NodeSecure · fraxken · Feb 17, 2026 · Feb 16, 2026
diff --git a/.changeset/tricky-tools-reply.md b/.changeset/tricky-tools-reply.md
@@ -0,0 +1,8 @@
+---
+"@nodesecure/tree-walker": minor
+"@nodesecure/scanner": minor
+"@nodesecure/tarball": minor
+"@nodesecure/rc": minor
+---
+
+chore: upgrade js-x-ray
diff --git a/workspaces/rc/package.json b/workspaces/rc/package.json
@@ -45,7 +45,7 @@
     "ajv": "6.12.6"
   },
   "dependencies": {
-    "@nodesecure/js-x-ray": "11.5.0",
+    "@nodesecure/js-x-ray": "12.0.0",
     "@nodesecure/npm-types": "^1.2.0",
     "@nodesecure/vulnera": "^2.0.1",
     "@openally/config": "^1.0.1",

diff --git a/workspaces/scanner/package.json b/workspaces/scanner/package.json
@@ -68,7 +68,7 @@
     "@nodesecure/contact": "^3.0.0",
     "@nodesecure/flags": "^3.0.3",
     "@nodesecure/i18n": "^4.1.0",
-    "@nodesecure/js-x-ray": "11.5.0",
+    "@nodesecure/js-x-ray": "12.0.0",
     "@nodesecure/mama": "^2.1.1",
     "@nodesecure/npm-registry-sdk": "^4.4.0",
     "@nodesecure/npm-types": "^1.3.0",

diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
@@ -11,7 +11,7 @@ import {
   scanDirOrArchive,
   type PacoteProvider
 } from "@nodesecure/tarball";
-import { CollectableSet } from "@nodesecure/js-x-ray";
+import { DefaultCollectableSet, type CollectableSet } from "@nodesecure/js-x-ray";
 import * as Vulnera from "@nodesecure/vulnera";
 import { npm } from "@nodesecure/tree-walker";
 import { parseAuthor } from "@nodesecure/utils";
@@ -126,7 +126,7 @@ export async function depWalker(
 
   const statsCollector = new StatsCollector({ logger }, { isVerbose });
 
-  const collectables = kCollectableTypes.map((type) => new CollectableSet<Metadata>(type));
+  const collectables = kCollectableTypes.map((type) => new DefaultCollectableSet<Metadata>(type));
 
   const pacoteProvider: PacoteProvider = {
     async extract(spec, dest, opts): Promise<void> {
@@ -412,7 +412,7 @@ export async function depWalker(
   }
 }
 
-function extractHighlightedIdentifiers(collectables: CollectableSet<Metadata>[], identifiersToHighlight: Set<string>) {
+function extractHighlightedIdentifiers(collectables: DefaultCollectableSet<Metadata>[], identifiersToHighlight: Set<string>) {
   if (identifiersToHighlight.size === 0) {
     return [];
   }

diff --git a/workspaces/tarball/package.json b/workspaces/tarball/package.json
@@ -47,7 +47,7 @@
   "dependencies": {
     "@nodesecure/conformance": "^1.2.1",
     "@nodesecure/fs-walk": "^2.0.0",
-    "@nodesecure/js-x-ray": "11.5.0",
+    "@nodesecure/js-x-ray": "12.0.0",
     "@nodesecure/mama": "^2.1.1",
     "@nodesecure/npm-types": "^1.2.0",
     "@nodesecure/utils": "^2.3.0",

diff --git a/workspaces/tarball/src/class/NpmTarball.class.ts b/workspaces/tarball/src/class/NpmTarball.class.ts
@@ -9,7 +9,7 @@ import {
 } from "@nodesecure/mama";
 import {
   AstAnalyser,
-  CollectableSet,
+  DefaultCollectableSet,
   warnings,
   type AstAnalyserOptions
 } from "@nodesecure/js-x-ray";
@@ -87,25 +87,27 @@ export class NpmTarball {
           .flatMap(filterJavaScriptFiles())
       });
 
-      const operationQueue =
-        Array.from(hostNameSet)
-          .map(({ value, locations }) => this.#resolver.isPrivateHost(value)
-            .then((isPrivate) => {
-              if (isPrivate) {
-                locations.forEach(({ file, location }) => {
-                  code.warnings.push({
-                    kind: "shady-link",
-                    ...warnings["shady-link"],
-                    file: file ?? undefined,
-                    location,
-                    value,
-                    source: "Scanner"
+      if (hostNameSet instanceof DefaultCollectableSet) {
+        const operationQueue =
+          Array.from(hostNameSet)
+            .map(({ value, locations }) => this.#resolver.isPrivateHost(value)
+              .then((isPrivate) => {
+                if (isPrivate) {
+                  locations.forEach(({ file, location }) => {
+                    code.warnings.push({
+                      kind: "shady-link",
+                      ...warnings["shady-link"],
+                      file: file ?? undefined,
+                      location,
+                      value,
+                      source: "Scanner"
+                    });
                   });
-                });
-              }
-            })
-          );
-      await Promise.allSettled(operationQueue);
+                }
+              })
+            );
+        await Promise.allSettled(operationQueue);
+      }
     }
 
     return {
@@ -121,7 +123,7 @@ export class NpmTarball {
       return options;
     }
 
