Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
eslint-plugin-mongodb
Advanced tools
Eslint rules for the NodeJS MongoDB native driver 2.0 syntax and best practices.
Disclaimer: This is a work in progress. Use it only if you wish to be involved in this project evolution by reporting bugs or even sending PRs.
The first stable release will be 1.0.0.
eslint
as a dev-dependency:npm install --save-dev eslint
eslint-plugin-mongodb
as a dev-dependency:npm install --save-dev eslint-plugin-mongodb
.eslintrc
:plugins:
- mongodb
You can also configure these rules in your .eslintrc
. All rules defined in
this plugin have to be prefixed by 'mongodb/'
plugins:
- mongodb
rules:
- mongodb/no-replace: 0
In order to recognize MongoDB native driver queries, this plugin check for function calls. By using shared settings you can specify your own patterns, here are the defaults:
{
"settings": {
"mongodb": {
"callPatterns": {
"query": [
"(\\.|^)db\\.collection\\([^\\)]+\\)\\.(find|findOne|)$",
],
"update": [
"(\\.|^)db\\.collection\\([^\\)]+\\)\\.(findOneAndUpdate|updateOne|updateMany)$",
],
"insert": [
"(\\.|^)db\\.collection\\([^\\)]+\\)\\.(insertOne|insertMany)$",
],
"remove": [
"(\\.|^)db\\.collection\\([^\\)]+\\)\\.(findOneAndDelete|deleteOne|deleteMany)$",
],
"deprecated": [
"(\\.|^)db\\.collection\\([^\\)]+\\)\\.(remove|update|findAndModify|ensureIndex|findAndRemove|insert|dropAllIndexes)$",
]
}
}
}
})
Note that the above are strings representing regular expressions. It will be
cast with the RegExp
constructor so you have to escape your escapes ;).
Default: 'check-insert-calls': 2
Check insertOne
/insertMany
calls to ensure their arguments are well formed.
Default: 'check-query-calls': 2
Check find
/findOne
calls to ensure their arguments are well formed.
Default: 'check-update-calls': 2
Check update
calls to ensure their arguments are well formed.
Default: 'check-remove-calls': 2
Check remove
calls to ensure their arguments are well formed.
Default: 'check-deprecated-calls': 2
Check collection calls and warn in case of deprecated methods usage.
Default: 'no_replace': 1
Check update queries to ensure no raw replace is done.
Default: 'check-rename-updates': 2
Check $rename
update operator usage.
Default: 'check-unset-updates': 2
Check $unset
update operator usage.
Default: 'check-current-date-updates': 2
Check $currentDate
update operator usage.
Default: 'check-numeric-updates': 2
Check update queries to ensure numeric operators like $mul
and $inc
contain
numeric values.
Default: 'check-minmax-updates': 2
Check $min
and $max
update operators usage.
Default: 'check-set-updates': 2
Check $set
and $setOnInsert
update operators usage.
Default: 'check-push-updates': 2
Check $push
update operator usage and its modifiers.
Default: 'check-pull-updates': 2
Check $pull
update operator usage.
Default: 'check-pop-updates': 2
Check $pop
update operator usage.
Default: 'check-addtoset-updates': 2
Check $addToSet
update operator usage and common misuses.
Default: 'check-deprecated-updates': 2
Check deprecated update operator usage.
Feel free to push your code if you agree with publishing under the MIT license.
Avoid wasting your time and follow those steps to suggest a new rule:
Create and issue prefixed by [rule] and let us know what should change.
FAQs
Lint your MongoDB queries.
The npm package eslint-plugin-mongodb receives a total of 243 weekly downloads. As such, eslint-plugin-mongodb popularity was classified as not popular.
We found that eslint-plugin-mongodb demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.