|
9 | 9 | * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features: |
10 | 10 | - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby) |
11 | 11 | - outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) |
12 | | - - the [Google Cloud Spanner](https://cloud.google.com/spanner), [lodash](https://lodash.com) and [underscore](https://underscorejs.org/) libraries |
| 12 | + - the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries |
13 | 13 |
|
14 | | -* The type inference now handles nested imports (that is, imports not appearing at the toplevel). This may yield fewer false-positive results on projects that use this non-standard language feature. |
| 14 | +* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference. |
15 | 15 |
|
16 | 16 | ## New queries |
17 | 17 |
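Review bot: The replacement bullet at new line 14 ("Type inference for function calls has been improved") is too vague for a change note: it does not say which kinds of calls or which queries are affected, so users cannot tell where to expect the additional results. Suggest naming the affected queries or call patterns. The same hunk also drops the nested-imports bullet and removes Google Cloud Spanner from the library list at line 12 with no replacement text; please confirm those notes are kept in the notes for the release they shipped in.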
|
|
37 | 37 | | Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. | |
38 | 38 | | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. | |
39 | 39 | | Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. | |
40 | | -| User-controlled bypass of security check | Fewer results | This rule no longer flags conditions that guard early returns. The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | |
41 | 40 | | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. | |
42 | 41 | | Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. | |
| 42 | +| Self assignment | Fewer false-positive results | This rule now ignores self-assignments preceded by a JSDoc comment with a `@type` tag. | |
| 43 | +| Client side cross-site scripting | More results | This rule now also flags HTML injection in the body of an email. | |
43 | 44 |
|
44 | 45 | ## Changes to QL libraries |
45 | 46 |
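Review bot: The added row at new line 43 files "HTML injection in the body of an email" under "Client side cross-site scripting", which readers triaging alerts would not expect from that query name. Suggest adding a short clause on why email bodies count as a sink for this rule, so the extra results are not dismissed as false positives. Separately, the removed "User-controlled bypass of security check" row carried the notice that precision was revised to "medium" and that results are no longer shown by default; make sure that notice survives elsewhere. The two new rows are also appended at the end rather than placed with the other entries by name.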
|
|
48 | 49 | * The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting. |
49 | 50 |
|
50 | 51 | * `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above. |
| 52 | + |
| 53 | +* A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding dataflow node. |
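Review bot: The added `DataFlow::ParameterNode` bullet at new line 53 states the change but not its effect on existing queries. Code that enumerates `ParameterNode` will now also see unused parameters, and the note should say so, as the `ThisNode` bullet does for `getALocalSource`. The bullet also writes "dataflow node" where line 49 writes "data-flow node"; pick one spelling. While this section is being edited, "indivdual" and "recomended" on line 49 could be corrected too.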