## Changes to code extraction
* The extractor now supports TypeScript 2.9 and 3.0 syntax.
* Files that use `require` or `module.exports` inside a `try` or `if` statement are now recognized as CommonJS modules.
* On finding a file whose name starts with a dot and ends with "rc" (such as `.eslintrc` and `.babelrc`), the extractor will now examine its contents to determine whether it looks like JSON data. If so, the file is parsed as JSON and added to the snapshot. In particular, this means that ESLint and Babel configuration files are now added to the snapshot automatically.
## General improvements
* Improved modeling of data flow through destructuring assignments may give additional results for the security queries and other queries that rely on data flow.
* Improved modeling of global variables may give more true-positive results and fewer false-positive results for a variety of queries.
* Improved modeling of re-export declarations may result in fewer false-positive results for a variety of queries.
* Improved modeling of taint flow through array operations may give additional results for the security queries.
* The taint tracking library recognizes more ways in which taint propagates. In particular, some flow through string formatters is now recognized. This may give additional results for the security queries.
* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
* Type inference for simple function calls has been improved. This may give additional results for queries that rely on type inference.
* Handling of ambient TypeScript code has been improved. As a result, fewer false-positive results will be reported in `.d.ts` files.
* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries:
## New queries
| **Query** | **Tags** | **Purpose** |
| Clear-text logging of sensitive information (`js/clear-text-logging`) | security, external/cwe/cwe-312, external/cwe/cwe-315, external/cwe/cwe-359 | Highlights logging of sensitive information, indicating a violation of [CWE-312](https://cwe.mitre.org/data/definitions/312.html). Results are shown on LGTM by default. |
| Disabling Electron webSecurity (`js/disabling-electron-websecurity`) | security, frameworks/electron | Highlights Electron browser objects that are created with the `webSecurity` property set to false. Results are shown on LGTM by default. |
| Enabling Electron allowRunningInsecureContent (`js/enabling-electron-insecure-content`) | security, frameworks/electron | Highlights Electron browser objects that are created with the `allowRunningInsecureContent` property set to true. Results are shown on LGTM by default. |
| Uncontrolled data used in remote request (`js/request-forgery`) | security, external/cwe/cwe-918 | Highlights remote requests that are built from unsanitized user input, indicating a violation of [CWE-918](https://cwe.mitre.org/data/definitions/918.html). Results are hidden on LGTM by default. |
| Use of externally-controlled format string (`js/tainted-format-string`) | security, external/cwe/cwe-134 | Highlights format strings containing user-provided data, indicating a violation of [CWE-134](https://cwe.mitre.org/data/definitions/134.html). Results are shown on LGTM by default. |