docs: fix stale flags, broken snippets, dead links, and outdated descriptions

oetr · oetr · commit 338501de495f · 2026-03-27T10:07:09.000+01:00
- fuzz-targets.md: --fuzzFunction -&gt; --fuzzEntryPoint, corpus is
  positional not a --corpus flag, normalize coverage reporter order
- fuzz-settings.md: JAZZER_COVERAGE env -&gt; JAZZER_COVERAGE_REPORTERS,
  remove incorrect -runs=-1 equivalence claim, fix malformed
  xmlDictionary and timeout snippets
- jest-integration.md: close unclosed code blocks, update stale
  version pin from 2.1.0 to ^3.0.0
- bug-detectors.md: normalize --disable_bug_detectors to
  --disableBugDetectors, fix missing spaces before 'in CLI mode'
- examples/jest_typescript_integration: runner -&gt; testRunner, fix
  stale import path, fix trailing commas in JSON, fix title typo
- architecture.md: mention ESM loader hook alongside CJS hookRequire
- Package READMEs: update jazzer.js-commercial links to jazzer.js,
  document async fuzzing mode in fuzzer README, add ESM loader path
  to instrumentor README, fix typos
diff --git a/README.md b/README.md
@@ -119,7 +119,7 @@ ES modules are supported on Node.js >= 20.6 — use `export function fuzz` in a
 
 ## Documentation
 
-Further documentation is available at [docs/readme.md](docs/README.md).
+Further documentation is available at [docs/README.md](docs/README.md).
 
 ### Demo Video - Introduction to Jazzer.js
 
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -25,14 +25,16 @@ The _fuzzing library_ is the main entry point and is used to start fuzzing. It
 is invoked with the name of a _fuzz target_ module and possible fuzzer options.
 As a first step it loads a
 [native plugin](https://nodejs.org/api/addons.html#wrapping-c-objects) Node.js
-addon, _fuzzer plugin_, to interact with libFuzzer and registers a `require`
-hook, _interceptor_, to instrument subsequently loaded code.
-
-The _interceptor_ transforms code using [Babel](https://babeljs.io/) to provide
-feedback to the fuzzer in multiple ways. It extends the loaded code to gather
-coverage statistics so that the fuzzer can detect when new code paths are
-reached. And it also intercepts comparison functions, like `==` or `!=`, to
-detect the parts of the provided input that should be mutated and in what way.
+addon, _fuzzer plugin_, to interact with libFuzzer and registers instrumentation
+hooks to transform subsequently loaded code.
+
+For CJS modules, a `require` hook (via `istanbul-lib-hook`) intercepts loading.
+For ES modules (Node >= 20.6), a loader hook registered via `module.register()`
+intercepts `import` statements in a dedicated loader thread.
+
+Both paths use [Babel](https://babeljs.io/) to transform source code, inserting
+coverage counters so the fuzzer can detect new code paths, and comparison hooks
+(for `==`, `!=`, etc.) so the fuzzer can mutate input toward specific values.
 Available feedback methods are defined in libFuzzer's
 [hook interface definitions](https://github.com/llvm/llvm-project/blob/main/compiler-rt/include/sanitizer/common_interface_defs.h).
 
@@ -70,14 +72,14 @@ information to detect progress and comparison hints to improve mutations. These
 feedback mechanisms have to be added to the application code without user
 intervention.
 
-**Decision**: Use the `istanbul-lib-hook` library to hook into dynamic code
-loading and `babel` plugins to extend the loaded code with the required feedback
-functionality. Instrumenting the code at such a high level leads to an
-independence of the underlying JavaScript engine. Furthermore, it is easily
-possible to decide if a loaded module should be instrumented or not.
+**Decision**: Use `istanbul-lib-hook` to hook into CJS loading and
+`module.register()` to hook into ESM loading, with Babel plugins to insert
+feedback instrumentation. Instrumenting at the source level decouples from the
+underlying JavaScript engine and allows fine-grained control over which modules
+are instrumented.
 
