Skip to main content

Module results

Module results 

Source
Expand description

Analysis result types: unused files, exports, dependencies, and members. Analysis result types for all issue categories.

Structs§

ActiveSuppression
A suppression comment present in an analyzed file this run.
AnalysisResults
Complete analysis results.
BoundaryCallViolation
A call from a zoned file to a callee forbidden for that zone via boundaries.calls.forbidden. One finding is reported per unique callee path per file (first occurrence wins).
BoundaryCoverageViolation
A source file that does not match any configured architecture boundary zone.
BoundaryViolation
An import that crosses an architecture boundary rule.
CircularDependency
A circular dependency chain detected in the module graph.
CircularDependencyEdge
One import hop in a circular dependency: the file containing the import and where that import statement sits.
DevDependencyInProduction
A devDependencies package imported by production (non-test, non-config) source code via a runtime/value import. Because a production-only install (pnpm install --prod) omits devDependencies, it would break at runtime, so the package should be promoted to dependencies. The promote-side mirror of TestOnlyDependency / TypeOnlyDependency.
DuplicateExport
An export that appears multiple times across the project.
DuplicateLocation
A location where a duplicate export appears.
DuplicatePropShape
A React/Preact component that participates in a duplicate-prop-shape GROUP: three or more distinct components across two or more files whose statically-harvested, fully-known prop NAME set is byte-for-byte IDENTICAL after excluding a fixed denylist of ubiquitous DOM / render-passthrough prop names, with the REMAINING significant set holding four or more members. This is a structural-refactor health signal (extract a shared Props type or a base component), never a correctness error and never an auto-fix. One finding is emitted per participating component; sharing_components lists the other members of the same group. Health signal: the rule defaults to off (opt-in), so this is dormant until enabled. Exact full-set identity only: a superset / subset relationship does NOT group (so the finding always fits one extracted shared type).
DuplicatePropShapeMember
One member of a duplicate-prop-shape group: the OTHER components that share the same significant prop-name set, listed in each member’s sharing_components. Path-sorted for stable output. A located reference (no shape, which is carried once on the owning DuplicatePropShape).
DynamicSegmentNameConflict
Two or more sibling dynamic route segments at the SAME App Router tree position using different param spellings ([id] vs [slug], or [...x] vs [[...x]]). Next.js throws “You cannot use different slug names for the same dynamic path” at dev / production RUNTIME when the position is hit; next build does NOT catch it, so fallow’s static catch surfaces a route that would otherwise pass CI and crash at request time. One finding is emitted per involved file.
EmptyCatalogGroup
A named catalogs.<name> group with no package entries.
EntryPointSummary
Summary of detected entry points, grouped by discovery source.
ExportUsage
Usage count for an export symbol. Used by the LSP Code Lens to show reference counts above each export declaration.
FeatureFlag
A detected feature flag use site.
ImportSite
A location where an import occurs.
InvalidClientExport
A "use client" file that exports a Next.js server-only / route-segment config name. Next.js rejects this combination at build time; fallow catches it statically before the build runs.
MisconfiguredDependencyOverride
An override entry whose key or value is malformed. Default severity is error because pnpm refuses to install (or silently produces a no-op override) when it encounters these shapes.
MisplacedDirective
A "use client" / "use server" directive written as an expression statement after a non-directive statement (an import, a const). The RSC bundler only honors a directive in the leading prologue, so once any statement precedes it the string is parsed as an ordinary expression and silently ignored: the intended client/server boundary never takes effect. The fix is to move the directive to the very top of the file.
MixedClientServerBarrel
A barrel file that re-exports BOTH a "use client" origin module AND a server-only origin module. Importing one name from such a barrel drags the other’s directive context across the React Server Components boundary (the Next.js App Router footgun); fallow catches it statically.
PolicyViolation
A banned call, banned import, banned effect, or banned export matched by a declarative rule pack (rulePacks config). Banned-call and banned-effect findings report one entry per unique callee path per file (first occurrence wins, matching boundary_call_violations); banned-import findings anchor at each matching import or re-export declaration; banned-export findings anchor at matching export declarations.
PrivateTypeLeak
A public export signature that references a same-file private type.
PropDrillHop
One hop in a prop-drilling chain: a component that received the prop and passed it along (or, at the chain ends, the source that owns it and the consumer that substantively reads it).
PropDrillingChain
A located prop-drilling chain: a received prop forwarded unchanged through >= N intermediate pass-through components, each of which only re-passes it, until a component that substantively consumes it. The high-confidence signal is “the received identifier is used ONLY as the root of forwarded child-JSX attribute values”, not the attribute name matching. Health signal (rule defaults to off, opt-in): a small capped penalty plus a health --hotspots surface, and located per-chain records so CI / an agent can act (“colocate or lift to context at hop B”). Zero-FP doctrine: any spread / cloneElement / element-as-prop / render-prop / context-provider / dynamic shape in the path abstains the whole chain.
ReExportCycle
