Fetching from the wire…
Security2026-07-12 · source-backed
Released July 11, it adds static-analysis queries that flag prompt-injection vulnerabilities in JavaScript and TypeScript, plus Kotlin 2.4.0 support (GitHub). Treating untrusted-input-into-LLM flows as a first-class security defect class is the right call. If you're wiring LLM calls into a JS/TS app, you can now catch injection sinks in CI instead of at runtime. Turn it on.
Each link below shares sources, entities, or timing with this story.
CodeQL supports TypeScript / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (CodeQL supports TypeScript); both cover GitHub, Kotlin, TypeScript; overlapping topics (catch, kotlin).
LLM uses OpenAI / Shared entities / Earlier coverage
Linked by a graph relationship (LLM uses OpenAI); both cover GitHub, LLM, TypeScript; earlier GitHub coverage from 2026-07-10.
CodeQL supports JavaScript / Shared entities / Earlier coverage
Linked by a graph relationship (CodeQL supports JavaScript); both cover JavaScript, LLM, TypeScript; earlier JavaScript coverage from 2026-04-30.
Simon Willison released LLM / Shared entity: JavaScript / Earlier coverage / Tension
Linked by a graph relationship (Simon Willison released LLM); both cover JavaScript; earlier JavaScript coverage from 2026-03-28.
Simon Willison released LLM / Shared entity: LLM / Earlier coverage / Tension
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; earlier LLM coverage from 2026-06-19.
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; earlier LLM coverage from 2026-06-18.
Simon Willison released LLM / Shared entity: GitHub / Earlier coverage / Tension
Linked by a graph relationship (Simon Willison released LLM); both cover GitHub; earlier GitHub coverage from 2026-04-23.
Simon Willison released LLM / Shared entity: LLM / Earlier coverage
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; earlier LLM coverage from 2026-06-19.