You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.
MCP Server enhancements — the Model Context Protocol server now exposes a jscpd://statistics resource and supports a recheck endpoint so AI agents can trigger a rescan without restarting the process.
Apex & CFML language support — jscpd can now detect duplicate code in Salesforce Apex and ColdFusion Markup Language (CFML) files (closes #83, #619).
GDScript support — detect copy-paste duplication in Godot Engine GDScript files.
HTML reporter footer — the HTML report now displays a branded footer with the jscpd version and a sponsor link.
--noTips flag — suppress the usage-tip messages that appear after a detection run.
CI: Node.js 22.x / 24.x — continuous integration updated to test against the latest Node.js LTS and current releases.
Performance
Tokenizer — grammars are now loaded lazily, hot paths are O(n), and the spark-md5 dependency has been removed in favour of a lighter built-in implementation. Startup time and memory usage are noticeably reduced on large codebases.
Replaced the vendored reprism syntax library with the official prismjs npm package, shrinking the installed footprint.
Bug Fixes
Restored the correct start.line expectation for weak-mode clone detection.
jscpd-server — a new jscpd-server package ships a RESTful HTTP API for code-duplication detection. Ideal for CI pipelines, IDE plugins, and services that need on-demand analysis without spinning up a CLI process.
GitHub Actions example — an example_github_action.yml starter workflow is included in the repository.
Bug Fixes
Ignore patterns defined in configuration files are now applied correctly (the path-matching bug in resolveIgnorePattern has been fixed).
Importing jscpd as a Node.js module no longer auto-executes the CLI entry point.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR bumps jscpd to version 4.1.0. While the primary goal is a dependency update, the upgrade of the transitive dependency node-sarif-builder from v2 to v3 introduces a significant breaking change: the minimum required Node.js version has increased from >=14 to >=20.
Although Codacy analysis is 'up to standards', the PR lacks automated verification for this version transition. Specifically, the migration from reprism to prismjs and the updated engine requirements are not covered by any new or modified tests. The merge should be gated on verifying environment compatibility and functionality of the new reporting components.
About this PR
The shift to Node.js 20 as a minimum requirement (via node-sarif-builder v3) is a systemic change. This must be validated across all infrastructure, including developer local environments, CI runners, and production-like containers.
No functional or integration tests were added to verify the dependency bump. Given the replacement of internal syntax highlighting engines and SARIF builders, manual or automated verification is required to ensure detection accuracy.
Test suggestions
Verify that jscpd 4.1.0 correctly identifies clones in the codebase.
Confirm that SARIF reports are generated correctly using node-sarif-builder 3.4.0.
Validate the tool's execution in a Node.js 20+ environment, given the updated engine requirements.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that jscpd 4.1.0 correctly identifies clones in the codebase.
2. Confirm that SARIF reports are generated correctly using node-sarif-builder 3.4.0.
3. Validate the tool's execution in a Node.js 20+ environment, given the updated engine requirements.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
Pinning the dependency to the exact version 4.1.0 ensures deterministic builds and protects against potential dependency confusion or hijacking attacks. While the package-lock.json locks the current installation, pinning in package.json provides an additional layer of security.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
The update to jscpd@4.1.0 introduces node-sarif-builder@3.4.0, which requires Node.js >= 20. This is a breaking change for the execution environment. Please verify CI config files and Dockerfiles to ensure the environment is updated to version 20 or higher.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Bumps jscpd from 4.0.5 to 4.1.0.
Changelog
Sourced from jscpd's changelog.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)