 **Consequences**: Independence of JavaScript engine, fine-grained
-instrumentation control
+instrumentation control, ESM support on Node >= 20.6.
 
 ## Visualization
 
diff --git a/docs/bug-detectors.md b/docs/bug-detectors.md
@@ -91,7 +91,7 @@ prototype, it will be able also find a way to modify other properties of the
 prototype that are not functions. If you find a use case where this assumption
 does not hold, feel free to open an issue.
 
-_Disable with:_ `--disableBugDetectors=prototype-pollution`in CLI mode; or when
+_Disable with:_ `--disableBugDetectors=prototype-pollution` in CLI mode; or when
 using Jest in `.jazzerjsrc.json`:
 
 ```json
@@ -104,7 +104,7 @@ Hooks the `eval` and `Function` functions and reports a finding if the fuzzer
 was able to pass a special string to `eval` and to the function body of
 `Function`.
 
-_Disable with:_ `--disable_bug_detectors=remote-code-execution`in CLI mode; or
+_Disable with:_ `--disableBugDetectors=remote-code-execution` in CLI mode; or
 when using Jest in `.jazzerjsrc.json`:
 
 ```json
@@ -127,8 +127,8 @@ getBugDetectorConfiguration("ssrf")
 	.addPermittedUDPConnection("localhost", 9090);
 ```
 
-_Disable with:_ `--disable_bug_detectors=ssrf` in CLI mode; or when using Jest
-in `.jazzerjsrc.json`:
+_Disable with:_ `--disableBugDetectors=ssrf` in CLI mode; or when using Jest in
+`.jazzerjsrc.json`:
 
 ```json
 { "disableBugDetectors": ["ssrf"] }
diff --git a/docs/fuzz-settings.md b/docs/fuzz-settings.md
@@ -297,7 +297,7 @@ configured for Jest.
 add the following environment variable to the command:
 
 ```bash
-JAZZER_COVERAGE='["json","lcov"]' npx jazzer my-fuzz-file --coverage
+JAZZER_COVERAGE_REPORTERS='["json","lcov"]' npx jazzer my-fuzz-file --coverage
 ```
 
 _Note:_ Setting this environmental variable in Jest mode has no effect.
@@ -366,11 +366,11 @@ provide them as an array of strings, `Uint8Arrays`, or `Int8Arrays` to the
 `dictionaryEntries` option of the `it.fuzz` function:
 
 ```javascript
-const xmlDictionary = ["IDREF","<![IGNORE[","<![INCLUDE[",<!"];
+const xmlDictionary = ["IDREF", "<![IGNORE[", "<![INCLUDE[", "<!"];
 
 it.fuzz("XML parser",
 	(data) => {...},
-	{dictionaryEntries: xmlDictionary}
+	{dictionaryEntries: xmlDictionary});
 ```
 
 ### `disableBugDetectors` : [array\<RegExp\>]
@@ -814,8 +814,7 @@ In _regression_ mode on command line, Jazzer.js runs each input from the seed
 and regression corpus directories on the fuzz target once, and then stops. Under
 the hood, this option adds `-runs=0` to the option
 [`fuzzerOptions`](#fuzzeroptions--arraystring). Setting the fuzzer option to
-`-runs=0` (run each input only once) or `-runs=-1` (run each input indefinitely)
-can be used to achieve the same behavior.
+`-runs=0` (run each input only once) can be used to achieve the same behavior.
 
 **Jest:** Default: `"regression"`.
 
@@ -954,7 +953,7 @@ example how a timeout of 1 second can be set for the test "My test 1":
 ```javascript
 it.fuzz("My test 1",
 	(data) => {...},
-	1000
+	1000);
 ```
 