A cycle or self-loop in the re-export edge subgraph.
ReactComponentIntel
Per-component render + prop + hook intelligence for one React component. DESCRIPTIVE ambient editor context surfaced by the LSP (a component summary code lens plus per-prop hovers), NOT a finding, IssueKind, severity, or total_issues input. Carried in-process on the #[serde(skip)] AnalysisResults::react_component_intel field (like RenderFanInMetric); never serialized, so bare fallow / audit and the JSON / schema surface are untouched.
ReactHookSummary
Per-kind hook counts for a React component, summarized from hook_uses. DESCRIPTIVE editor context (the LSP code-lens hook breakdown), never a finding, severity, or total_issues input. custom collects every use*-named call that is not one of the four built-ins.
ReactPropDrill
A prop-drilling trace for a prop at the ROOT of a forwarding chain. DESCRIPTIVE ambient editor context (the LSP per-prop hover): the prop is forwarded unchanged through depth components before a component substantively consumes it. Reuses the prop-drilling chain machinery’s abstain ladder (spread / cloneElement / dynamic / provider-in-subtree drop the whole chain), so the trace is honest. NOT a finding (the opt-in prop-drilling rule owns the finding); this rides the #[serde(skip)] ReactComponentIntel carrier.
ReactPropIntel
Per-prop usage intelligence for one React component prop. DESCRIPTIVE editor context (the LSP per-prop hover): whether the prop is read in the component body and how many render sites pass it. NOT a finding (the unused-component-prop React arm owns the deadness rule); this is ambient signal. anchor_line / anchor_col follow the same convention the React unused-component-prop findings use (1-based line, byte-derived col from byte_offset_to_line_col).
ReferenceLocation
A location where an export is referenced (import site in another file).
RenderFanInComponent
One component’s render fan-in detail: how many JSX render SITES target it and how many DISTINCT parent components render it.
RenderFanInMetric
Per-component render fan-in counts plus the precomputed concentration aggregates.
RouteCollision
Two or more Next.js App Router route files that resolve to the SAME URL within one app-root. Next.js fails the build (“You cannot have two parallel pages that resolve to the same path”); fallow catches it statically and names every colliding file at once. One finding is emitted per colliding file; conflicting_paths lists the sibling files that share the URL.
SecurityAttackSurfaceEntry
One untrusted entry to reachable sink path for fallow security --surface.
SecurityCandidate
An agent-actionable candidate record on a SecurityFinding. fallow fills source_kind, sink, and boundary. The exploitability IMPACT is deliberately NOT a field: severity on the parent finding is only a review-priority tier, while deciding exploitability remains the consuming agent’s job. A perpetually-null impact key would only train consumers to ignore it. The agent reads this record, then writes its own impact verdict downstream.
SecurityCandidateBoundary
The boundary slot of a SecurityCandidate: which structural boundaries the candidate’s flow crosses. A flow that crosses a client/server or module boundary is a stronger review target than a self-contained one; the boundary is fallow’s structural signal over a pure source-sink match.
SecurityCandidateSink
The sink slot of a SecurityCandidate: a self-contained description of the matched sink site. Echoes the finding’s own span (path/line/col) plus the catalogue category/cwe and the captured callee, so an agent can act on candidate.sink in isolation (e.g. after fanning a finding out to a sub-agent) without reading the parent finding.
SecurityDeadCodeContext
Dead-code cross-link attached to a security candidate when fallow’s dead-code pass reports the same anchor as removable code.
SecurityDefensiveBoundary
Agent-facing defensive-boundary verification context for one surface path.
SecurityDefensiveControl
Defensive control found on an attack-surface path.
SecurityFinding
A local security CANDIDATE for downstream agent verification, NOT a verified vulnerability. Emitted only by fallow security, never under bare fallow or the audit gate. There is deliberately no confidence or signal_strength field: fallow does not prove exploitability, so the trace (its hops and length) is the only honest signal.
SecurityNetworkContext
Network-destination context for a secret-to-network candidate (#890): where the secret-bearing network call sends its data. Present only on network-category candidates. A consuming agent uses it to triage exfil (dynamic / untrusted destination) from intended auth (a literal provider host) without re-reading source.
SecurityReachability
Graph-derived reachability ranking signal for a security candidate. Computed from the existing module graph after detection, never proven exploitable. Used to surface candidates that sit on a request/runtime-reachable surface, receive same-module source evidence, or are import-reachable from an untrusted-source module above isolated helpers or scripts.
SecurityRuntimeContext
Runtime coverage context attached to a security candidate when fallow security --runtime-coverage is supplied.
SecurityTaintFlow
A source-to-sink taint-flow triple, emitted only when an untrusted source is import-reachable to the sink (reachability.reachable_from_untrusted_source). The { source, sink, path } shape matches the model agent SAST tooling expects (cf. Semgrep taint_source / taint_sink, SARIF threadFlows).
SecurityUnresolvedCalleeDiagnostic
Internal row for a security sink-shaped callee that extraction could not flatten to a static catalogue path.
SecurityZoneCrossing
A declared architecture-zone crossing, recovered by correlating a finding’s anchor against the run’s architecture-boundary violations.
StaleSuppression
A suppression comment or JSDoc tag that no longer matches any issue.
TaintEndpoint
One endpoint (source or sink node) of a SecurityTaintFlow.
TaintPath
