This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Tokentoll v0.8.0 now scans JavaScript/TypeScript apps and adds detectors for the OpenAI, Anthropic and Vercel AI SDKs plus LangChain.js constructors.
Why it matters: coverage expands to JS/TS codebases, and the new detectors surface calls to the major LLM SDKs, which matters for developers building AI-enabled applications.
Summary
AI summary: updates to detectors, the upgrade path, and compatibility across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | tokentoll now scans JavaScript and TypeScript apps alongside Python. | — |
| Feature | Medium | Detects OpenAI Node SDK calls: chat.completions.create, responses.create, embeddings.create. | — |
| Feature | Medium | Detects Anthropic SDK calls: messages.create and messages.stream. | — |
| Feature | Medium | Detects Vercel AI SDK calls: generateText, streamText, generateObject, streamObject, embed, embedMany. | — |
| Feature | Medium | Detects LangChain.js constructors: ChatOpenAI, ChatAnthropic, ChatGoogleGenerativeAI, OpenAIEmbeddings. | — |
| Feature | Medium | Same-file constant propagation now handles string literals, integer literals, const/let bindings, object literals, function default parameters, env fallback expressions, and Vercel provider wrappers. | — |
| Feature | Medium | Parser uses tree-sitter with the official TypeScript and JavaScript grammars, supporting .js, .jsx, .ts, .tsx files by default. | — |
| Feature | Medium | GitHub Action workflow path filter now includes `**.ts`, `**.tsx`, `**.js`, `**.jsx` alongside Python files. | — |
| Feature | Medium | Action's install pin updated to tokentoll==0.8.0; Python upgrade via pip installs the new version. | — |
| Performance | Low | Install footprint increased by ~3 MB due to new tree-sitter dependencies. | — |

Source for all rows: llm_adapter@2026-05-30 (confidence: high).
Full changelog
tokentoll now covers JavaScript and TypeScript apps in addition to Python. Same scanner, same diff engine, same policy verdict, same PR comment. A mixed Python + TypeScript repo scans in one pass.
What's new
Detectors
- OpenAI Node SDK: client.chat.completions.create, client.responses.create, client.embeddings.create. OpenAI-compatible clients (Groq, Together, custom baseURL) are picked up automatically because the call shape is identical.
- Anthropic SDK: client.messages.create, client.messages.stream.
- Vercel AI SDK: generateText, streamText, generateObject, streamObject, embed, embedMany. The SDK name is inferred from the provider wrapper (openai("gpt-4o") -> openai, anthropic("...") -> anthropic, etc.) so pricing flows through correctly.
- LangChain.js: new ChatOpenAI, new ChatAnthropic, new ChatGoogleGenerativeAI, new OpenAIEmbeddings, and other Chat* constructors.
Value resolution
Same-file constant propagation handles:
- String literals, template strings without interpolation, integer literals
- const/let bindings, object literals (including nested properties like config.model)
- Function default parameters across both TS and JS grammars
- process.env.X || "fallback" and process.env.X ?? "fallback"
- Vercel AI SDK provider wrappers like openai("gpt-4o") and openai.chat("gpt-4o")
Cross-file imports are not resolved in v0.8 and produce a dynamic call site.
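As an added example (not tokentoll's own code, which parses with tree-sitter), the Python sketch below shows the two mechanics described in the Detectors and Value resolution sections together: matching the listed call shapes in a JS/TS file, then resolving the model argument through same-file constants, env fallbacks and Vercel provider wrappers, and reporting anything else as dynamic. It is regex-based rather than AST-based, so it only handles the simple shapes in the constructed sample; the SDK labels, the Detection tuple and the sample file are assumptions for illustration, while the call shapes and resolution rules come from the release notes above.

```python
# Simplified illustration of the JS/TS detection and value-resolution rules
# described in the release notes. Added example, not tokentoll's code: tokentoll
# parses with tree-sitter, while this uses regexes plus a paren matcher, so it
# only handles the simple shapes in the constructed sample at the bottom.
import re
from collections import namedtuple

# Call shapes from the release notes, tagged with the SDK they belong to (labels assumed).
CALL_SHAPES = [
    ("openai", r"\.chat\.completions\.create\s*\("),
    ("openai", r"\.responses\.create\s*\("),
    ("openai", r"\.embeddings\.create\s*\("),
    ("anthropic", r"\.messages\.(?:create|stream)\s*\("),
    ("vercel-ai", r"\b(?:generateText|streamText|generateObject|streamObject|embed|embedMany)\s*\("),
    ("langchain", r"\bnew\s+(?:ChatOpenAI|ChatAnthropic|ChatGoogleGenerativeAI|OpenAIEmbeddings)\s*\("),
]
STRING_LIT = re.compile(r"""^(?:"([^"\\]*)"|'([^'\\]*)'|`([^`$]*)`)$""")  # template string only without ${}
WRAPPER = re.compile(r"""^(\w+)(?:\.\w+)?\(\s*("[^"]*"|'[^']*')\s*\)$""")  # openai("gpt-4o"), openai.chat("...")
CONST_BINDING = r"\b(?:const|let)\s+{name}\s*(?::[^=]+)?=\s*([^;\n]+)"  # optional TS type annotation

Detection = namedtuple("Detection", "sdk line model how")  # how: literal|constant|env-fallback|wrapper|dynamic

def _arg_text(src, open_idx):
    # Text between the '(' at open_idx and its matching ')'; does not skip parens inside strings.
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def resolve(expr, src, depth=0):
    """Resolve a model expression to (value, how); anything unresolved is 'dynamic'."""
    expr = expr.strip()
    if depth > 5:  # guard against self-referential bindings
        return None, "dynamic"
    if m := STRING_LIT.match(expr):
        return next(g for g in m.groups() if g is not None), "literal"
    if re.fullmatch(r"\d+", expr):
        return int(expr), "literal"
    # process.env.X || "fb" and process.env.X ?? "fb": report the fallback value
    if m := re.fullmatch(r"process\.env\.\w+\s*(?:\|\||\?\?)\s*(.+)", expr):
        value, how = resolve(m.group(1), src, depth + 1)
        return value, ("env-fallback" if how != "dynamic" else "dynamic")
    if m := WRAPPER.match(expr):
        value, _ = resolve(m.group(2), src, depth + 1)
        return f"{m.group(1)}/{value}", "wrapper"
    # Bare identifier: follow the first same-file const/let binding of that name
    # (a real scanner would respect scope; this picks the first match in the file).
    if re.fullmatch(r"[A-Za-z_$][\w$]*", expr):
        if m := re.search(CONST_BINDING.format(name=re.escape(expr)), src):
            value, how = resolve(m.group(1), src, depth + 1)
            return value, ("constant" if how == "literal" else how)
    return None, "dynamic"

def scan(src):
    """One Detection per matched call site, ordered by line number."""
    found = []
    for sdk, pattern in CALL_SHAPES:
        for m in re.finditer(pattern, src):
            args = _arg_text(src, m.end() - 1)
            line = src.count("\n", 0, m.start()) + 1
            prop = re.search(r"\bmodel\s*:\s*([^,\n}]+)", args)  # model: <expr>
            short = re.search(r"\bmodel\s*(?=[,}])", args)        # shorthand { model, ... }
            expr = prop.group(1) if prop else ("model" if short else None)
            value, how = resolve(expr, src) if expr else (None, "dynamic")
            found.append(Detection(sdk, line, value, how))
    return sorted(found, key=lambda d: d.line)

# Constructed sample TypeScript file (not from the page). It starts with a newline,
# so the first const is on line 2 and the call sites are on lines 5, 8, 12 and 15.
SAMPLE_TS = '''
const DEFAULT_MODEL = "gpt-4o-mini";
const client = new OpenAI();
export async function summarize(text: string) {
  return client.chat.completions.create({ model: DEFAULT_MODEL, messages: [] });
}
export async function draft(prompt: string) {
  return generateText({ model: openai("gpt-4o"), prompt });
}
export async function embedDoc(input: string) {
  const model = process.env.EMBED_MODEL ?? "text-embedding-3-small";
  return client.embeddings.create({ model, input });
}
export async function custom(modelFromRequest: string) {
  return client.chat.completions.create({ model: modelFromRequest, messages: [] });
}
'''

if __name__ == "__main__":
    for d in scan(SAMPLE_TS):
        print(f"line {d.line:>2}  {d.sdk:<10} model={d.model!r}  ({d.how})")
```

Running it reports the first three call sites with resolved models (constant, provider wrapper, env fallback) and the last one as dynamic, which is the case the release notes say produces a dynamic-model warning: the model comes from a function parameter, so no pricing can be attached without cross-file or inter-procedural resolution.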
Parser
tree-sitter with the official tree-sitter-typescript and tree-sitter-javascript grammars. Handles .js, .jsx, .ts, .tsx. Both grammars are required dependencies, so the feature is on by default.
GitHub Action
Recommended workflow path filter now covers TS/JS:
```yaml
on:
  pull_request:
    paths:
      - "**.py"
      - "**.ts"
      - "**.tsx"
      - "**.js"
      - "**.jsx"
```
Upgrade
```yaml
- uses: Jwrede/[email protected]
  with:
    fail-on-policy-violation: true
```
```shell
pip install --upgrade tokentoll
```
The action's install pin is bumped to tokentoll==0.8.0.
Tests
138 passing (up from 123 in v0.7). 15 new tests cover literal models, same-file constants, env fallbacks, Anthropic + max_tokens, Vercel generateText/streamText/embed, LangChain.js constructors, dynamic-model warnings, .tsx parsing, OpenAI-compatible clients, and a mixed Python + TS repo scan.
Compatibility
- No breaking changes to the Python scanner, policy schema, or PR comment format.
- The new tree-sitter deps add about 3 MB to the install footprint; nothing else changes.