-    return { ...options, collectables: [...options.collectables ?? [], new CollectableSet("hostname")] };
+    return { ...options, collectables: [...options.collectables ?? [], new DefaultCollectableSet("hostname")] };
   }
 }
 

diff --git a/workspaces/tarball/test/NpmTarball.spec.ts b/workspaces/tarball/test/NpmTarball.spec.ts
@@ -5,7 +5,7 @@ import { describe, test } from "node:test";
 import assert from "node:assert";
 
 // Import Third-party Dependencies
-import { CollectableSet, warnings, type Warning } from "@nodesecure/js-x-ray";
+import { DefaultCollectableSet, warnings, type Warning } from "@nodesecure/js-x-ray";
 import { ManifestManager } from "@nodesecure/mama";
 
 type SourceArrayLocation = [[number, number], [number, number]];
@@ -26,7 +26,7 @@ describe("NpmTarball", () => {
   test("it should have a shady-link warning when a hostname resolve a private ip address with collectables", async() => {
     const mama = await ManifestManager.fromPackageJSON(path.join(kFixturePath, "shady-link", "package.json"));
     const npmTarball = new NpmTarball(mama);
-    const hostnameSet = new CollectableSet("hostname");
+    const hostnameSet = new DefaultCollectableSet("hostname");
 
     const result = await npmTarball.scanFiles({
       collectables: [hostnameSet]
@@ -101,7 +101,7 @@ describe("NpmTarball", () => {
     const npmTarball = new NpmTarball(mama);
 
     const result = await npmTarball.scanFiles({
-      collectables: [new CollectableSet("url"), new CollectableSet("ip")]
+      collectables: [new DefaultCollectableSet("url"), new DefaultCollectableSet("ip")]
     });
 
     assert.deepEqual(
@@ -136,7 +136,7 @@ describe("NpmTarball", () => {
   test("it should add the spec to collectables", async() => {
     const mama = await ManifestManager.fromPackageJSON(path.join(kFixturePath, "shady-link", "package.json"));
     const npmTarball = new NpmTarball(mama);
-    const hostnameSet = new CollectableSet<Metadata>("hostname");
+    const hostnameSet = new DefaultCollectableSet<Metadata>("hostname");
 
     await npmTarball.scanFiles({
       collectables: [hostnameSet]
@@ -146,7 +146,7 @@ describe("NpmTarball", () => {
   });
 });
 
-function extractSpecs(collectableSet: CollectableSet<Metadata>) {
+function extractSpecs(collectableSet: DefaultCollectableSet<Metadata>) {
   return Array.from(collectableSet)
     .flatMap(({ locations }) => locations.flatMap(({ metadata }) => metadata?.spec ?? []));
 }

diff --git a/workspaces/tarball/test/SourceCodeReport.spec.ts b/workspaces/tarball/test/SourceCodeReport.spec.ts
@@ -5,7 +5,7 @@ import { test } from "node:test";
 import assert from "node:assert";
 
 // Import Third-party Dependencies
-import { AstAnalyser, CollectableSet } from "@nodesecure/js-x-ray";
+import { AstAnalyser, DefaultCollectableSet } from "@nodesecure/js-x-ray";
 
 // Import Internal Dependencies
 import { SourceCodeScanner } from "../src/class/SourceCodeScanner.class.ts";
@@ -141,7 +141,7 @@ test("should detect the usage of global fetch and update hasExternalCapacity fla
 });
 
 test("should add spec to collectables", async() => {
-  const emailSet = new CollectableSet<{ spec: string; }>("email");
+  const emailSet = new DefaultCollectableSet<{ spec: string; }>("email");
   const mama = createFakeManifestManager();
   const scanner = new SourceCodeScanner(mama, {
     astAnalyser: new AstAnalyser({ collectables: [emailSet] })

diff --git a/workspaces/tarball/test/SourceCodeScanner.spec.ts b/workspaces/tarball/test/SourceCodeScanner.spec.ts
@@ -8,7 +8,7 @@ import { describe, test } from "node:test";
 import {
   ManifestManager
 } from "@nodesecure/mama";
-import { type ReportOnFile, AstAnalyser, CollectableSet } from "@nodesecure/js-x-ray";
+import { type ReportOnFile, AstAnalyser, DefaultCollectableSet } from "@nodesecure/js-x-ray";
 
 // Import Internal Dependencies
 import {
@@ -139,7 +139,7 @@ describe("SourceCodeScanner", () => {
 
   test("it should add spec to collectables", async() => {
     const mama = loadFixtureManifest("entryfiles");
-    const emailSet = new CollectableSet<{ spec?: string; }>("email");
+    const emailSet = new DefaultCollectableSet<{ spec?: string; }>("email");
 
     const scanner = new SourceCodeScanner(mama, {
       astAnalyser: new AstAnalyser({

diff --git a/workspaces/tree-walker/package.json b/workspaces/tree-walker/package.json
@@ -37,7 +37,7 @@
   },
   "homepage": "https://github.com/NodeSecure/tree/master/workspaces/tree-walker#readme",
   "dependencies": {
-    "@nodesecure/js-x-ray": "11.5.0",
+    "@nodesecure/js-x-ray": "12.0.0",
     "@nodesecure/npm-registry-sdk": "^4.0.0",
     "@nodesecure/npm-types": "^1.1.0",
     "@npmcli/arborist": "9.1.10",