Compact taint-flow path shape. The ordered per-hop trace is NOT duplicated here: it lives on SecurityReachability::untrusted_source_trace. This carries only the flow’s structural summary (intra-module flow plus the cross-module hop count) so consumers do not parse two copies of the hops.
TestOnlyDependency
A production dependency that is only imported by test files. Since it is never used in production code, it could be moved to devDependencies.
ThinWrapper
A located thin-wrapper / passthrough component: a React/Preact component whose entire body is return <Child {...props}/> (a single spread-forwarded child render, no host wrapper, no own value-add). It is pure structural indirection, a CANDIDATE for inlining at call sites or deleting. Health signal (rule defaults to off, opt-in): never a correctness error. Zero-FP doctrine: forwardRef / memo / exported / context-provider / cloneElement / render-prop / named-attr / unresolved-child wrappers all abstain (each is an intentional indirection or unprovable shape).
TraceHop
One hop in a security finding’s structural trace. Stored as an absolute path internally; JSON serialization strips the project root via serde_path::serialize.
TypeOnlyDependency
A production dependency that is only used via type-only imports. In production builds, type imports are erased, so this dependency is not needed at runtime and could be moved to devDependencies.
UnlistedDependency
A dependency used in code but not listed in package.json.
UnprovidedInject
A Vue inject(KEY) or Svelte getContext(KEY) whose symbol KEY is provide/setContext’d nowhere in the analyzed project. The key is a symbol with cross-file identity, so an unmatched key is a real dead-half DI link: at runtime the inject returns undefined, surfaced only at render. The fix is binary: provide the key somewhere, or remove the dead inject.
UnrenderedComponent
A Vue/Svelte single-file component (the default export of a .vue/.svelte file) that is reachable in the module graph but rendered NOWHERE in the project: no <Tag>, no :is/this= binding, no components/app.component registration, no h()/auto-import use, and no script value-read. It survives unused-file (a barrel re-export keeps it reachable) and unused-export (the re-export counts as a use), yet no file actually instantiates it.
UnresolvedCatalogReference
A workspace package.json reference (catalog: or catalog:<name>) that points at a catalog which does not declare the consumed package.
UnresolvedImport
An import that could not be resolved.
UnusedCatalogEntry
A package manager catalog entry that no workspace package references via the catalog: protocol.
UnusedComponentEmit
A Vue <script setup> defineEmits declared event that is EMITTED nowhere inside its own single-file component (no emit('<name>') call). Single-file finding, zero-FP doctrine: the whole file abstains on any unharvestable / dynamic-emit / whole-object-use / defineModel signal.
UnusedComponentInput
An Angular @Input() / signal input() / model() declared input that is read NOWHERE inside its own component (neither the inline/external template nor the class body). Single-file dead-input direction; the Angular analogue of UnusedComponentProp. The whole component abstains on an unresolved extends heritage clause (a base class in another file may read this.foo).
UnusedComponentOutput
An Angular @Output() / signal output() declared output that is EMITTED nowhere inside its own component (no this.<output>.emit(...)). Single-file dead-output direction; the Angular analogue of UnusedComponentEmit. A model() is recorded as an input only, so its framework-driven update: emit is never flagged here. The whole component abstains on an unresolved extends heritage clause.
UnusedComponentProp
A Vue <script setup> defineProps, Svelte 5 $props(), or React declared prop that is referenced NOWHERE inside its own component. Single-component finding, zero-FP doctrine: the component abstains on any opaque public or fallthrough signal.
UnusedDependency
A dependency that is listed in package.json but never imported.
UnusedDependencyOverride
An entry in pnpm’s overrides: map (or the legacy pnpm.overrides in package.json) whose target package is not declared in any workspace package.json and is not present in pnpm-lock.yaml. Projects without a readable lockfile fall back to package manifest checks; the hint field flags that conservative mode.
UnusedExport
An export that is never imported by other modules.
UnusedFile
A file that is not reachable from any entry point.
UnusedLoadDataKey
A SvelteKit +page.{ts,server.ts,js,server.js} load() return-object key read by no consumer: not off the sibling +page.svelte’s data.<key>, nor project-wide via page.data.<key> / $page.data.<key>. A dead load key runs a real server/DB fetch cost on every request for data nothing renders. The fix is a human call (delete the key, or wire a consumer): a load fetch may have side effects, so there is no safe auto-fix.
UnusedMember
An unused enum or class member.
UnusedServerAction
A Next.js Server Action (an export of a "use server" file) that no code in the analyzed project references: no import-and-call, no action={fn} JSX binding, no <form action={fn}>. This is the cross-graph “declared but zero consumers” direction, reclassified out of unused-export for "use server" files so the finding carries the action-specific signal. It does NOT mean the endpoint is unreachable: Next still registers the action id, so it stays POST-able. It means no project code calls it (likely forgotten / dead, and a candidate for removal to shrink surface area).
UnusedSvelteEvent
A Svelte component dispatching a custom event via createEventDispatcher() whose event name is listened to NOWHERE in the analyzed project. Cross-file dead-output direction: the component fires an event nothing handles. Zero-FP doctrine: the whole component abstains on any dynamic-dispatch or whole-dispatch-value signal, and a listener on ANY component anywhere credits the event name (the liberal over-credit direction).

