Context
The current no-fetch audit in tests/security/no-fetch-audit.test.ts is a regex-based scanner. While it has been broadened to cover 18+ patterns (node:http, node:net, axios, got, execSync, etc.), regex scanning has inherent limitations: false positives from string literals, inability to track re-exports, and no awareness of dependency graphs.
Proposed improvement
Move toward one of:
- AST-based scanning via ts-morph or TypeScript compiler API to track actual import resolution
- Dependency-graph enforcement via dep-cruiser rules (already used for transport-neutral enforcement in DD-57)
Scope
This is a quality improvement for stable, not a blocker. The regex scanner is functional and catches the critical patterns.
Related
Context
The current no-fetch audit in
tests/security/no-fetch-audit.test.tsis a regex-based scanner. While it has been broadened to cover 18+ patterns (node:http, node:net, axios, got, execSync, etc.), regex scanning has inherent limitations: false positives from string literals, inability to track re-exports, and no awareness of dependency graphs.Proposed improvement
Move toward one of:
Scope
This is a quality improvement for stable, not a blocker. The regex scanner is functional and catches the critical patterns.
Related