@rushstack/eslint-plugin-security
Advanced tools
@rushstack/eslint-plugin-security - npm Package Compare versions
Comparing version 0.4.0 to 0.5.0
@@ -35,2 +35,3 @@ "use strict"; | ||
| const noUnsafeRegExp = { | ||
| defaultOptions: [], | ||
| meta: { | ||
@@ -37,0 +38,0 @@ type: 'problem', |
| { | ||
| "name": "@rushstack/eslint-plugin-security", | ||
| "version": "0.4.0", | ||
| "version": "0.5.0", | ||
| "description": "An ESLint plugin providing rules that identify common security vulnerabilities for browser applications, Node.js tools, and Node.js services", | ||
@@ -21,3 +21,3 @@ "license": "MIT", | ||
| "@rushstack/tree-pattern": "0.2.4", | ||
| "@typescript-eslint/experimental-utils": "~5.30.3" | ||
| "@typescript-eslint/experimental-utils": "~5.38.0" | ||
| }, | ||
@@ -28,4 +28,4 @@ "peerDependencies": { | ||
| "devDependencies": { | ||
| "@rushstack/heft": "0.45.14", | ||
| "@rushstack/heft-node-rig": "1.9.15", | ||
| "@rushstack/heft": "0.47.9", | ||
| "@rushstack/heft-node-rig": "1.10.0", | ||
| "@types/eslint": "8.2.0", | ||
@@ -35,6 +35,6 @@ "@types/estree": "0.0.50", | ||
| "@types/node": "12.20.24", | ||
| "@typescript-eslint/parser": "~5.30.3", | ||
| "@typescript-eslint/typescript-estree": "~5.30.3", | ||
| "@typescript-eslint/parser": "~5.38.0", | ||
| "@typescript-eslint/typescript-estree": "~5.38.0", | ||
| "eslint": "~8.7.0", | ||
| "typescript": "~4.7.4" | ||
| "typescript": "~4.8.4" | ||
| }, | ||
@@ -45,4 +45,3 @@ "scripts": { | ||
| "_phase:test": "heft test --no-build" | ||
| }, | ||
| "readme": "# @rushstack/eslint-plugin-security\n\nThis plugin implements a collection of security rules for ESLint.\n\nOur ambition is to eventually provide a comprehensive set of recommended security rules for:\n- web browser applications\n- Node.js tools\n- Node.js services\n\nIf you would like to request or contribute a new security rule, you are encouraged to\n[create a GitHub issue](https://github.com/microsoft/rushstack/issues) in the\n[Rush Stack](https://rushstack.io/) monorepo where this project is developed.\nThanks!\n\n## `@rushstack/security/no-unsafe-regexp`\n\nRequire regular expressions to be constructed from string constants rather than dynamically\nbuilding strings at runtime.\n\n#### Rule Details\n\nRegular expressions should be constructed from string constants. Dynamically building strings at runtime may\nintroduce security vulnerabilities, performance concerns, and bugs involving incorrect escaping of special characters.\n\n#### Examples\n\nThe following patterns are considered problems when `@rushstack/security/no-unsafe-regexp` is enabled:\n\n```ts\nfunction parseRestResponse(request: ICatalogRequest,\n items: ICatalogItem[]): ICatalogItem[] {\n\n // Security vulnerability: A malicious user could invoke the REST service using a\n // \"searchPattern\" with a complex RegExp that causes a denial of service.\n const regexp: RegExp = new RegExp(request.searchPattern);\n return items.filter(item => regexp.test(item.title));\n}\n```\n\n```ts\nfunction hasExtension(filePath: string, extension: string): boolean {\n // Escaping mistake: If the \"extension\" string contains a special character such as \".\",\n // it will be interpreted as a regular expression operator. Correctly escaping an arbitrary\n // string is a nontrivial problem due to RegExp implementation differences, as well as contextual\n // issues (since which characters are special changes inside RegExp nesting constructs).\n // In most cases, this problem is better solved without regular expressions.\n const regexp: RegExp = new RegExp(`\\.${extension}$`);\n return regexp.test(filePath);\n}\n```\n\nThe following patterns are NOT considered problems:\n\n```ts\nfunction isInteger(s: string): boolean {\n return /[0-9]+/.test(s);\n}\n```\n\n```ts\nfunction isInteger(s: string): boolean {\n return new RegExp('[0-9]+').test(s);\n}\n```\n\n## Links\n\n- [CHANGELOG.md](\n https://github.com/microsoft/rushstack/blob/main/stack/eslint-plugin-security/CHANGELOG.md) - Find\n out what's new in the latest version\n\n`@rushstack/eslint-plugin-security` is part of the [Rush Stack](https://rushstack.io/) family of projects.\n" | ||
| } | ||
| } |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Lines of code
- increased by1.01%
100
Worsened metrics
- Total package byte prevSize
- decreased by-11.11%
16431
Dependency changes
+ Added@typescript-eslint/experimental-utils@5.38.1(transitive)
+ Added@typescript-eslint/scope-manager@5.38.1(transitive)
+ Added@typescript-eslint/types@5.38.1(transitive)
+ Added@typescript-eslint/typescript-estree@5.38.1(transitive)
+ Added@typescript-eslint/utils@5.38.1(transitive)
+ Added@typescript-eslint/visitor-keys@5.38.1(transitive)
- Removed@typescript-eslint/experimental-utils@5.30.7(transitive)
- Removed@typescript-eslint/scope-manager@5.30.7(transitive)
- Removed@typescript-eslint/types@5.30.7(transitive)
- Removed@typescript-eslint/typescript-estree@5.30.7(transitive)
- Removed@typescript-eslint/utils@5.30.7(transitive)
- Removed@typescript-eslint/visitor-keys@5.30.7(transitive)