Address Copilot review nits

murderteeth · claude · murderteeth · commit 47915328e6c9 · 2026-04-13T17:35:08.000Z
Fixes US spelling (recognised -&gt; recognized) across docs, QLDoc,
change note, and test fixture comments. Clarifies the handler QLDoc
to note sync/async support. Renames the supported-frameworks entry
from "vercel" to "Vercel (@vercel/node)" to avoid implying broader
platform coverage.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/docs/codeql/reusables/supported-frameworks.rst b/docs/codeql/reusables/supported-frameworks.rst
@@ -197,7 +197,7 @@ and the CodeQL library pack ``codeql/javascript-all`` (`changelog <https://githu
    superagent, Network communicator
    swig, templating language
    underscore, Utility library
-   vercel, Serverless framework
+   Vercel (@vercel/node), Serverless framework
    vue, HTML framework
 
 
diff --git a/javascript/ql/lib/change-notes/2026-04-12-vercel-node.md b/javascript/ql/lib/change-notes/2026-04-12-vercel-node.md
@@ -1,4 +1,4 @@
 ---
 category: newFeature
 ---
-* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognised via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
+* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/VercelNode.qll b/javascript/ql/lib/semmle/javascript/frameworks/VercelNode.qll
@@ -9,9 +9,10 @@ import semmle.javascript.frameworks.HTTP
  * Provides classes for working with [@vercel/node](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions.
  *
  * A Vercel serverless function is a module whose default export is a function
- * with signature `(req: VercelRequest, res: VercelResponse) => void`, where
- * the types are imported from the `@vercel/node` package. The Vercel runtime
- * invokes the default export for every incoming HTTP request.
+ * taking parameters `(req: VercelRequest, res: VercelResponse)`, where the
+ * types are imported from the `@vercel/node` package. The default export may
+ * be synchronous or `async`, and the Vercel runtime invokes it for every
+ * incoming HTTP request.
  */
 module VercelNode {
   /**
@@ -20,7 +21,7 @@ module VercelNode {
    * `VercelResponse` from `@vercel/node`.
    *
    * Since `@vercel/node` is commonly imported as a type-only import, handlers
-   * are recognised by their TypeScript parameter types. The default-export
+   * are recognized by their TypeScript parameter types. The default-export
    * constraint excludes private helpers or test utilities that share the
    * same signature.
    */
diff --git a/javascript/ql/test/library-tests/frameworks/vercel/src/notahandler.ts b/javascript/ql/test/library-tests/frameworks/vercel/src/notahandler.ts
@@ -2,7 +2,7 @@ import type { VercelRequest, VercelResponse } from "@vercel/node";
 
 // A default-exported function that has VercelRequest/VercelResponse at
 // positions 1 and 2, not 0 and 1. Vercel does not invoke it this way,
-// so it must NOT be recognised as a route handler.
+// so it must NOT be recognized as a route handler.
 export default function notAHandler(ctx: unknown, req: VercelRequest, res: VercelResponse) {
   res.send(req.query.name);
 }
diff --git a/javascript/ql/test/library-tests/frameworks/vercel/src/now.ts b/javascript/ql/test/library-tests/frameworks/vercel/src/now.ts
@@ -1,7 +1,7 @@
 import type { NowRequest, NowResponse } from "@now/node";
 
 // Legacy Zeit-era aliases. The model should treat these identically to
-// the modern @vercel/node NowRequest -> VercelRequest, NowResponse -> VercelResponse.
+// the modern @vercel/node types (NowRequest -> VercelRequest, NowResponse -> VercelResponse).
 export default function handler(req: NowRequest, res: NowResponse) {
   res.send(req.query.name);
 }
diff --git a/javascript/ql/test/library-tests/frameworks/vercel/src/vercel.ts b/javascript/ql/test/library-tests/frameworks/vercel/src/vercel.ts
@@ -1,6 +1,6 @@
 import type { VercelRequest, VercelResponse } from "@vercel/node";
 
-// A private helper with the same signature. Must NOT be recognised as a
+// A private helper with the same signature. Must NOT be recognized as a
 // route handler, since Vercel only invokes the default export.
 function internalHelper(req: VercelRequest, res: VercelResponse) {
   res.send(req.query.name);

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ import type { VercelRequest, VercelResponse } from "@vercel/node";`
`2`	`2`
`3`	`3`	`// A default-exported function that has VercelRequest/VercelResponse at`
`4`	`4`	`// positions 1 and 2, not 0 and 1. Vercel does not invoke it this way,`
`5`		`-// so it must NOT be recognised as a route handler.`
	`5`	`+// so it must NOT be recognized as a route handler.`
`6`	`6`	`export default function notAHandler(ctx: unknown, req: VercelRequest, res: VercelResponse) {`
`7`	`7`	`res.send(req.query.name);`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import type { NowRequest, NowResponse } from "@now/node";`
`2`	`2`
`3`	`3`	`// Legacy Zeit-era aliases. The model should treat these identically to`
`4`		`-// the modern @vercel/node NowRequest -> VercelRequest, NowResponse -> VercelResponse.`
	`4`	`+// the modern @vercel/node types (NowRequest -> VercelRequest, NowResponse -> VercelResponse).`
`5`	`5`	`export default function handler(req: NowRequest, res: NowResponse) {`
`6`	`6`	`res.send(req.query.name);`
`7`	`7`	`}`