Skip to content

feat: AST or dependency-graph based no-network audit #484

Description

@jithinraj

Context

The current no-fetch audit in tests/security/no-fetch-audit.test.ts is a regex-based scanner. While it has been broadened to cover 18+ patterns (node:http, node:net, axios, got, execSync, etc.), regex scanning has inherent limitations: false positives from string literals, inability to track re-exports, and no awareness of dependency graphs.

Proposed improvement

Move toward one of:

  • AST-based scanning via ts-morph or TypeScript compiler API to track actual import resolution
  • Dependency-graph enforcement via dep-cruiser rules (already used for transport-neutral enforcement in DD-57)

Scope

This is a quality improvement for stable, not a blocker. The regex scanner is functional and catches the critical patterns.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions