tests/unit/controller-error-shape.test.js scans for variants of error: String(err) / err.message / error.message to catch the original leak class. But the runtime-shipped response body uses message: as its key — a future contributor who writes res.status(500).json({ message: err.message }) would route around the global error-handler's policy without the regression test catching it.
Fix: extend the regex set to also reject message: String(error), message: String(err), message: err.message, message: error.message in app/controllers/ and app/middleware/. Zero existing occurrences — pure tightening.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
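The tightening proposed above, sketched as an added example (this is not the project's `tests/unit/controller-error-shape.test.js`). `GUARDED_KEYS`, `LEAKY_VALUE`, `scanSource` and the constructed `SAMPLE` controller are hypothetical names, and the scan matches across line breaks so a value placed on the line after the key is still caught.

```javascript
// Added example, not the project's test file; every identifier is hypothetical.
// Response-body keys that must not carry raw exception text.
const GUARDED_KEYS = ['error', 'message'];

// Value expressions named in the issue: String(err|error), err.message, error.message.
const LEAKY_VALUE = String.raw`(?:String\(\s*(?:err|error)\s*\)|(?:err|error)\.message\b)`;

// One pattern per key so each finding reports which key leaked.
const PATTERNS = GUARDED_KEYS.map((key) => ({
  key,
  re: new RegExp(String.raw`(?<![\w$.])["']?${key}["']?\s*:\s*` + LEAKY_VALUE, 'g'),
}));

// Scan the whole source (not line by line) so `message:\n  String(error)` is caught.
function scanSource(source, file = '<inline>') {
  const findings = [];
  for (const { key, re } of PATTERNS) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, key, match: m[0].replace(/\s+/g, ' ') });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed controller source: three leaks and one safe generic message.
const SAMPLE = [
  "async function show(req, res) {",
  "  try { res.json(await load(req.params.id)); }",
  "  catch (err) { res.status(500).json({ message: err.message }); }",
  "}",
  "function legacy(err, req, res, next) {",
  "  res.status(500).json({ error: String(err) });",
  "}",
  "function fallback(error, req, res, next) {",
  "  res.status(500).json({",
  "    message:",
  "      String(error),",
  "  });",
  "}",
  "function safe(err, req, res, next) {",
  "  res.status(500).json({ message: 'Internal Server Error' });",
  "}",
].join('\n');

console.log(scanSource(SAMPLE, 'sample.js'));
```

A regression test would run `scanSource` over each file under `app/controllers/` and `app/middleware/` and fail on any finding.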