecure/mama@​2.1.1

Patch Changes

@​nodesecure/mama@​2.1.0

Minor Changes

Patch Changes

Changelog

Sourced from @​nodesecure/mama's changelog.

2.1.1

Patch Changes

2.1.0

Minor Changes

Patch Changes

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nodesecure/mama since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the nodesecure-dependencies group across 1 director…
596d9b5 
…y with 3 updates

Bumps the nodesecure-dependencies group with 3 updates in the / directory: [@nodesecure/js-x-ray](https://github.com/NodeSecure/js-x-ray/tree/HEAD/workspaces/js-x-ray), [@nodesecure/scanner](https://github.com/NodeSecure/scanner/tree/HEAD/workspaces/scanner) and [@nodesecure/mama](https://github.com/NodeSecure/scanner/tree/HEAD/workspaces/mama).


Updates `@nodesecure/js-x-ray` from 11.1.0 to 11.4.0
- [Release notes](https://github.com/NodeSecure/js-x-ray/releases)
- [Changelog](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/js-x-ray/CHANGELOG.md)
- [Commits](https://github.com/NodeSecure/js-x-ray/commits/@nodesecure/js-x-ray@11.4.0/workspaces/js-x-ray)

Updates `@nodesecure/scanner` from 9.0.0 to 10.0.0
- [Release notes](https://github.com/NodeSecure/scanner/releases)
- [Changelog](https://github.com/NodeSecure/scanner/blob/master/workspaces/scanner/CHANGELOG.md)
- [Commits](https://github.com/NodeSecure/scanner/commits/@nodesecure/scanner@10.0.0/workspaces/scanner)

Updates `@nodesecure/mama` from 2.0.2 to 2.1.1
- [Release notes](https://github.com/NodeSecure/scanner/releases)
- [Changelog](https://github.com/NodeSecure/scanner/blob/master/workspaces/mama/CHANGELOG.md)
- [Commits](https://github.com/NodeSecure/scanner/commits/@nodesecure/mama@2.1.1/workspaces/mama)

---
updated-dependencies:
- dependency-name: "@nodesecure/js-x-ray"
  dependency-version: 11.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nodesecure-dependencies
- dependency-name: "@nodesecure/scanner"
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nodesecure-dependencies
- dependency-name: "@nodesecure/mama"
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nodesecure-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Feb 2, 2026
@socket-security
Copy link

socket-security bot commented Feb 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​nodesecure/​size-satisfies@​1.1.0651008882100
Added@​types/​server-destroy@​1.0.4921006680100
Addedserver-destroy@​1.0.11001006975100
Added@​openally/​config.typescript@​1.2.1731008390100
Added@​nodesecure/​ossf-scorecard-sdk@​3.2.17310010083100
Added@​types/​ws@​8.18.11001007481100
Added@​nodesecure/​vis-network@​1.4.0741009183100
Added@​nodesecure/​documentation-ui@​1.3.0751009984100
Addedzup@​0.0.2751009977100
Added@​openally/​config.eslint@​2.2.0761009285100
Updated@​nodesecure/​scanner@​9.0.0 ⏵ 10.0.081 +11007897 +3100
Added@​nodesecure/​licenses-conformance@​2.1.07910010083100
Added@​nodesecure/​report@​4.1.17910010092100
Addedchokidar@​5.0.010010010081100
Addedsirv@​3.0.210010010081100
Addedpino-pretty@​13.1.39910010086100
Added@​lit/​task@​1.0.310010010086100
Addedfind-my-way@​9.3.09910010088100
Addedws@​8.18.39910010090100
Addedpino@​10.1.09910010096100
Added@​nodesecure/​cache@​1.0.0100100100100100
Added@​nodesecure/​server@​1.0.0100100100100100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants