@kernlang/review
v4.5.0
Published
Kern Review — scan TS, infer .kern IR, roundtrip diff, report
Maintainers
Readme
@kernlang/review
Kern Review -- 233 rules, taint tracking, OWASP LLM01 coverage, and framework-aware review checks
Part of the KERN monorepo.
Install
npm install @kernlang/reviewUsage
import { reviewFile, reviewSource, reviewDirectory } from '@kernlang/review';
const report = reviewFile('src/handler.ts');
console.log(report.findings);Coverage
Kern Review ships 231 AST-based rules across base correctness, security, framework, performance, test-quality, null-safety, dead-logic, concept, and taint-aware analysis layers.
Recent framework coverage includes:
- Next.js App Router: JSON body parsing hazards, unvalidated typed request bodies, unsafe forwarded headers, mock routes without environment guards, env/path rewrites and redirects, client-boundary env exposure, wildcard image hosts, sensitive public cache headers, SWR invalidation drift, and auth/session storage drift.
- React and browser apps: legacy unsafe class lifecycles, event listener cleanup identity mismatches, immediate cleanup calls in effects, timer cleanup drift, module-scoped timer handles, stale
.length/.sizehook deps, props-array mutation in render, unsafe browser storage JSON parsing, client-side open redirects from query params, and wildcardpostMessagetarget origins. - Storybook: secret-looking args, non-deterministic story data, unmocked network calls, and interaction
playfunctions that perform user events without assertions. - Playwright and tests: focused
.onlytests, fixedwaitForTimeoutsleeps, brittlenetworkidlewaits, no-opexpect(x)assertions, and empty test files. - Security: cookie hardening for Express and Next cookies, response error leaks, CSP strength, CORS, JWT verification, path traversal, command injection, hardcoded secrets, XSS, prompt injection, and MCP/LLM risk patterns.
License
AGPL-3.0