 _Two:_ by providing it as part of an object with options as the third argument
diff --git a/docs/fuzz-targets.md b/docs/fuzz-targets.md
@@ -234,7 +234,7 @@ Here we list some of the most important parameters:
 | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `<fuzzTarget>`                          | Import path to the fuzz target module.                                                                                                                                                                                                                                                                                                                                                |
 | `[corpus...]`                           | Paths to the corpus directories. If not given, no initial seeds are used nor interesting inputs saved.                                                                                                                                                                                                                                                                                |
-| `-f`, `--fuzzFunction`                  | Name of the fuzz test entry point. It must be an exported function with a single [Buffer](https://nodejs.org/api/buffer.html) parameter. Default is `fuzz`.                                                                                                                                                                                                                           |
+| `-f`, `--fuzzEntryPoint`                | Name of the fuzz test entry point. It must be an exported function with a single [Buffer](https://nodejs.org/api/buffer.html) parameter. Default is `fuzz`.                                                                                                                                                                                                                           |
 | `-i`, `--includes` / `-e`, `--excludes` | Part of filepath names to include/exclude in the instrumentation. A tailing `/` should be used to include directories and prevent confusion with filenames. `*` can be used to include all files. Can be specified multiple times. Default will include everything outside the `node_modules` directory. If either of these flags are set the default value for the other is ignored. |
 | `--sync`                                | Enables synchronous fuzzing. **May only be used for entirely synchronous code**.                                                                                                                                                                                                                                                                                                      |
 | `-h`, `--customHooks`                   | Filenames with custom hooks. Several hooks per file are possible. See further details in [docs/fuzz-settings.md](fuzz-settings.md#customhooks--arraystring).                                                                                                                                                                                                                          |
@@ -249,14 +249,14 @@ In the following example, the `--coverage` flag is combined with the mode flag
 any fuzzing.
 
 ```shell
-npx jazzer --mode=regression <fuzzer parameters> --corpus <corpus directories> --coverage -- <libFuzzer parameters>
+npx jazzer <fuzzTarget> --mode=regression --coverage <corpus directories> -- <libFuzzer parameters>
 ```
 
 Alternatively, you can add a new script to your `package.json`:
 
 ```json
 "scripts": {
-    "coverage": "jazzer --mode=regression --includes=fileToInstrument --includes=anotherFileToInstrument <fuzzer parameters> --corpus <corpus directories> --coverage -- <libFuzzer parameters>"
+    "coverage": "jazzer <fuzzTarget> --mode=regression -i fileToInstrument -i anotherFileToInstrument --coverage <corpus directories>"
 }
 ```
 
@@ -274,6 +274,6 @@ This default directory can be changed by setting the flag
 ### Coverage reporters
 
 The desired report format can be set by the flag `--coverageReporters`, which by
-default is set to `--coverageReporters clover json lcov text`. See
+default is set to `--coverageReporters json text lcov clover`. See
 [here](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-reports/lib)
 for a list of supported coverage reporters.
diff --git a/docs/jest-integration.md b/docs/jest-integration.md
@@ -53,8 +53,8 @@ runner.
 		"coverage": "jest --coverage"
 	},
 	"devDependencies": {
-		"@jazzer.js/jest-runner": "2.1.0",
-		"jest": "29.3.1"
+		"@jazzer.js/jest-runner": "^3.0.0",
+		"jest": "^29.0.0"
 	},
 	"jest": {
 		"projects": [
@@ -188,13 +188,15 @@ const target = require("./target");
 const { FuzzedDataProvider } = require("@jazzer.js/core");
 
 describe("My describe", () => {
-  it.fuzz("My fuzz test", (data) => {
-    const provider = new FuzzedDataProvider(data);
-    target.fuzzMeMore(
-      provider.consumeNumber(),
-      provider.consumeBoolean(),
-      provider.consumeRemainingAsString());
-  });
+	it.fuzz("My fuzz test", (data) => {
+		const provider = new FuzzedDataProvider(data);
+		target.fuzzMeMore(
+			provider.consumeNumber(),
+			provider.consumeBoolean(),
+			provider.consumeRemainingAsString(),
+		);
+	});
+});
 ```
 
 For more information on how to use the `FuzzedDataProvider` class, please refer
@@ -211,14 +213,14 @@ possible to use `async/await`, `Promise` and `done callback` based tests.
 
