JS: Support for newer version of Hapi - @hapi/hapi

[Napalys]

The latest version of Hapi introduces a new import name, @hapi/hapi, and a new server function.

Without this update, CodeQL would miss alerts related to the TaintedPath CWE-022 when using the newer version of the Hapi server.

[Copilot]

Pull Request Overview

This pull request updates the codebase to support the newer version of Hapi using the new import name "@hapi/hapi" and server function, ensuring that CodeQL can correctly detect alerts related to TaintedPath CWE-022.

• Updated test code in the Security query-tests to use "@hapi/hapi".
• Revised library test code for Hapi server instantiation.
• Documented the changes in the library change-notes.

Reviewed Changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.

File	Description
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/hapi.js	Introduces a new test case using the updated Hapi import and server function.
javascript/ql/test/library-tests/frameworks/hapi/src/hapihapi.js	Updates server instantiation to support the new Hapi API.
javascript/ql/lib/change-notes/2025-03-26-Hapi.md	Adds a brief change note documenting the update.

Files not reviewed (3)

• javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll: Language not supported
• javascript/ql/test/library-tests/frameworks/hapi/tests.expected: Language not supported
• javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected: Language not supported

Comments suppressed due to low confidence (1)

javascript/ql/test/library-tests/frameworks/hapi/src/hapihapi.js:1

• [nitpick] The file uses two different patterns for instantiating a Hapi server. For consistency and clarity, consider unifying the instantiation style (either using inline require or assigning the module to a variable).

var server1 = new (require('@hapi/hapi')).Server(); // HTTP::Server

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more