We’ve updated the JavaScript analyzer with some bug fixes and some new issues. The complete list of JS issues can be found here.
OWASP security rules.
We now detect security vulnerabilities such as remote code execution sinks (JS-S0011), shell injection (JS-S0010), unsigned JWT tokens, and insecure TLS protocol versions (JS-S1009).
// JS-S1009: Usage of an insecure TLS protocol version
const tls = require('tls')
const https = require('https')
const request = require('request') // third-party HTTP client; accepts the same TLS options

const options = {
  secureProtocol: 'TLSv1_method', // insecure version: pins the connection to TLS 1.0
  minVersion: 'TLSv1.1', // insecure version: allows TLS 1.1 to be negotiated
  maxVersion: 'TLSv1.2'
}

// Every call site that forwards these options to a TLS/HTTPS client is flagged
const connection = tls.connect(443, 'www.abc.com', options, () => { })
const req = https.request(options, res => { })
const socket = request.get(options)
Syntax errors now shown on the dashboard
Previously, any files with syntactic errors were ignored by DeepSource.
Now they’re reported as issues in the dashboard:
// JS-0833: missing `=>` after arrow function parameters
const myFun = () {
return "I'm missing a =>!"
}
Default module system updated to ESModules.
Prior to this update, the default module system was assumed to be CommonJS. This meant that unless the user set module_system to "esmodules" in the .deepsource.toml file, import statements were ignored (or, after the change above, reported as syntax errors).
Now, ES6 style imports are assumed to be the default. This also covers the syntax for CommonJS imports, which are just calls to the require function.
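For reference, an added illustration (not from the original changelog) of where that setting lives. The page only names the module_system key and its "esmodules" value; the [[analyzers]] / [analyzers.meta] layout and the "commonjs" value are assumed from DeepSource's configuration format and are not stated on this page. With the new default you only need the meta entry if your project still uses require() and you want that stated explicitly:

```toml
# .deepsource.toml (layout assumed, see note above)
version = 1

[[analyzers]]
name = "javascript"

  [analyzers.meta]
  # "esmodules" is now the default and is no longer needed for import statements;
  # set "commonjs" (assumed value) only to opt a require()-based project out.
  module_system = "commonjs"
```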
False positive fixes.
We’ve fixed several false positives reported by our users.
Fixed issues include JS-0128, JS-0378, JS-0377 and several others.