Merge pull request #21461 from github/asger/js-shebang-bun-tsx

JS: Recognise bun and tsx in shebang lines
2026-03-30 12:18:18 +02:00 · 2026-03-13 15:07:12 +01:00
parent f11815c633 b8c44be599
commit 7d6e08ecf1
7 changed files with 23 additions and 6 deletions
--- a/javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
@@ -28,13 +28,13 @@ import com.semmle.util.trap.TrapWriter.Label;
 */
 public class FileExtractor {
  /**
-   * Pattern to use on the shebang line of a script to identify whether it is a Node.js script.
+   * Pattern to use on the shebang line of a script to identify whether it is a JavaScript script.
   *
-   * <p>There are many different ways of invoking the Node.js interpreter (directly, through {@code
+   * <p>There are many different ways of invoking a JavaScript interpreter (directly, through {@code
   * env}, with or without flags, with or without modified environment, etc.), so we simply look for
-   * the word {@code "node"} or {@code "nodejs"}.
+   * the word {@code "node"}, {@code "nodejs"}, {@code "bun"}, or {@code "tsx"}.
   */
-  private static final Pattern NODE_INVOCATION = Pattern.compile("\\bnode(js)?\\b");
+  private static final Pattern JS_INVOCATION = Pattern.compile("\\b(node(js)?|bun|tsx)\\b");

  /** A pattern that matches strings starting with `{ "...":`, suggesting JSON data. */
  public static final Pattern JSON_OBJECT_START =
@@ -157,7 +157,7 @@ public class FileExtractor {
            // do a cheap check first
            if (firstLine != null && firstLine.startsWith("#!")) {
              // now do the slightly more expensive one
-              return NODE_INVOCATION.matcher(firstLine).find();
+              return JS_INVOCATION.matcher(firstLine).find();
            }
          } catch (IOException e) {
            Exceptions.ignore(e, "We simply skip this file.");
@@ -302,7 +302,7 @@ public class FileExtractor {
        int lengthOfText = endOfLine - startOfText;
        String text = new String(bytes, startOfText, lengthOfText, StandardCharsets.UTF_8);
        // Check if the shebang is a recognized JavaScript intepreter.
-        return !NODE_INVOCATION.matcher(text).find();
+        return !JS_INVOCATION.matcher(text).find();
      }

      @Override
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/Shebangs.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/Shebangs.expected
@@ -0,0 +1,4 @@
+| shebang_bun.ts |
+| shebang_node.ts |
+| shebang_tsx.ts |
+| tsconfig.json |
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/Shebangs.ql
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/Shebangs.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from File f
+select f.getRelativePath()
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_bun.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_bun.ts
@@ -0,0 +1,2 @@
+#!/usr/bin/env bun
+const x: number = 1;
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_node.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_node.ts
@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+const x: number = 1;
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_tsx.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/shebang_tsx.ts
@@ -0,0 +1,2 @@
+#!/usr/bin/env tsx
+const x: number = 1;
--- a/javascript/ql/test/library-tests/TypeScript/Shebangs/tsconfig.json
+++ b/javascript/ql/test/library-tests/TypeScript/Shebangs/tsconfig.json
@@ -0,0 +1,3 @@
+{
+    "include": ["."]
+}