From 3110e5a8ace74df165bb346d817c50262676ae4e Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Fri, 10 Oct 2025 10:02:35 +0200
Subject: [PATCH] JS: Localize MkModuleExport

---
 .../ql/lib/semmle/javascript/ApiGraphs.qll     | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
index 3f320cec59a..9a3ba76a487 100644
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -740,20 +740,9 @@ module API {
       MkRoot() or
       MkModuleDef(string m) { exists(MkModuleExport(m)) } or
       MkModuleUse(string m) { exists(MkModuleImport(m)) } or
-      MkModuleExport(string m) {
-        exists(Module mod | mod = importableModule(m) |
-          // exclude modules that don't actually export anything
-          exports(m, _)
-          or
-          exports(m, _, _)
-          or
-          exists(NodeModule nm | nm = mod |
-            exists(Ssa::implicitInit([nm.getModuleVariable(), nm.getExportsVariable()]))
-          )
-        )
-      } or
       MkModuleImport(string m) {
         imports(_, m)
+      MkModuleExport(string m) { isDeclaredPackageName(m) } or
         or
         any(TypeAnnotation n).hasUnderlyingType(m, _)
       } or
@@ -1965,3 +1954,8 @@ private Module importableModule(string m) {
     m = pkg.getPackageName()
   )
 }
+
+overlay[local]
+private predicate isDeclaredPackageName(string m) {
+  m = any(PackageJson pkg).getDeclaredPackageName()
+}