Enums§

DependencyLocation
Where in package.json a dependency is listed.
DependencyOverrideMisconfigReason
Why a dependency-override entry is misconfigured. pnpm install would either fail at install time or silently no-op on these entries; surfacing them statically catches the issue before pnpm does.
DependencyOverrideSource
Where an override entry was declared. Serialized as the filename label ("pnpm-workspace.yaml" or "package.json") so the value in JSON output matches the value users write in ignoreDependencyOverrides[].source.
FlagConfidence
Detection confidence for a feature flag finding.
FlagKind
The detection method used to identify a feature flag.
PolicyRuleKind
Which rule-pack rule kind produced a PolicyViolation.
PolicyViolationSeverity
Effective severity of a single PolicyViolation. Per-rule severity overrides the rules."policy-violation" master; off rules emit nothing, so only error and warn appear on the wire. The exit-code gate inspects this per-finding value, not the master severity.
ReExportCycleKind
Discriminator for ReExportCycle: which structural shape was detected.
SecurityDeadCodeKind
Dead-code issue kind linked to a security candidate.
SecurityFindingKind
The kind of security candidate. Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities.
SecurityRuntimeState
Runtime coverage state for the function enclosing a security sink. This is production-observation evidence, not an exploitability verdict.
SecuritySeverity
Verification-priority tier for a security candidate. This is ranking, not an exploitability verdict.
SuppressionOrigin
The origin of a stale suppression: inline comment or JSDoc tag.
TaintConfidence
How strongly the untrusted-source signal is associated with the sink, a structured discriminator so a consumer can tier candidates without parsing the human evidence prose. Present only when SecurityReachability::reachable_from_untrusted_source is true. Neither value proves exploitability; both are ranking signals (issue #885 doctrine: rank, never gate).
TraceHopRole
The role a hop plays in a security finding’s structural import trace.

Constants§

TOTAL_ISSUE_RESULT_KEYS
Serialized AnalysisResults arrays that contribute to AnalysisResults::total_issues.