
v1.2.0 Release Notes

Release Date: January 15, 2026

Highlights

  • 🔒 Type Evaporation Scan - Detect TypeScript type loss at API boundaries
  • 🛡️ Enhanced Security Analysis - Improved taint tracking across modules
  • 📊 Graph Improvements - Better visualization and filtering
  • 🧪 Test Generation Improvements - More comprehensive edge case coverage

New Features

Type Evaporation Scan

New tool to detect vulnerabilities where TypeScript types are lost at API boundaries:

result = type_evaporation_scan(
    frontend_code=ts_code,
    backend_code=python_code
)
# Detects: isAdmin="true" (string) bypassing boolean check
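
The bug class this scan targets, shown as an added example (not Code Scalpel's own code; the contract, function names and request bodies are constructed for illustration): the TypeScript type exists only at compile time, so a Python backend that trusts it accepts the string "true" where a boolean was declared. The hardened path re-checks the declared types at runtime.

```python
import json

# Assumed frontend contract (TypeScript, erased at compile time):
#   interface UpdateRole { userId: number; isAdmin: boolean }
EXPECTED = {"userId": int, "isAdmin": bool}


class BoundaryTypeError(ValueError):
    """A field's runtime type differs from the declared contract."""


def is_admin_vulnerable(raw_body: str) -> bool:
    """Trusts the frontend type: any non-empty string is truthy in Python."""
    payload = json.loads(raw_body)
    return bool(payload.get("isAdmin"))


def validate(raw_body: str) -> dict:
    """Re-check the declared types on the server, where they are enforced."""
    payload = json.loads(raw_body)
    if not isinstance(payload, dict):
        raise BoundaryTypeError("body must be a JSON object")
    unknown = set(payload) - set(EXPECTED)
    if unknown:
        raise BoundaryTypeError(f"unexpected fields: {sorted(unknown)}")
    for field, expected in EXPECTED.items():
        if field not in payload:
            raise BoundaryTypeError(f"missing field: {field}")
        value = payload[field]
        # type() rather than isinstance(): bool is a subclass of int in
        # Python, so isinstance(True, int) would accept a boolean userId.
        if type(value) is not expected:
            raise BoundaryTypeError(
                f"{field}: expected {expected.__name__}, got {type(value).__name__}"
            )
    return payload


def is_admin_hardened(raw_body: str) -> bool:
    return validate(raw_body)["isAdmin"]


# Constructed sample request bodies.
GOOD = '{"userId": 7, "isAdmin": false}'
EVAPORATED = '{"userId": 7, "isAdmin": "true"}'  # string, not boolean

if __name__ == "__main__":
    print("vulnerable handler grants admin:", is_admin_vulnerable(EVAPORATED))
    print("hardened handler on valid body:", is_admin_hardened(GOOD))
```
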

Cross-File Security Improvements

  • Enhanced taint propagation across module boundaries
  • New sink detection for NoSQL and LDAP injection
  • Improved false positive reduction

Improvements

  • get_call_graph - Added paths_from and paths_to for path queries
  • get_graph_neighborhood - Added min_confidence filter
  • security_scan - Added confidence scoring to vulnerability reports
  • generate_unit_tests - Better handling of complex control flow

Bug Fixes

  • Fixed false positives in SQL injection detection
  • Corrected line number reporting in nested functions
  • Fixed memory leak in long-running symbolic execution

Breaking Changes

Response Schema Update

The security_scan response now includes a confidence field on each vulnerability entry:

// Before (v1.1.x)
{
  "vulnerabilities": [{"type": "SQL_INJECTION", ...}]
}

// After (v1.2.x)
{
  "vulnerabilities": [{"type": "SQL_INJECTION", "confidence": 0.95, ...}]
}

Upgrade Guide

From v1.1.x

pip install --upgrade codescalpel

Update any code that parses vulnerability responses to handle the new confidence field.