 ```javascript
 describe("My describe", () => {
-  it.fuzz("My callback fuzz test", (data, done) => {
-    target.callbackFuzzMe(data, done);
-  });
-
-  it.fuzz("My async fuzz test", async (data) => {
-    await target.asyncFuzzMe(data);
-  });
-)};
+	it.fuzz("My callback fuzz test", (data, done) => {
+		target.callbackFuzzMe(data, done);
+	});
+
+	it.fuzz("My async fuzz test", async (data) => {
+		await target.asyncFuzzMe(data);
+	});
+});
 ```
 
 ### TypeScript Jest fuzz tests
@@ -372,7 +374,7 @@ Additional options for coverage report generation are described in the
 [fuzz targets documentation](./fuzz-targets.md#coverage-report-generation).
 
 The desired report format can be set by the flag `--coverageReporters`, which by
-default is set to `--coverageReporters clover json lcov text`. See
+default is set to `--coverageReporters json text lcov clover`. See
 [here](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-reports/lib)
 for a list of supported coverage reporters.
 
diff --git a/docs/release.md b/docs/release.md
@@ -21,7 +21,7 @@ To release a new version of Jazzer.js follow the described process:
    - An automatic changelog, based on the included merge requests, is added to
      the prerelease description
    - The prerelease is listed on the
-     [release page](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial/releases)
+     [release page](https://github.com/CodeIntelligenceTesting/jazzer.js/releases)
 8. Release the prerelease in GitHub
    - Adjust the prerelease description to include the highlights of the release
    - If you find some problems with the prerelease and want to start over:
diff --git a/examples/jest_typescript_integration/README.md b/examples/jest_typescript_integration/README.md
@@ -1,4 +1,4 @@
-# Jest Typscript Integration Example
+# Jest TypeScript Integration Example
 
 Detailed documentation on the Jest integration is available in the main
 [Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js/blob/main/docs/jest-integration.md)
@@ -14,26 +14,28 @@ The example below shows how to configure the Jazzer.js Jest integration in
 combination with the normal Jest runner.
 
 ```json
-  "jest": {
-    "projects": [
-      {
-        "displayName": "Jest",
-        "preset": "ts-jest",
-      },
-      {
-        "displayName": {
-          "name": "Jazzer.js",
-          "color": "cyan",
-        },
-        "preset": "ts-jest",
-        "runner": "@jazzer.js/jest-runner",
-        "testEnvironment": "node",
-        "testMatch": ["<rootDir>/*.fuzz.[jt]s"],
-      },
-    ],
-    "coveragePathIgnorePatterns": ["/node_modules/", "/dist/"],
-    "modulePathIgnorePatterns": ["/node_modules", "/dist/"],
-  }
+{
+	"jest": {
+		"projects": [
+			{
+				"displayName": "Jest",
+				"preset": "ts-jest"
+			},
+			{
+				"displayName": {
+					"name": "Jazzer.js",
+					"color": "cyan"
+				},
+				"preset": "ts-jest",
+				"testRunner": "@jazzer.js/jest-runner",
+				"testEnvironment": "node",
+				"testMatch": ["<rootDir>/*.fuzz.[jt]s"]
+			}
+		],
+		"coveragePathIgnorePatterns": ["/node_modules/", "/dist/"],
+		"modulePathIgnorePatterns": ["/node_modules", "/dist/"]
+	}
+}
 ```
 
 Further configuration can be specified in `.jazzerjsrc`, like in any other
@@ -51,7 +53,7 @@ Write a Jest fuzz test like:
 
 ```typescript
 // file: jazzerjs.fuzz.ts
-import "@jazzer.js/jest-runner/jest-extension";
+import "@jazzer.js/jest-runner";
 describe("My describe", () => {
 	it.fuzz("My fuzz test", (data: Buffer) => {
 		target.fuzzMe(data);
diff --git a/packages/bug-detectors/README.md b/packages/bug-detectors/README.md
@@ -1,8 +1,8 @@
 # @jazzer.js/bug-detectors
 
 The `@jazzer.js/bug-detectors` module is used by
-[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial#readme)
-to detect and report bugs in JavaScript code.
+[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js#readme) to
+detect and report bugs in JavaScript code.
 
