JS: moved execa out of experimental
#19858
Merged
+275
−155
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR promotes the execa library model from experimental to stable, migrating its tests into the main query-tests directories and updating the QL framework import.
- Added
execa.jsunder Security/CWE-078 and Security/CWE-022 with appropriate$Source/$Alerttags - Updated expected result files to include
execa.jsentries for both command and path injection - Removed experimental Execa tests and updated
javascript.qllto import the stable Execa framework; added a change note
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js | New tests for command injection with various execa calls |
| javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected | Updated expected alerts for execa.js entries |
| javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/execa.js | New tests for path injection via execa input/output options |
| javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected | Updated expected alerts for path injection tests |
| javascript/ql/lib/javascript.qll | Imported semmle.javascript.frameworks.Execa for stable model |
| javascript/ql/lib/change-notes/2025-06-20-execa.md | Added change note for Execa promotion |
| javascript/ql/test/experimental/Execa/** | Removed obsolete experimental Execa tests |
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
Outdated
Show resolved
Hide resolved
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
Outdated
Show resolved
Hide resolved
asgerf
reviewed
Jun 24, 2025
asgerf
reviewed
Jun 25, 2025
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * The model for the `execa` library has been promoted from experimental to stable. |
There was a problem hiding this comment.
I don't think many users will know what to make of this, and also we shouldn't give the impression that execa didn't have a model to begin with.
Could you instead mention some of the new endpoints we're modelling now?
There was a problem hiding this comment.
What do you think of this 73126fe ?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.