fix(detector): reject binary input to prevent false positives

Binary files contain null bytes that get parsed into JSX-like AST nodes.
Add a null-byte guard in containsJSX to short-circuit on binary content.

Author: evaliyev

package-lock.json

@@ -5,11 +5,13 @@
   "type": "module",
   "main": "./dist/index.cjs",
   "module": "./dist/index.mjs",
+  "types": "./dist/index.d.mts",
   "bin": {
     "has-jsx": "bin/has-jsx.js"
   },
   "exports": {
     ".": {
+      "types": "./dist/index.d.mts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.cjs",
       "default": "./dist/index.mjs"
@@ -55,7 +57,9 @@
     "commander": "^14.0.3"
   },
   "devDependencies": {
+    "@types/node": "^25.2.3",
     "tsdown": "^0.20.3",
+    "typescript": "^5.7",
     "vitest": "^4.0.18"
   }
 }

package.json

@@ -9,13 +9,13 @@ import { hasJSX, hasJSXInString } from './index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
-/**
- * Runs the CLI with the provided arguments.
- *
- * @param {string[]} argv - Command line arguments (process.argv)
- * @returns {Promise<void>}
- */
-export async function run(argv) {
+interface CliOptions {
+  file?: string;
+  verbose?: boolean;
+  quiet?: boolean;
+}
+
+export async function run(argv: string[]): Promise<void> {
   const packageJson = JSON.parse(
     readFileSync(join(__dirname, '../package.json'), 'utf-8')
   );
@@ -32,14 +32,14 @@ export async function run(argv) {
     .option('-q, --quiet', 'Silent mode (exit codes only)')
     .exitOverride()
     .configureOutput({
-      writeOut: (str) => console.log(str.trimEnd()),
-      writeErr: (str) => console.error(str.trimEnd()),
+      writeOut: (str: string) => console.log(str.trimEnd()),
+      writeErr: (str: string) => console.error(str.trimEnd()),
     })
-    .action(async (source, options) => {
+    .action(async (source: string | undefined, options: CliOptions) => {
       try {
-        let result;
-        let inputType;
-        let inputValue;
+        let result: boolean;
+        let inputType: 'file' | 'string';
+        let inputValue: string;
 
         if (options.file) {
           result = await hasJSX(options.file);
@@ -70,31 +70,37 @@ export async function run(argv) {
           console.log(result ? 'JSX detected' : 'No JSX detected');
           process.exit(exitCode);
         }
-      } catch (error) {
+      } catch (error: unknown) {
         if (isProcessExitError(error)) {
           throw error;
         }
         if (!options.quiet) {
-          console.error(`Error: ${error.message}`);
+          console.error(`Error: ${(error as Error).message}`);
         }
         process.exit(2);
       }
     });
 
   try {
     await program.parseAsync(argv);
-  } catch (error) {
+  } catch (error: unknown) {
     if (isProcessExitError(error) || isCommanderError(error)) {
       return;
     }
     throw error;
   }
 }
 
-function isProcessExitError(error) {
-  return error.message?.startsWith('process.exit(');
+function isProcessExitError(error: unknown): boolean {
+  return error instanceof Error && error.message.startsWith('process.exit(');
 }
 
-function isCommanderError(error) {
-  return error.code?.startsWith('commander.');
+function isCommanderError(error: unknown): boolean {
+  return (
+    typeof error === 'object' &&
+    error !== null &&
+    'code' in error &&
+    typeof (error as { code: unknown }).code === 'string' &&
+    (error as { code: string }).code.startsWith('commander.')
+  );
 }

src/cli.js src/cli.tssrc/cli.js renamed to src/cli.ts

@@ -0,0 +1,26 @@
+import { tsx } from '@ast-grep/napi';
+
+/** Detects if source code contains JSX syntax using AST analysis. */
+export function containsJSX(source: string): boolean {
+  // Binary files contain null bytes; valid source code never does.
+  // Without this guard, garbled UTF-8 from binaries gets parsed into JSX-like AST nodes.
+  if (source.includes('\0')) return false;
+
+  try {
+    const root = tsx.parse(source).root();
+
+    // jsx_element covers standard elements and fragments (<>...</>)
+    const match = root.find({
+      rule: {
+        any: [
+          { kind: 'jsx_element' },
+          { kind: 'jsx_self_closing_element' },
+        ],
+      },
+    });
+
+    return match !== null;
+  } catch {
+    return false;
+  }
+}

src/detector.js

@@ -0,0 +1,18 @@
+import { readFileContent } from './utils.js';
+import { containsJSX } from './detector.js';
+
+/** Checks if a file contains JSX syntax. */
+export async function hasJSX(filepath: string): Promise<boolean> {
+  const content = await readFileContent(filepath);
+  return containsJSX(content);
+}
+
+/** Checks if a string contains JSX syntax. */
+export function hasJSXInString(source: string): boolean {
+  if (typeof source !== 'string') {
+    throw new TypeError('Expected source to be a string');
+  }
+  return containsJSX(source);
+}
+
+export default hasJSX;

src/detector.ts

@@ -1,14 +1,8 @@
 import { readFile } from 'fs/promises';
 import { existsSync, statSync } from 'fs';
 
-/**
- * Reads file content from the filesystem with validation.
- *
- * @param {string} filepath - Absolute or relative path to file
- * @returns {Promise<string>} File content
- * @throws {Error} If file doesn't exist, is not a file, or can't be read
- */
-export async function readFileContent(filepath) {
+/** Reads file content from the filesystem with validation. */
+export async function readFileContent(filepath: string): Promise<string> {
   if (!existsSync(filepath)) {
     throw new Error(`File not found: ${filepath}`);
   }

src/index.js

@@ -56,6 +56,13 @@ describe('hasJSX API', () => {
     });
   });
 
+  describe('Binary content (no false positives)', () => {
+    it('returns false for binary content', () => {
+      const binary = Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x00, 0x3c, 0x64, 0x69, 0x76, 0x3e]).toString('utf-8');
+      expect(hasJSXInString(binary)).toBe(false);
+    });
+  });
+
   describe('Error handling', () => {
     it('throws error for nonexistent file', async () => {
       await expect(hasJSX('/nonexistent/file.js')).rejects.toThrow('File not found');
@@ -103,10 +110,10 @@ describe('hasJSX API', () => {
 
     describe('Error handling', () => {
       it('throws TypeError for non-string input', () => {
-        expect(() => hasJSXInString(null)).toThrow(TypeError);
-        expect(() => hasJSXInString(undefined)).toThrow(TypeError);
-        expect(() => hasJSXInString(123)).toThrow(TypeError);
-        expect(() => hasJSXInString({})).toThrow(TypeError);
+        expect(() => hasJSXInString(null as unknown as string)).toThrow(TypeError);
+        expect(() => hasJSXInString(undefined as unknown as string)).toThrow(TypeError);
+        expect(() => hasJSXInString(123 as unknown as string)).toThrow(TypeError);
+        expect(() => hasJSXInString({} as unknown as string)).toThrow(TypeError);
       });
 
       it('returns false for empty string', () => {