Security News
Sarah Gooding
October 3, 2024
When ESLint announced in July that it would be moving towards becoming a language-agnostic platform for source code linting, we knew some exciting developments were on the way. This strategic shift not only broadens ESLint's applicability beyond JavaScript but also paves the way for a more versatile and unified linting experience across various programming languages and file formats.
Now, with the introduction of support for JSON and Markdown linting, the project is taking a significant step toward fulfilling that promise. Previously, ensuring consistency and catching errors in these formats often required separate tools or manual inspection. Today’s announcement expands ESLint’s parsing capabilities to include JSON, JSONC (JSON with comments), and JSON5, along with CommonMark and GitHub-Flavored Markdown.
These new capabilities come in the form of officially-supported plugins that allow ESLint to lint JSON and Markdown files natively. This is all possible thanks to a major refactoring of ESLint core to extract the JavaScript-specific parts from the language-agnostic parts.
ESLint has a monorepo for the new version where the rewrite is happening, and contributors are modernizing the packages:
Every package in eslint/rewrite will be up to modern standards, publishing ESM entrypoints along with type definitions. When possible, we’ll also publish CommonJS entrypoints. All packages are published with provenance to both npm and JSR (when applicable).
ESLint is also building a runtime-agnostic core and a new CLI from scratch. Contributors are maintaining the existing eslint and the rewrite in parallel as they move forward.
For the past 11 years, ESLint has been focused on JavaScript linting, but these recent changes move the project towards becoming a universal linter. The new @eslint/json and @eslint/markdown plugins can be installed from npm. Users can write custom rules just like they have for JavaScript, thanks to ESLint’s new Code Explorer, which is open source.
ESLint’s Technical Steering Committee (TSC) decided to open up ESLint and go the route of language plugins, as they had observed plugins linting other languages, such as GraphQL and HTML, from within ESLint in inefficient and error-prone ways. Allowing for official and community-supported plugins makes it possible for the project to leverage expertise from various ecosystems in order to support linting across a wider range of languages.
Starting with JSON and Markdown made the most sense as both were among the top four requested languages to support when ESLint creator Nicholas Zakas asked on Twitter/Mastodon. JSON is ubiquitous in configuration files, data interchange, and API responses. This new official plugin helps validate the structure and syntax of JSON files to prevent runtime errors and enforces consistent formatting and styling rules across all JSON files in a project.
Similarly, Markdown is also a strong choice for one of the first language plugins, as it’s the lingua franca of documentation, README files, and content creation within repositories. ESLint's support for Markdown has the potential to enforce consistent formatting, heading structures, and link validations to maintain high-quality documentation.
These two plugins are intended to be examples of how contributors can write their own language plugins. ESLint has documented the process for creating one.
The RFC for language plugins indicates that the next officially supported plugins on the roadmap will be YAML and CSS, as both were among the top four most-requested languages in the community poll. They plan to use PostCSS as the parser and will investigate further for YAML, but these are still in the early stages.
When I asked Zakas if he sees ESLint branching out to support non-JS heavy ecosystems further into the future, he referred to the long-term goal stated in the announcement today, leaving the door open for any possibility.
“Linting languages other than JavaScript has been on the ESLint roadmap for a while, so it’s exciting to reach this milestone,” Zakas said. “Our long-term goal is to ensure that ESLint can lint any kind of file you might use in a web project, whether that be with officially supported language plugins or with community-written plugins. With JavaScript, JSON, and Markdown, we’re already well on our way towards achieving that goal.”