Changelog timeline
Every pending and recently shipped changeset across the public Critiq OSS repositories (critiq-core and critiq-rules), in one scrolling timeline. Use it to see what changed since you last upgraded, which packages bumped, and how broad each change was. Each entry shows the affected packages, bump type, and release note text.
Timeline
Showing 31 entries sorted by authoring date (newest first).
Add Go baseline security adapter facts covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` invocations below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.
Add Go correctness adapter facts for nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.
Add Go general security fact collectors covering JWT signature verification, TLS configuration baseline, weak cipher suites, pprof exposure, weak bcrypt cost, and predictable math/rand seeding.
Add Java audit security adapter facts covering unsafe Jackson default typing, XXE-prone `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory` usage, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and `SecureRandom` constructors seeded with literal or short byte arrays.
Add Java correctness adapter facts for empty catch blocks, `.equals` on array references, synchronization on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.
Add Java general security, audit security, and correctness fact collectors for twenty new catalog rules.
Add PHP baseline security adapter facts for dynamic eval, unsafe include with user input, weak ciphers, insecure session ID generation, XML external entity exposure, and debug function leakage.
Add PHP correctness adapter facts for duplicate array keys, multiple switch defaults, error suppression with `@`, unreachable statements after `return` or `throw`, and nullsafe operators in by-reference arrow functions.
Add Python correctness and general security adapter facts for bare except handlers, mutable defaults, subprocess shell mode, dynamic code execution, insecure YAML loading, debugger imports, and expanded Django/Flask framework security checks.
Add Rust correctness adapter facts for mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.
Add Rust general security fact collectors covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.
Ship 6 new Go baseline security catalog rules covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, RSA key sizes below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.
Ship 7 new Go correctness catalog rules covering nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.
Ship seven Go general security catalog rules: JWT signature verification, TLS minimum version, SSLv2/SSLv3 protocol rejection, weak TLS cipher suites, pprof endpoint exposure, weak bcrypt cost, and predictable math/rand seeding.
Ship 6 new Java audit security catalog rules covering unsafe Jackson polymorphic deserialization, XXE on `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory`, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and predictable `SecureRandom` seeding.
Ship 6 new Java correctness catalog rules covering empty catch blocks, `.equals` on array references, synchronizing on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.
Ship twenty Java correctness and security catalog rules with RuleSpec fixtures.
Add eleven PHP correctness and baseline security catalog rules covering duplicate array keys, switch defaults, error suppression, unreachable code, nullsafe by-reference returns, dynamic eval, unsafe includes, weak ciphers, session ID generation, XXE, and debug exposure.
Ship 16 new Python correctness and security catalog rules covering control-flow defects, subprocess shell usage, dynamic execution, YAML loading, temp file APIs, network bind exposure, debugger imports, Jinja autoescape, and Django/Flask framework hardening gaps.
Ship 7 new Rust correctness catalog rules covering mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.
Ship twelve Rust general security catalog rules covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.
Add Express security fact detectors for permissive CORS with credentials, synchronous child-process execution, blocking file reads in handlers, and mutable module exports. Extend Express error-handler disclosure detection to cover `err.stack` payloads.
Add TypeScript adapter facts for React maintenance and security JSX patterns (bind in props, prop spreads, lifecycle `setState`, direct state mutation, `target=_blank` without `rel`, duplicate attributes, and `this` in function components).
Add TypeScript adapter facts for async correctness, await-in-loop performance, and empty-function quality checks.
Add TypeScript language correctness fact detectors for control flow in `finally` blocks, `NaN`/`typeof` comparisons, duplicate if-else conditions, array callbacks, promise rejection values, subclass constructors, and array sort/for-in idioms.
Add TypeScript runtime and language security fact collectors for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.
Add Express and Node.js security rules for permissive CORS with credentials, synchronous child-process execution, blocking `readFileSync` in handlers, and mutable module exports.
Add nine React maintenance and security rules with recommended and strict preset membership, plus security preset coverage for target=_blank without noopener.
Add TypeScript catalog rules for async correctness, await-in-loop performance, and empty-function quality.
Add ten `ts.correctness.*` rules for TypeScript/JavaScript language correctness patterns backed by new adapter facts.
Add TypeScript security and runtime catalog rules for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.