fix(react-doctor): harden rules against prototype-pollution FPs and adopt-config noise

[aidenybai]

Summary

Audited every OBJECT[someAstName] lookup in the rule plugin and surrounding utils — converted plain-object indexing to Map.get / Object.hasOwn so AST-derived names that shadow Object.prototype properties (constructor, toString, hasOwnProperty, …) can't fall through to the native value and false-positive. Same audit pass picked up four other shipped regressions: a shallow effect-needs-cleanup walker, an over-broad Tailwind palette regex, version-gating that silently dropped rules on R17/18 + unknown React versions, and an adoptExistingLintConfig path that emitted misleading stderr warnings on Next.js / CRA scaffolds.

Fixes

• Prototype pollution → false positives (the original no-legacy-class-lifecycles constructor bug, reproduced in 5 sibling rules):
  • no-legacy-class-lifecycles, no-react19-deprecated-apis, no-react-dom-deprecated-apis, rn-no-deprecated-modules, no-side-tab-border, no-prevent-default — Record<string, X> lookups → Map.get
  • run-oxlint category/help maps + run-knip issue-type map — Object.hasOwn guards via new lookupOwnString helper / Map.get
• effect-needs-cleanup shallow walker (~36% FP rate measured against react-grab / excalidraw / popover patterns): effectHasCleanupRelease now scans every ReturnStatement in the effect's own scope via walkInsideStatementBlocks (stops at function boundaries so cleanup nested in a callback still fires).
• design-no-default-tailwind-palette over-matching: regex anchored to canonical Tailwind stops (50 … 950) instead of \d{2,3}, so Radix Colors utilities (text-gray-11, bg-slate-2) aren't flagged as the Tailwind template default.
• filterRulesByReactMajor directional gating: deprecation-warning rules now fire on every detected major (R17/18 users planning the R19 upgrade are exactly the audience that benefits). When reactMajorVersion is null (custom resolver, workspace:*, mid-clone state) we optimistically assume the latest React major and apply every rule, including prefer-newer-api ones.
• Adopt-config stderr noise: new canOxlintExtendConfig pre-screens .eslintrc.json for bare-package extends ("next", "plugin:foo/bar") that oxlint can't resolve, dropping them silently before the parser crashes. Handles JSONC (// and /* */ comments) so real-world configs parse correctly.

Tests

20 new regression tests:

• tests/regressions/proto-pollution-defenses.test.ts — 6 tests (RN, design, prevent-default, with negative + positive each)
• tests/can-oxlint-extend-config.test.ts — 9 unit tests (every extends shape + JSONC line/block comments + comments inside string literals)
• tests/regressions/react-19-migration-rules.test.ts — +5 (constructor / proto-name member access, R17/18 fail-open, null fallback)
• tests/regressions/state-rules.test.ts — +4 (conditional cleanup, try/finally cleanup, nested-fn negative test, null version fires prefer-use-effect-event)
• tests/regressions/react-ui-rules.test.ts — +1 (Radix Colors stops not flagged)
• tests/diagnose.test.ts — flipped null-version assertion to match new policy

Total: 668 tests passing, typecheck/lint/format clean against latest main (oxlint 1.63.0).

Test plan

• pnpm typecheck — clean
• pnpm lint — 0 warnings, 0 errors
• pnpm test — 668/668 passing
• pnpm format — clean
• Re-bench against ~/Developer/{ami,same,expect,react-grab} — zero stderr noise, every spot-checked diagnostic is a true positive, no precision regressions

Made with Cursor

---

Note

Medium Risk
Changes lint rule gating and several rule detectors, which can materially change diagnostic output (and CI outcomes) across projects. Low runtime/security risk, but moderate risk of behavior regressions in linting heuristics and config adoption paths.

Overview
Improves linting correctness and stability by replacing multiple AST-derived Record[...] lookups with Map.get()/Object.hasOwn guards to prevent Object.prototype name collisions (e.g. constructor, toString) from causing false positives or bad messages across several rules and diagnostic/category/help lookups.

Adjusts rule behavior: React-major version gating now fails open when React version is unknown (null) and keeps deprecation-warning rules enabled across detected majors; effect-needs-cleanup now scans all relevant return statements within the effect scope to avoid conditional-cleanup false positives; and design-no-default-tailwind-palette narrows its regex to canonical Tailwind palette stops to avoid flagging custom scales.

Reduces oxlint config-adoption noise by adding canOxlintExtendConfig to pre-screen .eslintrc.json (including JSONC comments) and skip extends that oxlint cannot resolve, plus adds/updates regression tests and consolidates repeated test helpers.

^{Reviewed by Cursor Bugbot for commit cb1e900. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-doctor-website	Ready	Preview, Comment	May 8, 2026 0:40am

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6a715b3. Configure here.}