 ## Install
 
@@ -15,5 +15,5 @@ npm install --save-dev @jazzer.js/bug-detectors
 ## Documentation
 
 - Up-to-date
-  [information](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial/blob/main/docs/fuzz-settings.md#bug-detectors)
+  [information](https://github.com/CodeIntelligenceTesting/jazzer.js/blob/main/docs/bug-detectors.md)
   about currently available bug detectors
diff --git a/packages/core/README.md b/packages/core/README.md
@@ -3,7 +3,7 @@
 This is the main entry point and all most users have to install as a
 dev-dependency, so that they can fuzz their projects.
 
-The `@jazzer.js/core` module provide a CLI interface via the `jazzer` command.
+The `@jazzer.js/core` module provides a CLI interface via the `jazzer` command.
 It can be used by `npx` or node script command. To display a command
 documentation use the `--help` flag.
 
@@ -25,5 +25,5 @@ npm install --save-dev @jazzer.js/core
 ## Documentation
 
 See
-[Jazzer.js README](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial#readme)
+[Jazzer.js README](https://github.com/CodeIntelligenceTesting/jazzer.js#readme)
 for more information.
diff --git a/packages/fuzzer/README.md b/packages/fuzzer/README.md
@@ -6,10 +6,11 @@ shared object from GitHub but falls back to compilation on the user's machine if
 there is no suitable binary.
 
 Loading the addon initializes libFuzzer and the sanitizer runtime. Users can
-then start the fuzzer with the exported `startFuzzing` function; see
-[the test](fuzzer.test.ts) for an example. For the time being, the fuzzer runs
-on the main thread and therefore blocks Node's event loop; this is most likely
-what users want, so that their JS fuzz target can run in its normal environment.
+then start the fuzzer with the exported `startFuzzing` or `startFuzzingAsync`
+functions; see [the test](fuzzer.test.ts) for an example. In sync mode
+(`--sync`), the fuzzer runs on the main thread and blocks the event loop. In the
+default async mode, libFuzzer runs on a separate native thread and communicates
+with the JS event loop via a thread-safe function.
 
 ## Development
 
diff --git a/packages/instrumentor/README.md b/packages/instrumentor/README.md
@@ -8,9 +8,10 @@ coverage statistics, so that the fuzzer can detect when new code paths are
 reached, and comparison feedback, to enable the fuzzer to mutate it's input in a
 meaningful way.
 
-Code loading is intercepted using
-[istanbul-lib-hook](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-lib-hook)
-, which also enables fine-grained control of when to apply the instrumentatino.
+CJS modules are intercepted using
+[istanbul-lib-hook](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-lib-hook).
+ES modules are intercepted via a Node.js loader hook (`module.register`,
+requires Node >= 20.6).
 
 ## Install
 
@@ -23,5 +24,5 @@ npm install --save-dev @jazzer.js/instrumentor
 ## Documentation
 
 See
-[Jazzer.js README](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial#readme)
+[Jazzer.js README](https://github.com/CodeIntelligenceTesting/jazzer.js#readme)
 for more information.
diff --git a/packages/jest-runner/readme.md b/packages/jest-runner/readme.md
@@ -1,14 +1,14 @@
 # Jest Fuzz Runner
 
-Custom Jest runner to executes fuzz tests via Jazzer.js, detailed documentation
+Custom Jest runner to execute fuzz tests via Jazzer.js. Detailed documentation
 can be found at the
-[Jazzer.js GitHub page](https://github.com/CodeIntelligenceTesting/jazzer.js-commercial).
+[Jazzer.js GitHub page](https://github.com/CodeIntelligenceTesting/jazzer.js).
 
 A fuzz test in Jest, in this case written in TypeScript, would look similar to
 the following example:
 
 ```typescript
-// file: "Target.fuzz.ts
+// file: "Target.fuzz.ts"
 // Import the fuzz testing extension to compile TS code.
 import "@jazzer.js/jest-runner";
 import * as target from "./target";
